Aziz
Inquiry Regarding Deno Security Model and Command Injection Vulnerability
I am currently instructing a class on software security and have been exploring Deno's security model as part of our curriculum. One of the noteworthy features of Deno is its permission-based security model, which I understand should inherently provide a level of defense against unauthorized read and write operations, especially through command injections?
To illustrate, I've been working with a piece of code that does not have explicit read or write permissions. However, during our exploration, we've observed that it still seems possible to perform read and write operations through command injection, contrary to our initial understanding of Deno’s security guarantees.
running this through
does not prevent read/write via command injection: localhost:3000/ping?ip=google.com; echo hello > hi.txt
This is a question for educational purposes. As I said, I am teaching a security class and would like to understand the depth of security that Deno offers. It seems that even without read/write permission, a program can read and write through executing a bash script?
Thanks
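Added example, not part of the post above and not Deno project code: the handler's code is not shown in the post, so this assumes it reads the `ip` query parameter and runs `ping` on it. It validates the parameter against an allow-list and builds an argv array intended for `Deno.Command` (no shell), so the `; echo hello > hi.txt` suffix from the post is rejected rather than interpreted; `isValidTarget` and `buildPingCommand` are hypothetical names.

```javascript
// Added example. Assumption: the endpoint is /ping?ip=<target> and spawns `ping`.
// Allow-list: an IPv4 literal or a DNS hostname; everything else is rejected.
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidTarget(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 253) {
    return false;
  }
  if (IPV4.test(value)) return true;
  const labels = value.split(".");
  // Every label must be a plain DNS label. A label can never start with "-",
  // which also blocks option injection such as "-f" reaching ping.
  if (!labels.every((label) => LABEL.test(label))) return false;
  // The last label needs a letter, so a malformed IP like 1.2.3.999 is not
  // accepted as a "hostname".
  return /[A-Za-z]/.test(labels[labels.length - 1]);
}

// Returns { cmd, args } for a valid target, or null when the request is rejected.
function buildPingCommand(requestUrl) {
  const target = new URL(requestUrl).searchParams.get("ip");
  if (!isValidTarget(target)) return null;
  // The target is a single argv element. With no shell in between,
  // characters like ; > | & have no special meaning.
  return { cmd: "ping", args: ["-c", "1", target] };
}

// Inside the Deno handler (not executed here), the result would be used as:
//   const { cmd, args } = buildPingCommand(req.url);
//   const out = await new Deno.Command(cmd, { args }).output();
// and the server started with the subprocess permission scoped to one binary:
//   deno run --allow-net --allow-run=ping server.js

// Constructed sample requests; the second carries the payload from the post.
const samples = [
  "http://localhost:3000/ping?ip=google.com",
  "http://localhost:3000/ping?ip=google.com; echo hello > hi.txt",
];
for (const url of samples) {
  const built = buildPingCommand(url);
  console.log(built ? `run: ${built.cmd} ${built.args.join(" ")}` : `rejected: ${url}`);
}
```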