Aziz
Aziz10mo ago

Inquiry Regarding Deno Security Model and Command Injection Vulnerability

I am currently instructing a class on software security and have been exploring Deno's security model as part of our curriculum. One of the noteworthy features of Deno is its permission-based security model, which I understand should inherently provide a level of defense against unauthorized read and write operations, especially through command injections? To illustrate, I've been working with a piece of code that does not have explicit read or write permissions. However, during our exploration, we've observed that it still seems possible to perform read and write operations through command injection, contrary to our initial understanding of Deno’s security guarantees.
import { Application, Router } from "https://deno.land/x/oak/mod.ts";
import { exec } from "https://deno.land/x/exec/mod.ts";


const app = new Application();
const router = new Router();

// Serve static files from the current directory

const cmd = await Deno.run({
cmd: ["sh", "-c", `ping -c 4 ${ip}`],
stdout: "piped",
stderr: "piped",
});

const [status, stdout, stderr] = await Promise.all([
cmd.status(),
cmd.output(),
cmd.stderrOutput(),
]);

if (status.success) {
const result = new TextDecoder().decode(stdout);
//send result to client
context.response.body = result;
} else {
const error = new TextDecoder().decode(stderr);
console.log(error);
}
}
);
import { Application, Router } from "https://deno.land/x/oak/mod.ts";
import { exec } from "https://deno.land/x/exec/mod.ts";


const app = new Application();
const router = new Router();

// Serve static files from the current directory

const cmd = await Deno.run({
cmd: ["sh", "-c", `ping -c 4 ${ip}`],
stdout: "piped",
stderr: "piped",
});

const [status, stdout, stderr] = await Promise.all([
cmd.status(),
cmd.output(),
cmd.stderrOutput(),
]);

if (status.success) {
const result = new TextDecoder().decode(stdout);
//send result to client
context.response.body = result;
} else {
const error = new TextDecoder().decode(stderr);
console.log(error);
}
}
);
running this through
deno run --allow-net --allow-env --allow-run indexSecure.js
deno run --allow-net --allow-env --allow-run indexSecure.js
does not prevent read/write via command injection : localhost:3000/ping?ip=google.com; echo hello > hi.txt This is question for education purpose. As I said, I am teaching a security class and would like to undersand the depth of security that deno offer. It seems that even without a read/write permission, program can read and write though executing bash script ? Thanks
4 Replies
javi
javi10mo ago
I do not fully understand your question. By running deno with --allow-net and --allow-run you're giving explicit permision for deno to access all network features and run commands. You can narrow down these permissions by using the following syntax: --allow-read=.env,main.bin You should also sanitize the user input, interpolating a script and executing whatever was fed into is not the way to go <:cookie_deno:1002977285734932480>
Aziz
Aziz10mo ago
Thanks for replying! My question is, if i run deno with
--allow-run
--allow-run
, program can do read/write through the command line, right? Thus
--allow-run
--allow-run
is equivalent to
allow-all
allow-all
in that sense, right ? I am just teaching a security class, that the lesson I am trying to teachthe the students 🙂
javi
javi10mo ago
Well yes and no. If the user controls the command executed, yes. It’s the same as —allow-ffi. If you grant that, FFI can be used, essentially overcoming all sandbox features
cknight
cknight10mo ago
From the docs:
Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the Deno process.
Thus cli permission flags don't apply when running subprocesses and you are effectively allowing all for them.