Aziz 15mo ago

Inquiry Regarding Deno Security Model and Command Injection Vulnerability

I am currently instructing a class on software security and have been exploring Deno's security model as part of our curriculum. One of the noteworthy features of Deno is its permission-based security model, which I understand should inherently provide a level of defense against unauthorized read and write operations, especially through command injections? To illustrate, I've been working with a piece of code that does not have explicit read or write permissions. However, during our exploration, we've observed that it still seems possible to perform read and write operations through command injection, contrary to our initial understanding of Deno’s security guarantees.
```js
import { Application, Router } from "https://deno.land/x/oak/mod.ts";
import { exec } from "https://deno.land/x/exec/mod.ts";

const app = new Application();
const router = new Router();

// Serve static files from the current directory

// Handler opening reconstructed: the post shows only its body. The /ping path,
// the "ip" query parameter and port 3000 come from the URL quoted in the post.
router.get("/ping", async (context) => {
  const ip = context.request.url.searchParams.get("ip");

  // User input is interpolated into a shell command line (the injection point).
  const cmd = await Deno.run({
    cmd: ["sh", "-c", `ping -c 4 ${ip}`],
    stdout: "piped",
    stderr: "piped",
  });

  const [status, stdout, stderr] = await Promise.all([
    cmd.status(),
    cmd.output(),
    cmd.stderrOutput(),
  ]);

  if (status.success) {
    const result = new TextDecoder().decode(stdout);
    // Send result to client
    context.response.body = result;
  } else {
    const error = new TextDecoder().decode(stderr);
    console.log(error);
  }
});

app.use(router.routes());
await app.listen({ port: 3000 });
```
Running this through `deno run --allow-net --allow-env --allow-run indexSecure.js` does not prevent read/write via command injection: `localhost:3000/ping?ip=google.com; echo hello > hi.txt`

This is a question for educational purposes. As I said, I am teaching a security class and would like to understand the depth of security that Deno offers. It seems that even without a read/write permission, a program can read and write through executing a bash script? Thanks
4 Replies
javi 15mo ago
I do not fully understand your question. By running deno with `--allow-net` and `--allow-run` you're giving explicit permission for deno to access all network features and run commands. You can narrow down these permissions by using the following syntax: `--allow-read=.env,main.bin`. You should also sanitize the user input; interpolating a script and executing whatever was fed into it is not the way to go.
Aziz (OP) 15mo ago
Thanks for replying! My question is, if I run deno with `--allow-run`, the program can do read/write through the command line, right? Thus `--allow-run` is equivalent to `allow-all` in that sense, right? I am just teaching a security class; that is the lesson I am trying to teach the students 🙂
javi 15mo ago
Well yes and no. If the user controls the command executed, yes. It’s the same as `--allow-ffi`. If you grant that, FFI can be used, essentially overcoming all sandbox features.
cknight 15mo ago
From the docs:
"Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the Deno process."
Thus CLI permission flags don't apply when running subprocesses and you are effectively allowing all for them.
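
Added example, not part of the thread or of Deno's own code: the `sh -c` argv from the question next to a shell-free argv that allow-lists the target, using the payload quoted in the question as constructed input. The function names (`parsePingTarget`, `shellArgv`, `directArgv`, `runPing`) are hypothetical, and `runPing` assumes a Deno runtime with `Deno.Command`.

```javascript
// Added example (not from the thread). Function names are hypothetical.

// Allow-list: DNS hostname or dotted IPv4, at most 253 characters. Every label
// must start with an alphanumeric, so shell metacharacters, spaces and a
// leading "-" (option injection) are all rejected.
const HOST_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

function parsePingTarget(raw) {
  return typeof raw === "string" && HOST_RE.test(raw) ? raw : null;
}

// Pattern from the question: the whole interpolated string is parsed by sh.
function shellArgv(ip) {
  return ["sh", "-c", `ping -c 4 ${ip}`];
}

// Hardened: no shell. The target is one argv element, or the request is refused.
function directArgv(raw) {
  const target = parsePingTarget(raw);
  return target === null ? null : ["ping", "-c", "4", target];
}

// Deno-only: spawn ping directly, without a shell in between.
async function runPing(raw) {
  const argv = directArgv(raw);
  if (argv === null) return { ok: false, body: "invalid target" };
  const { success, stdout } = await new Deno.Command(argv[0], {
    args: argv.slice(1),
    stdout: "piped",
    stderr: "piped",
  }).output();
  return { ok: success, body: new TextDecoder().decode(stdout) };
}

// Constructed input: the payload quoted in the question.
const payload = "google.com; echo hello > hi.txt";
console.log(shellArgv(payload));      // third element still carries "; echo hello > hi.txt"
console.log(directArgv(payload));     // null: refused before any process is spawned
console.log(directArgv("google.com"));
```

Started with `--allow-run=ping` instead of a bare `--allow-run`, the process can spawn only `ping`; the spawned `ping` itself still runs outside the sandbox, as the docs quote above says.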