Comments (8)
I think we might be able to make this work without relaxing the security sandbox -- we'll allow opening FD magic links on unix systems, but only if they are not stdio, and are pipes.
from deno.
With some changes in 1.43 this unfortunately requires --allow-all now, as we don't currently have a way to discriminate between pipes and files in /dev/fd and /proc/self/fd. I think we may be able to improve this situation.
from deno.
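The two comments above describe a rule (allow fd magic links only when they name a pipe that is not stdio) and the missing piece needed to enforce it (telling pipes from files behind /dev/fd and /proc/self/fd). The following is an added example, not code from the Deno project or from anyone in this thread, showing how that discrimination is made with fstat(2) on the descriptor rather than on the path string, and why the check has to be repeated on the descriptor that open(2) actually returns. It is Linux-only, the names `FdLinkDenied`, `open_fd_link_if_pipe`, `describe_fd` and `demo` are this example's own, and the pipe and temporary file it inspects are constructed inside `demo()`.

```python
"""Deciding whether a /dev/fd or /proc/self/fd "magic link" may be opened.

Added example, not Deno code.  "/dev/fd/7" says nothing about what
descriptor 7 refers to, so a path allowlist cannot express "pipes only";
the object behind the descriptor has to be inspected with fstat(2).
Linux-only; every descriptor inspected here is constructed in demo().
"""
import os
import re
import stat
import tempfile

# Both spellings; on Linux /dev/fd is a symlink to /proc/self/fd.
FD_LINK = re.compile(r"^/(?:dev/fd|proc/self/fd)/(\d+)$")


class FdLinkDenied(PermissionError):
    """Policy refusal; .reason is a short stable code for callers and tests."""

    def __init__(self, path: str, reason: str):
        super().__init__(f"{path}: {reason}")
        self.reason = reason


def fd_from_magic_link(path: str):
    """Descriptor number a magic link names, or None for any other path
    (normpath first, so /dev/fd/../../etc/passwd is not a magic link)."""
    m = FD_LINK.match(os.path.normpath(path))
    return int(m.group(1)) if m else None


def describe_fd(fd: int) -> str:
    """Classify the kernel object behind an open descriptor via fstat(2)."""
    mode = os.fstat(fd).st_mode  # OSError(EBADF) if fd is not open
    for pred, name in ((stat.S_ISFIFO, "pipe"), (stat.S_ISREG, "file"),
                       (stat.S_ISSOCK, "socket"), (stat.S_ISCHR, "chardev"),
                       (stat.S_ISDIR, "directory")):
        if pred(mode):
            return name
    return "other"


def open_fd_link_if_pipe(path: str) -> int:
    """Open a magic link and return the new descriptor only if it is a
    non-stdio pipe.  The object is checked twice: on the descriptor the
    path names (clear early refusal) and again on the descriptor open(2)
    actually returned, so a dup2() racing between the two cannot swap a
    file or socket in behind a pipe."""
    fd = fd_from_magic_link(path)
    if fd is None:
        raise FdLinkDenied(path, "not an fd magic link")
    if fd <= 2:
        raise FdLinkDenied(path, "stdio descriptor")
    try:
        kind = describe_fd(fd)
    except OSError:
        raise FdLinkDenied(path, "descriptor not open") from None
    if kind != "pipe":
        raise FdLinkDenied(path, f"not a pipe: {kind}")
    new_fd = os.open(path, os.O_RDONLY)
    if describe_fd(new_fd) != "pipe":  # target changed between check and open
        os.close(new_fd)
        raise FdLinkDenied(path, "descriptor changed before open")
    return new_fd


def first_closed_fd(start: int = 3) -> int:
    """Lowest descriptor number >= start that nothing has open."""
    fd = start
    while True:
        try:
            os.fstat(fd)
        except OSError:
            return fd
        fd += 1


def demo() -> dict:
    """Run the policy over constructed descriptors; returns label -> outcome."""
    outcomes = {}
    r, w = os.pipe()  # constructed anonymous pipe with one buffered line
    os.write(w, b"hello over a pipe\n")
    os.close(w)
    with tempfile.NamedTemporaryFile() as tmp:  # constructed regular file
        tmp.write(b"secret\n")
        tmp.flush()
        cases = {
            "pipe": f"/proc/self/fd/{r}",
            "file": f"/dev/fd/{tmp.fileno()}",
            "stdin": "/dev/fd/0",
            "closed": f"/dev/fd/{first_closed_fd()}",
            "escape": "/dev/fd/../../etc/passwd",
        }
        for label, path in cases.items():
            try:
                nfd = open_fd_link_if_pipe(path)
                outcomes[label] = ("allowed", os.read(nfd, 64))
                os.close(nfd)
            except FdLinkDenied as e:
                outcomes[label] = ("denied", e.reason)
    os.close(r)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The second `describe_fd` call after `os.open` is the part a quick fix tends to omit: checking the descriptor number before the open leaves a window in which another thread can `dup2()` a socket or a file onto that number, so the classification that matters is the one performed on the descriptor the kernel actually handed back.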
Looks like a lot more is now disallowed which is a big breaking change.
Here is an example from the docs:
$ deno run --allow-read=/etc https://deno.land/[email protected]/examples/cat.ts /etc/passwd
error: Uncaught (in promise) PermissionDenied: permission denied: open '/etc/passwd'
const file = await Deno.open(filename);
^
at Object.open (ext:deno_fs/30_fs.js:633:21)
at https://deno.land/[email protected]/examples/cat.ts:10:27
Moving from --allow-read to --allow-all is very questionable.
from deno.
I personally don't mind adding more granularity to the --allow flags (supposing some new flag will come to allow these extra use cases).
I just don't think it's a good idea to do it in Deno 1.x.
from deno.
> Looks like a lot more is now disallowed which is a big breaking change.
> Here is an example from the docs:
> $ deno run --allow-read=/etc https://deno.land/[email protected]/examples/cat.ts /etc/passwd
> error: Uncaught (in promise) PermissionDenied: permission denied: open '/etc/passwd'
> const file = await Deno.open(filename);
> ^
> at Object.open (ext:deno_fs/30_fs.js:633:21)
> at https://deno.land/[email protected]/examples/cat.ts:10:27
> Moving from --allow-read to --allow-all is very questionable.
This has been relaxed by #23718 and will work again in v1.43.2.
> I personally don't mind adding more granularity to the --allow flags (supposing some new flag will come to allow these extra use cases).
> I just don't think it's a good idea to do it in Deno 1.x.
That's true, but we had to do it because of the security vulnerability that you can see at GHSA-23rx-c3g5-hv9w.
from deno.
Maybe supporting --allow-read=/dev/fd or --allow-read=/proc/self/fd is enough? The user would be explicit about it.
from deno.
@felipecrs Read access to /dev/fd allows bypassing all kinds of --allow-* permissions - so we are unlikely to reconsider for /dev/fd or /dev/self/fd. For more info, see: GHSA-23rx-c3g5-hv9w
from deno.
I see. -A then. Feel free to close this issue.
from deno.