meta: clarify V8 flags are outside threat model#64224
Conversation
|
Review requested:
|
| Node.js may expose V8 features that are controlled by `--harmony` flags | ||
| (e.g., `--harmony-optional-chaining`, `--harmony-shadowrealm`). These flags |
There was a problem hiding this comment.
--harmony is deprecated terminology in V8, and new features haven't used it for some time. I would suggest something like
Node.js may expose in-development V8 features that are only available via
--js-*or--harmony-*runtime flags (e.g.,--js-decorators,--harmony-shadowrealm).
--js-staging is the new global flag equivalent of --harmony.
|
|
||
| ### Experimental features behind `--harmony` flags | ||
|
|
||
| Node.js may expose V8 features that are controlled by `--harmony` flags |
There was a problem hiding this comment.
In light of V8 flags, we should explicitly exclude all V8 flags from the security model. For example, the following V8 flags are much more vulnerable than experimental JS features:
--allow-natives-syntaxexposes%DeoptimizeFunction,%CollectGarbage, and hundreds of other runtime intrinsics that can corrupt heap state or leak internal objects.--predictabledisables all non-determinism including randomized allocations, weakening ASLR-style protections.
There are a bunch of V8 flags in additional to these that make the process more vulnerable.
8121e3f to
7bd2473
Compare
7bd2473 to
282c386
Compare
aduh95
left a comment
There was a problem hiding this comment.
This repeats most if not all of the Experimental features behind compile-time flags section. I wonder if we could simply merge the two sections, i.e. Experimental features behind compile-time flags and V8 runtime flags
Signed-off-by: Matteo Collina <hello@matteocollina.com> Co-authored-by: Chengzhong Wu <legendecas@gmail.com>
03cbcc0 to
2e17b72
Compare
We cannot be responsible for V8 experimental features in case they cause security problems.