Mercurial > hg > nginx-site
comparison xml/en/docs/njs/security.xml @ 2924:bd8482c5a7fe
Added "Security" section in njs.
author | Yaroslav Zhuravlev <yar@nginx.com> |
---|---|
date | Thu, 05 Jan 2023 16:26:20 +0000 |
parents | |
children |
2923:ef7f2666cc09 | 2924:bd8482c5a7fe |
---|---|
1 <?xml version="1.0"?> | |
2 | |
3 <!-- | |
4 Copyright (C) Nginx, Inc. | |
5 --> | |
6 | |
7 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> | |
8 | |
9 <article name="Security" | |
10 link="/en/docs/njs/security.html" | |
11 lang="en" | |
12 rev="1" | |
13 toc="no"> | |
14 | |
15 <section> | |
16 | |
17 <para> | |
18 All njs security issues should be reported to | |
19 <literal>security-alert@nginx.org</literal>. | |
20 </para> | |
21 | |
22 <para> | |
23 Patches are signed using one of the | |
24 <link doc="../../pgp_keys.xml">PGP public keys</link>. | |
25 </para> | |
26 | |
27 </section> | |
28 | |
29 | |
30 <section id="considerations" name="Special considerations"> | |
31 | |
32 <para> | |
33 njs does not evaluate dynamic code | |
34 and especially the code received from the network in any way. | |
35 The only way to evaluate that code using njs | |
36 is to configure the | |
37 <link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link> | |
38 directive in nginx. | |
39 JavaScript code is loaded once during nginx start. | |
40 </para> | |
41 | |
42 <para> | |
43 In nginx/njs threat model, JavaScript code is considered a trusted source | |
44 in the same way as <literal>nginx.conf</literal> and sites certificates. | |
45 What this means in practice: | |
46 | |
47 <list type="bullet"> | |
48 | |
49 <listitem> | |
50 memory disclosure and other security issues | |
51 triggered by JavaScript code modification | |
52 are not considered security issues, but as ordinary bugs | |
53 </listitem> | |
54 | |
55 <listitem> | |
56 measures should be taking for protecting JavaScript code used by njs | |
57 </listitem> | |
58 | |
59 <listitem> | |
60 if no <link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link> | |
61 directives are present in <literal>nginx.conf</literal>, | |
62 nginx is safe from JavaScript-related vulnerabilities | |
63 </listitem> | |
64 | |
65 </list> | |
66 </para> | |
67 | |
68 </section> | |
69 | |
70 | |
71 </article> |
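Review bot: The second list item (file line 56) has a typo: "measures should be taking" should read "measures should be taken". The same paragraph has two smaller wording problems: "sites certificates" on line 44 should be "site certificates", and "are not considered security issues, but as ordinary bugs" on lines 52 is not parallel, so something like "are treated as ordinary bugs rather than security issues" reads better. In the first paragraph of the "Special considerations" section (lines 33 to 38), "The only way to evaluate that code" points back at "dynamic code ... received from the network", which the preceding sentence says is never evaluated; rewording it to say that JavaScript code is only loaded through js_import would remove the apparent contradiction. Finally, the last list item (lines 60 to 62) ties the "nginx is safe" claim to js_import, but both js_import links point only at ngx_http_js_module.xml; if the directive can be set from any other module or context, the sentence should say so, otherwise the guarantee reads as broader than what the linked documentation covers.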