From 456215e6f446c53dee6154e143fef85fcac27b0e Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 28 Jul 2025 15:39:20 -0300 Subject: [PATCH] doc: add path.join and path.normalize clarification This commit adds explicit clarification to the Node.js threat model that path manipulation functions such as path.join() and path.normalize() trust their input. Issues related to these functions that rely on unsanitized input are not considered vulnerabilities requiring CVEs. --- SECURITY.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index c023dcd2aaf81f..d5cc79095371e3 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -179,6 +179,11 @@ then untrusted input must not lead to arbitrary JavaScript code execution. See . * The `node:wasi` module does not currently provide the comprehensive file system security properties provided by some WASI runtimes. +* The execution path is trusted. Additionally, Node.js path manipulation functions + such as `path.join()` and `path.normalize()` trust their input. Reports about issues + related to these functions that rely on unsanitized input are not considered vulnerabilities + requiring CVEs, as it's the user's responsibility to sanitize path inputs according to + their security requirements. Any unexpected behavior from the data manipulation from Node.js Internal functions may be considered a vulnerability if they are exploitable via
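Review bot: The new bullet in the `SECURITY.md` hunk bundles two distinct statements, "The execution path is trusted." and the claim that `path.join()` / `path.normalize()` trust their input, and the first one is left undefined (it is not clear whether it refers to the binary's location, the working directory, or something else). Suggest splitting it into its own bullet with a short definition, or dropping it if the intent is only the path-function clarification the commit message describes. In the same bullet, "it's the user's responsibility to sanitize path inputs" would be more useful to readers if it said what sanitizing means in this context, for example that these functions only normalize a string lexically and that callers must check the resulting path themselves before using it; otherwise the threat model tells users they are responsible without saying for what. Minor: the added lines wrap noticeably wider than the surrounding bullets (the third line runs past the width the rest of the list uses), and "it's" could be "it is" to match the formal register of the document.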