Asad
Asad2mo ago

Deno permissions and security

Hello I see that deno provides allow net and filesystem - how can i restrict these things based on the file and not blanket on the sandbox? I.e. i have my code and user code - i want to restrict user code but allow my code to have access - user code may use apis defined in my code
14 Replies
marvinh.
marvinh.2mo ago
The permissions are on a process level. You can spawn user code in a child process and pass different permission args to the deno child process
Asad
AsadOP2mo ago
Then it would not be able to interop with parent process code right?
raunioroo
raunioroo2mo ago
Not directly. But you can implement some form of message passing between processes by for example reading and writing JSON lines to/from stdin/stdout. It's a bit involved but works great. Not that different from passing messages between main thread and a web worker. In fact, you should be able to do what @marvinh. suggested using web workers too. That can be slightly more efficient. Web workers inherit the permissions of you main code by default, but looks like you can override that. The manual says specifying permissions in web workers is unstable, idk, have not personally tried that. But look for "Specifying web worker permissions" in https://docs.deno.com/runtime/reference/web_platform_apis/ if interested (--unstable-worker-options seems to be the flag to enable overriding worker permissions)
Asad
AsadOP2mo ago
Marvin didnt say anything about web workers? So there would be an ipc proxy in between? User code tells ipc proxy i want to read file x That then forwards it to my app code that executes it and returns it to the user code via the ipc proxy? Something like that?
raunioroo
raunioroo2mo ago
I meant that you could do with web workers the same thing that marvinh suggested using child processes. I'm using child processes also for a similar-ish problem, not web workers, but just shared the thought web workers could work too Something like that I guess. Not sure what you mean by ipc proxy, though, it's quite direct cli input/output like any terminal app would do, just that there is no user it's between parent and child process. In main process, create a child process from user code, and keep reading that child process output in a streaming manner. As soon as you encounter a new line, parse the line as JSON, and do stuff based on the JSON message. Child process should of course output JSON that the main process understands (just like, console.log(JSON.stringify(stuff)) ); or whatever). Communication works the other way too; main process can write stuff to the child process, and the child process can read that just like it would read normal user input.
Asad
AsadOP2mo ago
How do you feed data to the child process from js deno though?
raunioroo
raunioroo2mo ago
Along the lines of 
const writer = childprocess.stdin.getWriter();
...
const json = JSON.stringify({...});
const data = (new TextEncoder()).encode(json + "\n");
writer.write(data);
const writer = childprocess.stdin.getWriter();
...
const json = JSON.stringify({...});
const data = (new TextEncoder()).encode(json + "\n");
writer.write(data);
Reading, I guess there are multiple more or less convoluted ways, but I do it along the lines of this. No promises this works; I hastily made this example by cutting and pasting from a more complex file, and I may have introduced some errors. But maybe it can get you started. TextLineStream is quite handy in breaking child process output to process them line by line as they come. 
import { TextLineStream } from "jsr:@std/streams@1.0.9/text-line-stream";

const stream = childprocess.stdout;

const tls = new TextLineStream();
const tds = new TextDecoderStream();
const reader = stream.pipeThrough(tds).pipeThrough(tls).getReader();

while (true) {
  const { done, value } = await reader.read();
  if (done) {
    break;
  }
  if (value) {
    const data = JSON.parse(value);
    // DO STUFF HERE
  }
}
import { TextLineStream } from "jsr:@std/streams@1.0.9/text-line-stream";

const stream = childprocess.stdout;

const tls = new TextLineStream();
const tds = new TextDecoderStream();
const reader = stream.pipeThrough(tds).pipeThrough(tls).getReader();

while (true) {
  const { done, value } = await reader.read();
  if (done) {
    break;
  }
  if (value) {
    const data = JSON.parse(value);
    // DO STUFF HERE
  }
}
Asad
AsadOP2mo ago
Hmmm Not sure if that is the way i want to go Thanks for the help though It is a tough ask If both codes are working in the same process how can one have different permission than the other Cant even do inter process communication using a file Since the app code will need file system access which will give the untrusted user code filesystem code access too
zamfofex
zamfofex2mo ago
The processes don’t have any constraints on what they can do, it’s the Deno runtime that can choose to allow/deny programs to exit the JS sandbox. In the case of workers, the runtime will allow the main thread to exit the sandbox, but deny the worker from doing so. You can use stdin/stdout (and stderr) of the subprocess for communication. But of course that means the subprocess won’t be able to use those streams as it normally would. I’m not sure if there is a way to set file descriptors other than 0,1,2 for child processes in Deno, but if that is possible, then that is a good alternative to hijacking the process’s std{in,out,err}.
raunioroo
raunioroo2mo ago
Yeah, I agree doing complex stuff with child processes with message passing is not fun. Can be done and works, but a lot of effort (I even do streaming of files between processes to avoid giving fs access to childs. that was a doozy to implement using json message passing, never again haha... ) Also agree with everything zamfofex said. You can't. Unless using web workers which are same process, but different threads. And turns out worker threads can have different permissions. But then, communication between threads (workers and main code) also happens via message passing - which is not that different from what you need to do if you were using child processes. A bit simpler with workers, but the same approach and can be similarly annoying to work with This I don't understand. You can and probably should do ipc via stdout/stdin. Or via files, if you give proper permissions to both processes. Child processes don't inherit permissions of parent, you definitely can specify them separately, and only give the child process access to the files it needs, nothing else.
Asad
AsadOP2mo ago
Can i do web workers server side? Or only in browser?
Zon
Zon2mo ago
https://docs.deno.com/examples/web_workers/
Deno
Web workers
In-depth documentation, guides, and reference materials for building secure, high-performance JavaScript and TypeScript applications with Deno
Zon
Zon2mo ago
it inherits the permission of the main process oh wait you can configure it
Asad
AsadOP2mo ago
Thanks for all the info!

Did you find this page helpful?