Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -221,6 +221,16 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
* The developers and infrastructure that run it.
* The operating system that Node.js is running under and its configuration,
along with anything under the control of the operating system.
* The deployment network environment for the privacy of traffic and routing
decisions, including internal networks through which Node.js traffic passes
and configured HTTP(S) proxy servers. Built-in proxy support is intended to
route traffic through proxies authorized for the deployment, often because a
firewall requires one to access external networks. It is not intended to hide
traffic from network operators or authorities governing the deployment.
Untrusted or unauthorized proxies, as well as deployment policy or legal
compliance controls around proxy use, are the responsibility of the deployment
operator and are outside this threat model. This does not change that data
parsed from network protocol peers is untrusted as described above.
* The code it is asked to run, including JavaScript, WASM and native code, even
if said code is dynamically loaded, e.g., all dependencies installed from the
npm registry or libraries loaded via `node:ffi`.
Expand Down Expand Up @@ -301,6 +311,19 @@ the community they pose.
client consuming unsolicited or misordered responses within the same HTTP/1.1 connection
reuse lifecycle are generally not considered Node.js vulnerabilities.

#### Unauthorized or untrusted HTTP proxy deployments

* Built-in HTTP proxy support is intended for routing outbound requests through
a proxy authorized by the deployment, for example because a firewall requires
one to reach external networks. It is not an anonymity, traffic-hiding, or
policy-evasion feature.
* Reports that depend on using an unauthorized proxy, expecting Node.js to
provide privacy from a configured proxy or internal network, or expecting
Node.js to enforce deployment-specific network policy or legal requirements
are not considered Node.js vulnerabilities. Deployment operators are
responsible for hardening such environments and controlling which proxy
settings are allowed.

#### Malicious Third-Party Modules (CWE-1357)

* Code is trusted by Node.js. Therefore any scenario that requires a malicious
Expand Down
15 changes: 13 additions & 2 deletions doc/api/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -3411,9 +3411,14 @@ added:
> Stability: 1.1 - Active Development

When enabled, Node.js parses the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`
environment variables during startup, and tunnels requests over the
environment variables during startup, and routes requests through the
specified proxy.

Use this only with proxies that are trusted and authorized for the deployment.
Proxy support is intended for reaching external networks through authorized
proxy servers, for example when a firewall requires one. It is not for hiding
traffic or evading network policy. See [Built-in Proxy Support][].

This is equivalent to setting the [`NODE_USE_ENV_PROXY=1`][] environment variable.
When both are set, `--use-env-proxy` takes precedence.

Expand Down Expand Up @@ -4097,9 +4102,14 @@ added:
> Stability: 1.1 - Active Development

When enabled, Node.js parses the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`
environment variables during startup, and tunnels requests over the
environment variables during startup, and routes requests through the
specified proxy.

Use this only with proxies that are trusted and authorized for the deployment.
Proxy support is intended for reaching external networks through authorized
proxy servers, for example when a firewall requires one. It is not for hiding
traffic or evading network policy. See [Built-in Proxy Support][].

This can also be enabled using the [`--use-env-proxy`][] command-line flag.
When both are set, `--use-env-proxy` takes precedence.

Expand Down Expand Up @@ -4405,6 +4415,7 @@ node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12
<!-- v8-options end -->

[#42511]: https://github.com/nodejs/node/issues/42511
[Built-in Proxy Support]: http.md#built-in-proxy-support
[Chrome DevTools Protocol]: https://chromedevtools.github.io/devtools-protocol/
[Chromium's policy for locally trusted certificates]: https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md#does-the-chrome-certificate-verifier-consider-local-trust-decisions
[CommonJS module]: modules.md
Expand Down
16 changes: 16 additions & 0 deletions doc/api/http.md
Original file line number Diff line number Diff line change
Expand Up @@ -4573,6 +4573,22 @@ support.

If the request is made to a Unix domain socket, the proxy settings will be ignored.

### Proxy security considerations

Built-in proxy support routes outbound requests through an HTTP(S) proxy, often
because a firewall requires one to access external networks. It is not an
anonymity or traffic-hiding feature and does not attempt to hide traffic from
the proxy, the local network, network operators, or authorities that govern the
deployment.

Configure only proxies that are trusted and authorized for the deployment. A
proxy can observe connection metadata; for plain HTTP requests, or when TLS is
terminated or intercepted by the proxy, it can also observe request and response
contents. Node.js does not support treating an untrusted proxy as a privacy
boundary. Deployment operators are responsible for controlling proxy
configuration and for meeting deployment-specific network policy and legal
requirements.

### Proxy URL Format

Proxy URLs can use either HTTP or HTTPS protocols:
Expand Down
12 changes: 10 additions & 2 deletions doc/node.1
Original file line number Diff line number Diff line change
Expand Up @@ -1652,8 +1652,12 @@ See \fBSSL_CERT_DIR\fR and \fBSSL_CERT_FILE\fR.
.
.It Fl -use-env-proxy
When enabled, Node.js parses the \fBHTTP_PROXY\fR, \fBHTTPS_PROXY\fR and \fBNO_PROXY\fR
environment variables during startup, and tunnels requests over the
environment variables during startup, and routes requests through the
specified proxy.
Use this only with proxies that are trusted and authorized for the deployment.
Proxy support is intended for reaching external networks through authorized
proxy servers, for example when a firewall requires one. It is not for hiding
traffic or evading network policy. See Built-in Proxy Support.
This is equivalent to setting the \fBNODE_USE_ENV_PROXY=1\fR environment variable.
When both are set, \fB--use-env-proxy\fR takes precedence.
.
Expand Down Expand Up @@ -2316,8 +2320,12 @@ variable is strongly discouraged.
.It Ev NODE_USE_ENV_PROXY Ar 1

When enabled, Node.js parses the \fBHTTP_PROXY\fR, \fBHTTPS_PROXY\fR and \fBNO_PROXY\fR
environment variables during startup, and tunnels requests over the
environment variables during startup, and routes requests through the
specified proxy.
Use this only with proxies that are trusted and authorized for the deployment.
Proxy support is intended for reaching external networks through authorized
proxy servers, for example when a firewall requires one. It is not for hiding
traffic or evading network policy. See Built-in Proxy Support.
This can also be enabled using the \fB--use-env-proxy\fR command-line flag.
When both are set, \fB--use-env-proxy\fR takes precedence.
.
Expand Down
Loading