
Should we, or how should we, use Deno as a sandbox for untrusted code?

tmcw 3/13/2023
I've been using Deno in this context because of some of the nice security model features. However, it's been tricky hitting snags with the model. For example, user's code runs in a WebWorker and has a specific environment with limited access to APIs. But there's no permission to enable/disable the creation of new Worker objects, so people can create a worker in the worker that has access to raw APIs. Is there a right way to do this?
ioB 3/13/2023
so people can create a worker in the worker that has access to raw APIs
Could you clarify what you mean by this?
tmcw 3/13/2023
Sure, so - even if I lock down the permissions of a worker to something like reading one particular file, and net: true, you can create a worker in that worker to run code in a new context with a new scope, which is something I'd like to prevent. I suspect that ShadowRealms are the long-term solution to controlling this kind of scope, but for now it's not clear what a good solution would be. Like, let's say I want to override fetch for user code, so I do that by controlling scope. Then, a user can create a worker and use the native fetch impl. I'm going to block access to Worker in scope, but I'm trying to learn whether there's a smarter way to solve this problem.
ioB 3/13/2023
Workers should not be able to escalate permissions; this seems like a huge security issue if this actually works. Workers should only be able to spawn workers with the same permissions or less. Maybe I'm misunderstanding something about your question here?
Attacler/Bart 3/13/2023
I would suggest using Deno Subhosting, because you still have stuff going on with CPU/RAM limits, and of course someone could use your service to DDoS some other URL.
ioB 3/13/2023
^ If you want scale, this is probably the right thing to do.
Attacler/Bart 3/13/2023
Or use isolated-vm; I'm using that one, but it's not Deno.
ioB 3/13/2023
I think workers should just work. There should be no exploits to escape the sandbox. They could definitely DDoS someone or bitcoin mine or whatever, though, so I'd be careful about that.
tmcw 3/13/2023
Thanks, yeah - it's not quite escalation, but it's more like… controlling what's in scope for user code, and then being able to access those things. Like, if you don't want people to be able to call, say, Deno.env or postMessage, you can put their code in a function that overrides those variable references in scope, but they can use a worker to bail out of that. I'm hunting around for things like this, that can restrict what user code can do, making parts of scope opt-in rather than opt-out.
ioB 3/13/2023
I see. I think the ShadowRealm API may be able to cover this use case but I’m not too sure
Attacler/Bart 3/13/2023
Very interesting!
bartlomieju 3/13/2023
Just do globalThis.Worker = undefined? That would prevent creation of new workers. Also you'd want to remove some more stuff like Deno[Deno.internal] in that scope too 🙂
ioB 3/14/2023
I did not think about that, fair enough.
tmcw 3/14/2023
Yeah, it's been a battle of slowly adding more and more things to function arguments like ((Worker, Deno) => {})() so that they're set as undefined in the function scope. It seems like the ShadowRealm proposal is the perfect fix for this, though I'm not 100% sure on how it'll manage imported modules and whether that'll land anytime soon. We'd also be a user of the noDenoNamespace option for workers, if that was still around.
