Skip to content

Commit c7c7e7f

Browse files
authored
docs: clarify proxy threat model (#5530)
Signed-off-by: Matteo Collina <hello@matteocollina.com>
1 parent 6de5935 commit c7c7e7f

1 file changed

Lines changed: 21 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -87,6 +87,17 @@ meet the following criteria:
8787
* Dependencies installed by the application.
8888
* The DNS resolution results provided by the operating system or configured
8989
resolvers.
90+
* The network environment in which the process runs, including any private or
91+
internal networks it can reach, for the privacy of traffic on that network.
92+
Deployments that require stronger isolation, monitoring, or egress controls
93+
are responsible for providing them.
94+
* Any proxy server configured by the application, runtime, or environment.
95+
Proxies are trusted network intermediaries and must be authorized by the
96+
relevant network or deployment authority. Undici's proxy support is for
97+
routing traffic through such proxies, for example to reach external networks
98+
through a firewall; it is not intended to provide anonymity, hide traffic, or
99+
bypass organizational, regulatory, or legal controls. Untrusted proxies are
100+
outside the supported threat model.
90101

91102
In other words, if untrusted data passing through undici to the application
92103
can trigger actions other than those documented for the APIs, there is likely
@@ -172,6 +183,16 @@ lead to a loss of confidentiality, integrity, or availability.
172183
input to request options) are the application's responsibility, not
173184
vulnerabilities in undici.
174185

186+
#### Unauthorized or untrusted proxy use
187+
188+
* If an application configures undici to use a proxy that is untrusted,
189+
malicious, or not authorized by the relevant network or deployment authority,
190+
any resulting privacy loss, policy bypass, regulatory exposure, traffic
191+
manipulation, or unavailability is the deployment's responsibility. Undici
192+
cannot determine whether a proxy is authorized for a user's network or
193+
jurisdiction, and preventing use of proxies to hide traffic or evade controls
194+
is a non-goal.
195+
175196
## Receiving security updates
176197

177198
Security notifications will be distributed via

0 commit comments

Comments
 (0)