Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: add a threat model for the project #21

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

docs: add a threat model for the project #21

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8358d61
docs: add a threat model for the project
UlisesGascon Feb 20, 2025
3ebd5fd
Update SECURITY.md
UlisesGascon Feb 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 78 additions & 2 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ When sending an email, please include:
- A description of the vulnerability and its potential impact.
- Any supporting information or proof of concept.

If a security vulnerability is deemed critical (e.g., actively exploited RCE), Yeoman maintainers may deploy an emergency fix outside the regular release cycle. If you identify an urgent issue, please flag it as "Critical - Immediate Attention Required" in your report.


### Coordinated Vulnerability Disclosure (CVD)

We also support [Coordinated Vulnerability Disclosure (CVD)](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). By following this process, we can collaborate on fixes and ensure vulnerabilities are not publicly disclosed until they are properly addressed.
Expand All @@ -37,8 +40,81 @@ We also support [Coordinated Vulnerability Disclosure (CVD)](https://en.wikipedi
- **Public Disclosure**: We coordinate with you on public disclosure only after a fix or mitigation is in place.
- **Researcher Recognition**: With your permission, we acknowledge security researchers in the public advisory after the fix.

### Acknowledgements

We appreciate and value the contributions of security researchers who take the time to responsibly disclose vulnerabilities. We can acknowledge your contribution (with your permission) once the fix is published, or you may remain anonymous if you prefer.
### Acknowledgements and Bug Bounty Program 💰

At this time, **Yeoman does not offer a bug bounty program** or monetary rewards for security vulnerability disclosures. However, we **greatly appreciate and recognize** the contributions of security researchers who responsibly disclose vulnerabilities.

If you report a valid security issue, we will acknowledge your contribution (with your permission) in public advisories once the fix is published. Alternatively, you may remain anonymous if you prefer.

Thank you for helping us maintain a secure environment across all [Yeoman](https://github.com/yeoman) repositories!

## Threat Model

The Yeoman threat model defines **trusted** and **untrusted** elements in the Yeoman ecosystem. All security vulnerabilities reported for any repository that the organization maintains are assessed within this context.

### Elements Yeoman Does NOT Trust
Yeoman **does not trust**:
- **User Input**: CLI arguments, interactive prompts, and configuration files.
- **Third-Party Generators**: Code from npm-installed generators unless officially maintained by Yeoman.
- **Remote Templates & Assets**: Files fetched from external sources during scaffolding.
- **Unvalidated Dependencies**: Packages installed dynamically during generator execution.

Since Yeoman does not inherently trust these elements, generator authors should ensure proper validation, sanitization, and security checks in their own implementations. This includes handling user input safely, verifying dependencies, and ensuring templates are fetched from trusted sources.

### Elements Yeoman Trusts
Yeoman **trusts**:
- **Node.js Runtime**: The JavaScript runtime and its security model.
- **Operating System**: The OS environment where Yeoman runs.
- **Official Yeoman Libraries**: Core packages such as `yo`, `generator-generator`, etc.
- **npm Registry**: We rely on the npm registry for package distribution but do not inherently trust all packages. Each generator should be carefully evaluated before use. Users are encouraged to audit dependencies and be aware of potential supply-chain risks.
- **Filesystem Integrity**: When reading/writing project templates, Yeoman assumes normal OS security constraints.

## Examples of Security Vulnerabilities

**Yeoman assesses vulnerabilities based on its threat model**.

If an issue arises due to insecure usage of untrusted components (e.g., an insecure third-party generator), it is generally the responsibility of the generator's maintainer. However, if Yeoman itself fails to properly mitigate risks when handling untrusted inputs, it may be considered a valid security issue.

If a generator creates an insecure project by default, it is the responsibility of the generator author. However, if Yeoman itself facilitates or encourages insecure practices in its official generators, it will be treated as a security concern.

Additionally, Yeoman expects users to review and customize the generated project according to their security requirements. While Yeoman provides a starting point, it is ultimately the responsibility of developers to assess and adjust configurations, dependencies, and security settings before deployment.

### Vulnerabilities
✅ **Remote Code Execution (CWE-94)**
- If Yeoman executes arbitrary untrusted code from generators without proper sandboxing.

✅ **Path Traversal (CWE-35)**
- If a generator allows users to write files outside the intended project directory via manipulated file paths.

✅ **Command Injection (CWE-78)**
- If user input can execute arbitrary shell commands inside a generator.

✅ **Insecure Template Handling (CWE-116)**
- If a generator fails to escape user input, leading to cross-site scripting (XSS) or HTML injection.

✅ **Prototype Pollution (CWE-1321)**
- If a generator allows modification of global JavaScript objects via user-controlled input.

✅ **Insecure Defaults in Core Libraries**
- If Yeoman itself ships with insecure defaults that expose users to vulnerabilities.

## Examples of Non-Vulnerabilities

### Not Considered Vulnerabilities
🚫 **Malicious Third-Party Generators (CWE-1357)**
- Yeoman does not vet all npm generators. If a third-party generator has malicious code, it is the responsibility of the generator’s maintainer.

🚫 **Insecure Default Templates**
- If a generator creates an insecure project (e.g., open CORS settings), this is not a Yeoman vulnerability, but an issue with the generator.
- Users are responsible for reviewing and securing generated projects. Yeoman provides scaffolding as a foundation, but security configurations should be assessed and customized before deployment.

🚫 **User-Defined Environment Variables**
- If a user sets insecure values in environment variables (e.g., modifying `PATH` to include malicious binaries), it is not a security issue in Yeoman.

🚫 **Dependencies with Known Vulnerabilities**
- If a generator uses a vulnerable npm package, the issue lies with the package maintainer, not Yeoman.

🚫 **Misconfigurations in User Code**
- If a developer misconfigures a generator leading to an insecure project setup, this is not considered a security vulnerability.