doc: add check for security reverts

mhdawson · richardlau · commit a09f440dbd9a · 2024-03-25T19:24:03.000Z
- Add step to check that any PRs with breaking changes have command line options to revert - Add info on how to easily add command line option to revert a breaking change related to a CVE Signed-off-by: Michael Dawson <midawson@redhat.com> PR-URL: #51376 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md
@@ -75,6 +75,8 @@ The current security stewards are documented in the main Node.js
 
 * [ ] Check that all vulnerabilities are ready for release integration:
   * PRs against all affected release lines or cherry-pick clean
+  * PRs with breaking changes have a
+    [--security-revert](#Adding-a-security-revert-option) option if possible.
   * Approved
   * (optional) Approved by the reporter
     * Build and send the binary to the reporter according to its architecture
@@ -223,6 +225,54 @@ out a better way, forward the email you receive to
   [Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards).
   If necessary add the next rotation of the steward rotation.
 
+## Adding a security revert option
+
+Breaking changes are allowed in existing LTS lines in order to fix
+important security vulnerabilities. When breaking changes are made
+it is important to provide a command line option that restores
+the original behaviour.
+
+The existing Node.js codebase supports the command line
+option `--security-revert` and has the boilerplate to make additions
+for a specific CVE easy.
+
+To add an option to revert for a CVE, for example `CVE-2024-1234`
+simply add this line to
+[`node_revert.h`](https://github.com/nodejs/node/blob/main/src/node_revert.h)
+
+```c
+  XX(CVE_2024_1234, "CVE-2024-1234", "Description of cve")
+```
+
+This will allow an easy check of whether a reversion has been
+requested or not.
+
+In JavaScript code you can check:
+
+```js
+if (process.REVERT_CVE_2024_1234);
+```
+
+In C/C++ code you can check:
+
+```c
+IsReverted(SECURITY_REVERT_CVE_2024_1234)
+```
+
+From the command line a user can request the revert by using
+the `--security-revert` option as follows:
+
+```console
+node --security-revert=CVE-2024-1234
+```
+
+If there are multiple security reverts then multiple instances
+of --security-revert can be used. For example:
+
+```console
+node --security-revert=CVE-2024-1234 --security-revert=CVE-2024-XXXX
+```
+
 ## When things go wrong
 
 ### Incomplete fixes
