doc: add alert on REPL from TCP socket
Initially, I was considering removing this example:
```js
const net = require('node:net');
const repl = require('node:repl');

let connections = 0;

// Every TCP client that connects gets a full REPL bound to its socket,
// i.e. arbitrary code execution in this process for anyone who can reach port 5001.
net.createServer((socket) => {
  connections += 1;
  repl.start({
    prompt: 'Node.js via TCP socket> ',
    input: socket,
    output: socket,
  }).on('exit', () => {
    socket.end();
  });
}).listen(5001);
```
But it does expose some of the possibilities of Node.js REPL. So, instead of removing it from our examples, I've included an alert for its usage in production.
cc: @mcollina
Refs: https://hackerone.com/reports/2684357
A HackerOne report was linked, so I've added the security label.
CC @nodejs/repl
We should also add the REPL to the Node.js Threat Model, no?
I'm not sure there is anything special about it. What should we add?
I don't have access to the H1 report but from the little context shared here I was under the impression that maybe someone reported a security issue related to the REPL. If so, and we deem the REPL as out of scope for valid CVEs, then I suggested that we add it to the threat model as a criterion that we don't accept reports for.
Actually no. It's just about exposing a Node.js REPL via network. There's nothing specific to REPL itself.
Landed in 5a22d8e0134e9f161071e5b67922be1576f8db16