From 85e6c7b0ee160be8ec7b00ccbea710ca87492e98 Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Tue, 17 Feb 2026 16:54:03 +0100 Subject: [PATCH] doc: clarify build environment is trusted in threat model Add build system attacks (command injection via environment variables, path hijacking, file permissions) to the list of non-vulnerabilities. The build environment is a trusted element and these scenarios require an already-compromised system. --- SECURITY.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 6213ca3d43a704..3a543216723c66 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -335,6 +335,21 @@ the community they pose. proper security boundaries between trusted application logic and untrusted user input. +#### Build System Attacks Requiring Control of the Build Environment (CWE-78, CWE-114, CWE-276) + +* The Node.js build system (e.g., `configure`, `configure.py`, `Makefile`, + `vcbuild.bat`) is designed to run in a trusted build environment. + The build environment, including environment variables, the file system, + and locally installed tools, is a trusted element in the Node.js threat model. +* Reports about command injection via environment variables in build scripts + (e.g., `CC`, `CXX`, `PKG_CONFIG`, `RUSTC`), path hijacking in build output + directories, or file permissions of build artifacts are **not** considered + vulnerabilities. These scenarios require the attacker to already have control + over the build environment, which means the system is already compromised. +* Build scripts are not a security boundary. They are expected to execute + tools and scripts specified by the environment, and to trust the + file system they operate on. + #### Unhandled 'error' Events on EventEmitters (CWE-248) * EventEmitters that can emit `'error'` events require the application to
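Review bot: the third CWE in the new heading, CWE-276 (incorrect default permissions), is scoped more broadly than the justification that follows it supports. The bullet says file permissions of build artifacts are not vulnerabilities because "These scenarios require the attacker to already have control over the build environment", which holds for files inside the build tree, but a report that an install target (for example a `make install` step) leaves binaries, headers or directories world-writable on the target system does not require prior control of anything; an unprivileged local user could abuse it after the fact. Suggest narrowing the wording to permissions of files within the build tree, e.g. "file permissions of intermediate or final artifacts within the build output directory", or stating explicitly that permissions applied to installed files outside the build tree are still in scope. Two smaller points on the same hunk: "path hijacking in build output directories" is vague about what is being hijacked (an attacker-controlled directory placed earlier on `PATH`, or a pre-created output directory the build writes into?), so one clause naming the scenario would help triagers apply the rule consistently; and the parenthetical list of environment variables (`CC`, `CXX`, `PKG_CONFIG`, `RUSTC`) should be checked against what `configure.py`, the `Makefile` and `vcbuild.bat` actually read, since listing a variable the build does not consume invites reports arguing the section does not apply to their case.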