doc: update threat model based on discussions

mhdawson · MylesBorins · commit 33a98c42faef · 2023-02-18T15:58:28.000-05:00
Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #46373 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
diff --git a/SECURITY.md b/SECURITY.md
@@ -82,14 +82,22 @@ Vulnerabilities related to this case may be fixed by a documentation update.
 
 **Node.js does NOT trust**:
 
-1. The data from network connections that are created through the use of Node.js
-   APIs and which is transformed/validated by Node.js before being passed to the
-   application. This includes:
-   * HTTP APIs (all flavors) client and server APIs.
+1. Data received from the remote end of inbound network connections
+   that are accepted through the use of Node.js APIs and
+   which is transformed/validated by Node.js before being passed
+   to the application. This includes:
+   * HTTP APIs (all flavors) server APIs.
+2. The data received from the remote end of outbound network connections
+   that are created through the use of Node.js APIs and
+   which is transformed/validated by Node.js before being passed
+   to the application EXCEPT in respect to payload length. Node.js trusts
+   that applications make connections/requests which will avoid payload
+   sizes that will result in a Denial of Service.
+   * HTTP APIs (all flavors) client APIs.
    * DNS APIs.
-2. Consumers of data protected through the use of Node.js APIs (for example
+3. Consumers of data protected through the use of Node.js APIs (for example
    people who have access to data encrypted through the Node.js crypto APIs).
-3. The file content or other I/O that is opened for reading or writing by the
+4. The file content or other I/O that is opened for reading or writing by the
    use of Node.js APIs (ex: stdin, stdout, stderr).
 
 In other words, if the data passing through Node.js to/from the application
@@ -181,6 +189,13 @@ the community they pose.
   no scenario that requires modification of that configuration file is
   considered a vulnerability.
 
+#### Uncontrolled Resource Consumption (CWE-400) on outbound connections
+
+* If Node.js is asked to connect to a remote site and return an
+  artifact, it is not considered a vulnerability if the size of
+  that artifact is large enough to impact performance and or
+  cause the runtime to run out of resources.
+
 ## Receiving security updates
 
 Security notifications will be distributed via the following methods.
