Inquiry Regarding Deno Security Model and Command Injection Vulnerability

Aziz 9/29/2023
I am currently instructing a class on software security and have been exploring Deno's security model as part of our curriculum. One of the noteworthy features of Deno is its permission-based security model, which I understand should inherently provide a level of defense against unauthorized read and write operations, especially through command injections? To illustrate, I've been working with a piece of code that does not have explicit read or write permissions. However, during our exploration, we've observed that it still seems possible to perform read and write operations through command injection, contrary to our initial understanding of Deno’s security guarantees.
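```js
import { Application, Router } from "https://deno.land/x/oak/mod.ts";
import { exec } from "https://deno.land/x/exec/mod.ts";

const app = new Application();
const router = new Router();

// Serve static files from the current directory (code omitted in the post)

// Route and query parsing reconstructed from the request URL quoted below (/ping?ip=...)
router.get("/ping", async (context) => {
  const ip = context.request.url.searchParams.get("ip");

  // The query value is interpolated into a shell string: this is the injection point
  const cmd = await Deno.run({
    cmd: ["sh", "-c", `ping -c 4 ${ip}`],
    stdout: "piped",
    stderr: "piped",
  });

  const [status, stdout, stderr] = await Promise.all([
    cmd.status(),
    cmd.output(),
    cmd.stderrOutput(),
  ]);

  if (status.success) {
    const result = new TextDecoder().decode(stdout);
    // send result to client
    context.response.body = result;
  } else {
    const error = new TextDecoder().decode(stderr);
    console.log(error);
  }
});

// Port taken from the localhost:3000 URL quoted below
app.use(router.routes());
await app.listen({ port: 3000 });
```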
Running this through `deno run --allow-net --allow-env --allow-run indexSecure.js` does not prevent read/write via command injection: `localhost:3000/ping?ip=google.com; echo hello > hi.txt`

This is a question for educational purposes. As I said, I am teaching a security class and would like to understand the depth of security that Deno offers. It seems that even without a read/write permission, a program can read and write through executing a bash script? Thanks
javi 9/29/2023
I do not fully understand your question. By running deno with `--allow-net` and `--allow-run` you're giving explicit permission for deno to access all network features and run commands. You can narrow down these permissions by using the following syntax: `--allow-read=.env,main.bin`. You should also sanitize the user input, interpolating a script and executing whatever was fed into it is not the way to go
Aziz 9/29/2023
Thanks for replying! My question is, if I run deno with `--allow-run`, the program can do read/write through the command line, right? Thus `--allow-run` is equivalent to `allow-all` in that sense, right? I am just teaching a security class, that's the lesson I am trying to teach the students 🙂
javi 9/29/2023
Well yes and no. If the user controls the command executed, yes. It's the same as `--allow-ffi`. If you grant that, FFI can be used, essentially overcoming all sandbox features
cknight 9/29/2023
From the docs:
> Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the Deno process.

Thus CLI permission flags don't apply when running subprocesses and you are effectively allowing all for them.
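
The advice from the replies (validate the input, do not interpolate it into a shell string, scope `--allow-run`), as an added example that is not part of the thread. `parsePingTarget`, `pingArgv` and `runPing` are hypothetical names, and the sketch uses `Deno.Command` with an argv array in place of the `Deno.run` + `sh -c` call from the question:

```javascript
// Added example, not code from the thread. parsePingTarget, pingArgv and
// runPing are hypothetical names.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
// One or more DNS labels: alphanumeric at both ends, hyphens only inside.
const LABEL = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";
const HOSTNAME = new RegExp(`^(?=.{1,253}$)${LABEL}(?:\\.${LABEL})*$`, "i");

// Allow-list check: returns the target unchanged, or null if it is not a
// plain IPv4 address or hostname. Whitespace, ";", "$", "|", ">" and a
// leading "-" (option injection) all fail because they match neither form.
function parsePingTarget(raw) {
  if (typeof raw !== "string") return null;
  const m = IPV4.exec(raw);
  if (m) return m.slice(1).every((octet) => Number(octet) <= 255) ? raw : null;
  return HOSTNAME.test(raw) ? raw : null;
}

// Build an argv array. Each element reaches ping as one argument, so there
// is no shell to interpret metacharacters even if validation had a gap.
function pingArgv(raw) {
  const target = parsePingTarget(raw);
  if (target === null) throw new TypeError("invalid ping target");
  return ["ping", "-c", "4", target];
}

// Deno-only: spawn ping directly (no "sh -c"). Needs --allow-run=ping.
async function runPing(raw) {
  const [bin, ...args] = pingArgv(raw);
  const out = await new Deno.Command(bin, { args }).output();
  const text = new TextDecoder().decode(out.success ? out.stdout : out.stderr);
  return { success: out.success, text };
}

// Constructed inputs; the second is the request value quoted in the thread.
for (const sample of ["google.com", "google.com; echo hello > hi.txt"]) {
  console.log(JSON.stringify(sample), "->", parsePingTarget(sample));
}
```

Started with `deno run --allow-net --allow-run=ping`, the question's `sh -c` call is refused because `sh` is not on the allow list. The spawned `ping` still runs outside the sandbox, as the docs quote above says, so the scoped flag limits which program can be started, not what that program can do.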
