List security issues

[dougwilson]

From #220 (comment) we should come up with some method to responsibly list express versions and security issues somewhere. I don't know a lot about how security disclosures are done, so need input from an expert.

[dougwilson]

Per @elliotf my input is not required in this repo.

[dougwilson]

I'll reopen this, as I made my point :)

[hacksparrow]

👍 we really need this.

[crandmck]

I'd like to begin addressing this. Ideally, we could summarize known security issues (and fixes, if applicable) to each version: 2.x, 3.x, and 4.x. This could potentially be a time-sink, so I'd like to just make a start and clearly state that it's a partial/working list as a starting point.

[hacksparrow]

One "vulnerability" which was intrinsic to Express is express.bodyParser in 3.x. Everything else I can think of is either a Node vulnerability or standard web development vulnerability - XSS, CSRF etc.

@dougwilson, any suggestions?

[dougwilson]

I don't think we should list vulnerabilities introduced by bad usage patterns or we'll be here forever. bodyParser is an example of this, just like csurf, et. al.

I was originally talking about intrinsic vulnerabilities that has no way to work-around except to upgrade code because the code itself is just broken.

[hacksparrow]

OK, pointers on where to look for intrinsic vulnerabilities? History.md mentions only "Rosetta Flash JSONP abuse".

[dougwilson]

It mentions that we were not vulnerable to it :) I never listed vulnerability fixed in history, as it would bring attention to them. No list exists anywhere, which was the point of this issue; someone needs to research through every commit and all dependency commits to determine where security issues were fixed.

[hacksparrow]

Harrrr, that's gonna be one heck of a task. Wouldn't listing the vulnerabilities here defeat the practice of not listing them in history?