
docs: update threatmodel#10765

Merged
jasonsaayman merged 2 commits into v1.x from docs/improve-threatmodel on Apr 19, 2026

Conversation

@jasonsaayman
Member

@jasonsaayman jasonsaayman commented Apr 19, 2026

Summary by cubic

Refreshes THREATMODEL.md to document recently shipped hardening and clarify residual risks, covering multipart per‑part header injection defenses, read‑side prototype‑pollution gadgets, stricter NO_PROXY parsing, decompression limits (including stream responses), and a new form‑data recursion DoS limit.

Description


  • Summary of changes
    • T-R3: Added multipart per‑part header injection coverage; documented formDataToStream CRLF/name sanitization.
    • T-R4: Split into write‑side and new read‑side gadgets (T‑R4b); noted hasOwnProp guards in mergeConfig, defaults, adapters, and config resolution.
    • T-R5: Clarified decompression bomb protections for buffered and responseType: 'stream'; noted request‑side limits and the redirect edge case fix.
    • T-R9: Hardened NO_PROXY handling for CIDR, IPv6 literals, and wildcards.
    • T-R11: Added form‑data recursion DoS with formSerializer.maxDepth default and error behavior.
    • Non‑goals: Narrowed to “fully compromised caller,” while noting defenses for polluted prototypes from transitive deps.
    • Supply chain: Updated T‑S1/T‑S6 gaps (path‑scoped CODEOWNERS); refreshed the risk summary table.
  • Reasoning
    • Keep the threat model aligned with shipped mitigations and current behavior.
  • Additional context
    • References GHSA fixes where relevant. Docs‑only; no runtime changes.

Docs

  • Cross‑link /docs/pages/misc/security.md to the updated sections in THREATMODEL.md.
  • Document formSerializer.maxDepth in:
    • /docs/pages/advanced/multipart-form-data-format.md
    • /docs/pages/advanced/x-www-form-urlencoded-format.md
  • Add a short “Security limits” snippet (maxContentLength/maxBodyLength) to the Node usage page and link to the threat model.

Testing

  • No tests added or modified (documentation‑only).
  • No additional tests needed.

Semantic version impact

  • No code changes. No release required.

Written for commit 24cddeb. Summary will update on new commits.

@jasonsaayman jasonsaayman self-assigned this Apr 19, 2026
@jasonsaayman jasonsaayman added priority::medium A medium priority commit::docs The PR is related to docs labels Apr 19, 2026
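Two of the mitigations the description lists, the per-part header CRLF/name sanitization under T-R3 and the form-data recursion depth limit under T-R11, shown as an added illustration in plain JavaScript. This is not axios code and not taken from THREATMODEL.md: the helper names, the `sanitize` switch used to contrast the vulnerable and hardened encoders, the `maxDepth` default of 5 and the error types thrown are this example's own assumptions; axios documents the actual `formSerializer.maxDepth` default and error behaviour itself.

```javascript
// Added illustration (not axios code): two hardening measures from the
// threat-model update, re-implemented in miniature so the failure modes
// are visible side by side.
//
// 1. Multipart per-part header injection: a field name or filename that
//    contains CR/LF must not be able to end the Content-Disposition line
//    and smuggle an extra header (e.g. a different Content-Type) into the part.
// 2. Form-data recursion DoS: flattening a deeply nested or cyclic object
//    into form fields must stop at a depth limit instead of recursing until
//    the stack or memory is exhausted.

const CRLF = '\r\n';

// Collapse line breaks and escape double quotes so a caller-controlled name
// cannot break out of the quoted header parameter. The exact replacement
// characters are this example's choice, not axios behaviour.
function sanitizeHeaderParam(value) {
  return String(value)
    .replace(/\r\n|\r|\n/g, ' ')
    .replace(/"/g, '%22');
}

// Build the header block of one part. `sanitize: false` reproduces the
// vulnerable behaviour (raw interpolation) purely for comparison.
function buildPartHeaders(name, filename, contentType, sanitize = true) {
  const clean = sanitize ? sanitizeHeaderParam : String;
  let disposition = `form-data; name="${clean(name)}"`;
  if (filename !== undefined) {
    disposition += `; filename="${clean(filename)}"`;
  }
  const headers = [`Content-Disposition: ${disposition}`];
  if (contentType) headers.push(`Content-Type: ${contentType}`);
  return headers.join(CRLF) + CRLF + CRLF;
}

// Serialize an array of {name, value, filename?, contentType?} parts.
function encodeMultipart(parts, boundary, { sanitize = true } = {}) {
  let body = '';
  for (const p of parts) {
    body += `--${boundary}${CRLF}`;
    body += buildPartHeaders(p.name, p.filename, p.contentType, sanitize);
    body += String(p.value) + CRLF;
  }
  return body + `--${boundary}--${CRLF}`;
}

// Count the header lines of the first part; a successful injection shows up
// as an extra line that the sender never intended to emit.
function countFirstPartHeaderLines(body, boundary) {
  const start = body.indexOf(`--${boundary}${CRLF}`) + boundary.length + 4;
  const end = body.indexOf(CRLF + CRLF, start);
  return body.slice(start, end).split(CRLF).length;
}

// Flatten nested data into [key, value] pairs in bracket style (a[b][0]=v),
// refusing to descend past `maxDepth` and refusing cycles. Only own
// enumerable keys are visited, so a polluted Object.prototype is not walked.
// The option name, default and RangeError are this example's assumptions.
function flattenFormData(data, { maxDepth = 5 } = {}) {
  const out = [];
  const seen = new WeakSet();
  function visit(value, path, depth) {
    if (depth > maxDepth) {
      throw new RangeError(`form data nesting exceeds maxDepth=${maxDepth}`);
    }
    if (value !== null && typeof value === 'object') {
      if (seen.has(value)) throw new TypeError('circular form data');
      seen.add(value);
      for (const key of Object.keys(value)) {
        visit(value[key], path ? `${path}[${key}]` : key, depth + 1);
      }
      return;
    }
    out.push([path, String(value)]);
  }
  visit(data, '', 0);
  return out;
}

// Constructed attacker-style inputs for the two scenarios above.
function buildNested(depth) {
  let obj = 'leaf';
  for (let i = 0; i < depth; i++) obj = { k: obj };
  return obj;
}

const INJECTED_NAME = 'file\r\nContent-Type: text/html';
```

Run with `node`; `encodeMultipart([{ name: INJECTED_NAME, value: 'x' }], 'B', { sanitize: false })` yields a first part with two header lines, the hardened default yields one, and `flattenFormData(buildNested(10))` throws instead of producing ten levels of `k[k][k]...` keys.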
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 1 file

Confidence score: 4/5

  • This PR looks safe to merge with minimal risk, since the only reported issue is a documentation consistency problem rather than a functional regression.
  • In THREATMODEL.md, the T-S3 summary says “🟢 Good” while the detailed T-S3 section still lists unresolved policy gaps, which can mislead readers about the actual risk posture.
  • Because the issue is moderate-low severity (4/10) and limited to internal threat-model reporting, impact is mainly decision-making clarity rather than runtime behavior.
  • Pay close attention to THREATMODEL.md - align the T-S3 summary status with the detailed section so policy gaps are represented consistently.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="THREATMODEL.md">

<violation number="1" location="THREATMODEL.md:455">
P2: The T-S3 summary row now reports “🟢 Good” with no priority gap, but the detailed T-S3 section still documents unresolved policy gaps; this makes the risk posture internally inconsistent.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread THREATMODEL.md Outdated
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
@jasonsaayman jasonsaayman merged commit 908f220 into v1.x Apr 19, 2026
25 checks passed
@jasonsaayman jasonsaayman deleted the docs/improve-threatmodel branch April 19, 2026 16:38
