node-cure-outreach

In section 7 of our paper we described our efforts at outreach to the Node.js community.

Here are links to those efforts.

  1. We wrote a guide for nodejs.org. Our guide describes how to avoid Event Handler Poisoning attacks in Node.js. Our pull request benefited from helpful feedback from community members.
  2. We partitioned the implementation of fs.readFile in the core fs module. Before our change, fs.readFile would stat the file and then submit a single read spanning the entire file. If the file were large, this would block the Worker Pool. Our pull request partitions the read into chunks, with the same overall memory cost but improved sharing of the Worker Pool. The pull request was accepted after a months-long discussion on the performance-security tradeoff involved.
  3. We documented several "Vulnerable APIs", potential DoS vectors among the core APIs. These include fs.readFile (before our patch), crypto.randomBytes and crypto.randomFill, and child_process.spawn.