青岛移动端
编辑 | blame | 历史 | 原始文档

Threat Model for resolve (module path resolution library)

1. Library Overview

  • Library Name: resolve
  • Brief Description: Implements Node.js require.resolve() algorithm for synchronous and asynchronous file path resolution. Used to locate modules and files in Node.js projects.
  • Key Public APIs/Functions: resolve.sync() / resolve/sync, resolve() / resolve/async

2. Define Scope

This threat model focuses on the core path resolution algorithm, including filesystem interaction, option handling, and cache management.

3. Conceptual System Diagram

Caller Application → resolve(id, options) → Resolution Algorithm → File System
                           │
                           └→ Options Handling
                           └→ Cache System

Trust Boundaries:
- Input module IDs: May come from untrusted sources (user input, configuration)
- Filesystem access: The library interacts with the filesystem to resolve paths
- Options: Provided by the caller
- Cache: Used to improve performance, but could be a vector for tampering or information disclosure if not handled securely

4. Identify Assets

  • Integrity of resolution output: Ensure correct and safe file path matching.
  • Confidentiality of configuration: Prevent sensitive path information from being leaked.
  • Availability/performance for host application: Prevent crashes or resource exhaustion.
  • Security of host application: Prevent path traversal or unintended filesystem access.
  • Reputation of library: Maintain trust by avoiding supply chain attacks and vulnerabilities[1][3][4].

5. Identify Threats

Component / API / Interaction S T R I D E
Public API Call (resolve/async, resolve/sync)
Filesystem Access
Options Handling
Cache System

Key Threats:
- Spoofing: Malicious module IDs mimicking legitimate packages, or spoofing configuration options[1].
- Tampering: Caller-provided paths altering resolution order, or cache tampering leading to incorrect results[1][4].
- Information Disclosure: Error messages revealing filesystem structure or sensitive paths[1].
- Denial of Service: Recursive or excessive resolution exhausting filesystem handles or causing application crashes[1].
- Path Traversal: Malicious input allowing access to files outside the intended directory[4].

6. Mitigation/Countermeasures

Threat Identified Proposed Mitigation
Spoofing (malicious module IDs/config) Sanitize input IDs; validate against known patterns; restrict basedir to app-controlled paths[1][4].
Tampering (path traversal, cache) Validate input IDs for directory escapes; secure cache reads/writes; restrict cache to trusted sources[1][4].
Information Disclosure (error messages) Generic "not found" errors without internal paths; avoid exposing sensitive configuration in errors[1].
Denial of Service (resource exhaustion) Limit recursive resolution depth; implement timeout; monitor for excessive filesystem operations[1].

7. Risk Ranking

  • High: Path traversal via malicious IDs (if not properly mitigated)
  • Medium: Cache tampering or spoofing (if cache is not secured)
  • Low: Information disclosure in errors (if error handling is generic)

8. Next Steps & Review

  1. Implement input sanitization for module IDs and configuration.
  2. Add resolution depth limiting and timeout.
  3. Audit cache handling for race conditions and tampering.
  4. Regularly review dependencies for vulnerabilities.
  5. Keep documentation and threat model up to date.
  6. Monitor for new threats as the ecosystem and library evolve[1][3].