-
Notifications
You must be signed in to change notification settings - Fork 639
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add documentation regarding security issues and the status of Wasm proposals #3972
base: main
Are you sure you want to change the base?
Conversation
doc/security_need_to_know.md
Outdated
- Enables users to perform actions they should not be able to. | ||
- Allows users to deny actions they have performed. | ||
|
||
Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that Wasm modules ' execution is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wasm modules '
-> Wasm modules'
doc/security_need_to_know.md
Outdated
|
||
## managing a security issue | ||
|
||
Before reporting an issue, particularly one related to crashing, consult [the cheat sheet](), *Report a security vulnerability* if it qualifies. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
missing link for the cheat sheet
?
doc/security_need_to_know.md
Outdated
|
||
Before reporting an issue, particularly one related to crashing, consult [the cheat sheet](), *Report a security vulnerability* if it qualifies. | ||
|
||
Upon receiving an issue, thoroughly review [the cheat sheet] to assess and *Report a security vulnerability* if the issue is indeed a security vulnerability . |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as above for the cheat sheet
doc/stability_wasm_proposals.md
Outdated
|
||
The _status_ represents the configuration _product-mini/platforms/linux/CMakeLists.txt_. There may be minor differences between the top-level CMakeLists and platform-specific CMakeLists. | ||
|
||
Users can turn those features on or off using compilation options. If a relevant compilation option is not available(`N/A`), it indicates that the feature is permanently enabled. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
had better change using
to by using
?
doc/stability_wasm_proposals.md
Outdated
| Extended Constant Expressions | Yes | N/A | | ||
| Typed Function References | Yes | `WAMR_BUILD_GC` | | ||
| Thread | Yes | `WAMR_BUILD_SHARED_MEMORY` | | ||
| Exception handling[^2] | Yes | `WAMR_BUILD_EXCE_HANDLING` | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is misleading because what we have is not the phase 4 version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. I will move this one to unimplemented Wasm proposals
@@ -0,0 1,28 @@ | |||
# About security issues | |||
|
|||
This document aims to explain the process of identifying a security issue and the steps for managing a security issue. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the expected audiences and purposes of this document are not obvious to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The document is intended to:
- Clarify to the community and TSC which types of issues will be recognized as security issues.
- Provide a step-by-step guide on how to handle a security issue once it has been identified.
- Ensure maintainers distinguish security issues from all reported community issues and address them with caution.
- Encourage accurate reporting of security issues, rather than categorizing them as normal issues.
doc/stability_wasm_proposals.md
Outdated
| Legacy Exception handling[^2] | Yes | `WAMR_BUILD_EXCE_HANDLING` | | ||
| WebAssembly C and C API | No | N/A | | ||
|
||
[^1]: jit and aot only |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to classify fast-jit and LLVM-jit?
…t" in the legacy exception handling note
No description provided.