Comments (8)
I think we might be able to make this work without relaxing the security sandbox -- we'll allow opening FD magic links on unix systems, but only if they are not stdio, and are pipes.
With some changes in 1.43 this unfortunately requires --allow-all now, as we don't currently have a way to discriminate between pipes and files in /dev/fd and /proc/self/fd. I think we may be able to improve this situation.
Looks like a lot more is now disallowed which is a big breaking change.
Here is an example from the docs:
$ deno run --allow-read=/etc https://deno.land/[email protected]/examples/cat.ts /etc/passwd
error: Uncaught (in promise) PermissionDenied: permission denied: open '/etc/passwd'
const file = await Deno.open(filename);
^
at Object.open (ext:deno_fs/30_fs.js:633:21)
at https://deno.land/[email protected]/examples/cat.ts:10:27
Moving from --allow-read to --allow-all is very questionable.
I personally don't mind adding more granularity to the --allow flags (supposing some new flag will come to allow these extra use cases).
I just don't think it's a good idea to do it in Deno 1.x.
> Looks like a lot more is now disallowed which is a big breaking change.
> Here is an example from the docs:
> $ deno run --allow-read=/etc https://deno.land/[email protected]/examples/cat.ts /etc/passwd
> error: Uncaught (in promise) PermissionDenied: permission denied: open '/etc/passwd'
> const file = await Deno.open(filename);
> ^
> at Object.open (ext:deno_fs/30_fs.js:633:21)
> at https://deno.land/[email protected]/examples/cat.ts:10:27
> Moving from --allow-read to --allow-all is very questionable.

This has been relaxed by #23718 and will work again in v1.43.2.

> I personally don't mind adding more granularity to the --allow flags (supposing some new flag will come to allow these extra use cases).
> I just don't think it's a good idea to do it in Deno 1.x.

That's true, but we had to do it because of the security vulnerability that you can see at GHSA-23rx-c3g5-hv9w.
Maybe supporting --allow-read=/dev/fd or --allow-read=/proc/self/fd is enough? The user would be explicit about it.
@felipecrs Read access to /dev/fd allows bypassing all kinds of --allow-* permissions - so we are unlikely to reconsider for /dev/fd or /dev/self/fd. For more info, see: GHSA-23rx-c3g5-hv9w
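The first maintainer comment in this thread proposes allowing fd "magic link" paths only when they are not stdio and refer to pipes, and the comment just above explains why plain read access to /dev/fd undermines the other --allow-* permissions. The Rust below is an added illustration of what such a pipe-only check looks like; it is not Deno's own code, and the names FdDecision, fd_number and decide are hypothetical. It parses the descriptor number out of /dev/fd/N or /proc/self/fd/N, refuses fds 0 to 2 outright, and then inspects the type of the object the link resolves to, allowing only a FIFO (pipe) and reporting what it saw otherwise.

```rust
// Added illustration, not code from the Deno project: a pipe-only policy for
// fd "magic link" paths as proposed in the thread. All names are hypothetical.
use std::fs;
use std::os::unix::fs::FileTypeExt;

#[derive(Debug, PartialEq, Eq)]
pub enum FdDecision {
    /// A non-stdio descriptor that refers to a pipe: the one case allowed.
    AllowPipe(u32),
    /// fds 0, 1 and 2 are never reachable through the link, even if piped.
    DenyStdio(u32),
    /// The link resolves to something other than a pipe (kind is described).
    DenyNotPipe(u32, String),
    /// Not a /dev/fd/N or /proc/self/fd/N path; ordinary path rules apply.
    NotFdPath,
    /// The descriptor could not be inspected (e.g. it is not open).
    Error(String),
}

/// Extract N from "/dev/fd/N" or "/proc/self/fd/N". Anything else, including
/// a link with extra path components appended ("/dev/fd/3/.."), is rejected.
pub fn fd_number(path: &str) -> Option<u32> {
    let tail = match path
        .strip_prefix("/dev/fd/")
        .or_else(|| path.strip_prefix("/proc/self/fd/"))
    {
        Some(t) => t,
        None => return None,
    };
    if tail.is_empty() || !tail.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    tail.parse::<u32>().ok()
}

/// Decide whether `path` may be opened under the pipe-only rule.
pub fn decide(path: &str) -> FdDecision {
    let fd = match fd_number(path) {
        Some(fd) => fd,
        None => return FdDecision::NotFdPath,
    };
    if fd <= 2 {
        return FdDecision::DenyStdio(fd);
    }
    // metadata() follows the link, so the type reported is that of the object
    // the descriptor refers to (pipe, file, socket, ...), not the link itself.
    match fs::metadata(path) {
        Ok(md) => {
            let ft = md.file_type();
            if ft.is_fifo() {
                FdDecision::AllowPipe(fd)
            } else {
                let kind = if ft.is_dir() {
                    "directory"
                } else if ft.is_file() {
                    "regular file"
                } else if ft.is_socket() {
                    "socket"
                } else if ft.is_char_device() {
                    "char device"
                } else {
                    "other"
                };
                FdDecision::DenyNotPipe(fd, kind.to_string())
            }
        }
        Err(e) => FdDecision::Error(e.to_string()),
    }
}

fn main() {
    use std::os::unix::io::AsRawFd;
    use std::process::{Command, Stdio};
    for p in ["/proc/self/fd/0", "/etc/passwd", "/dev/fd/3/../../etc/passwd"] {
        println!("{} -> {:?}", p, decide(p));
    }
    // Constructed demo: a pipe to a child process is the one allowed case.
    if let Ok(mut child) = Command::new("cat")
        .stdin(Stdio::piped())
        .stdout(Stdio::null())
        .spawn()
    {
        let stdin = child.stdin.take().unwrap();
        let p = format!("/dev/fd/{}", stdin.as_raw_fd());
        println!("{} -> {:?}", p, decide(&p));
        drop(stdin);
        let _ = child.wait();
    }
}
```

The check deliberately treats anything but a FIFO as a denial, including sockets and character devices, because the concern in the thread is that a descriptor opened under one permission can be re-opened by path under another; a regular file or directory reached through /dev/fd/N is exactly the case that would let a read-only grant turn into something broader. Rejecting paths with components after the number closes the obvious /dev/fd/N/.. traversal as well.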
I see. -A then. Feel free to close this issue.