doc: add revert doc (#5296)
killagu authored Feb 19, 2024
1 parent 15fb67b commit c5e53b8
Showing 2 changed files with 35 additions and 0 deletions.
18 changes: 18 additions & 0 deletions site/docs/core/security.md
Expand Up @@ -668,3 +668,21 @@ This function scans the script tag in the template and automatically adds `nonce
For sites that do not open HTTPS, this function can be limited to preventing ISP hijacking.

[egg-view-nunjucks]: https://github.com/eggjs/egg-view-nunjucks

## Revert CVE


In the security fixes of node.js, there may be breaking changes. For example, in version 18.9.1, a security vulnerability was fixed, which caused some encryption-related code to not function properly. To address this issue, we provide a revert parameter, which is converted to the --security-revert parameter at startup, allowing the bypassing of the CVE fix.

```json
// package.json
{
"egg": {
// Supports two configuration methods
// One is to use a string directly, specifying a CVE
"revert": "CVE-2023-46809",
// The other is to use an array of strings, allowing the specification of multiple CVEs
"revert": [ "CVE-2023-46809" ]
}
}
```
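
Review bot: The `package.json` example in the new "Revert CVE" section is not valid JSON as written: it declares `"revert"` twice inside the same `"egg"` object and carries `//` comments inside a fence tagged `json`. A reader who pastes it gets a parse error from the comments, and with the comments stripped only the last `"revert"` value would be kept. Suggest splitting it into two snippets, one with `"revert": "CVE-2023-46809"` and one with `"revert": [ "CVE-2023-46809" ]`, and moving the explanation into the prose above them. Two smaller points: the paragraph writes revert and --security-revert without backticks while the zh-CN text added in this same commit formats them as code, and there are two blank lines after the heading.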
17 changes: 17 additions & 0 deletions site/docs/core/security.zh-CN.md
Expand Up @@ -637,3 +637,20 @@ exports.security = {
对于未开启 HTTPS 的网站,此函数可以有效防止运营商劫持。

[egg-view-nunjucks]: https://github.com/eggjs/egg-view-nunjucks

## Revert CVE

在 node.js 的安全修复中可能会造成 Breaking change,例如在 18.9.1 版本中修复了一个安全漏洞,导致了一些加密相关的代码无法正常运行。为了解决这个问题,我们提供了一个 `revert` 的参数,在启动时转换为 `--security-revert` 参数,可以绕过 CVE 的修复。

```json
// package.json
{
"egg": {
// 支持两种配置方式
// 一种是直接使用字符串,指定一个 CVE
"revert": "CVE-2023-46809",
// 另一种是使用字符串数组,可以指定多个 CVE
"revert": [ "CVE-2023-46809" ]
}
}
```
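
Review bot: The paragraph under "Revert CVE" ends at "可以绕过 CVE 的修复" and never states what the reader gives up: passing a CVE to `--security-revert` turns the fix off, so the process is exposed to that CVE again for as long as the entry stays in `package.json`. Suggest adding a sentence that says so, and that advises listing only the CVE whose fix actually breaks the application and removing the entry once the affected code has been migrated; the English paragraph in this commit needs the same sentence. The version "18.9.1" cited here and in the English text is also worth confirming against the Node.js release notes for the CVE-2023-46809 fix before merging, since readers will use it to decide whether they are affected.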
