Threat Model question about Permission Model
4xpl0r3r opened this issue
4xpl0r3r commented
According to the threat model, loaded code is trusted. What I want to know is, if a vulnerability requires monkey-patching to bypass the permission model, is it still recognized as a valid vulnerability? The response will direct my security research, thank you.
Rafael Gonzaga commented
Most of the time, yes. If you find a way to use the official require('fs') module to bypass the capabilities imposed by the permission model, it is likely to be accepted. Important to note it should not be recognized as a known limitation in https://nodejs.org/api/permissions.html#limitations-and-known-issues
4xpl0r3r commented
Thank you, I see.