foster/denoland-deno
1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-11-21 15:04:11 -05:00
Code Issues Packages 1 Wiki Activity

fix(permissions): disallow launching subprocess with LD_PRELOAD env var without full run permissions (#25221)

Browse source 
Ref https://github.com/denoland/deno/pull/25215

Closes https://github.com/denoland/deno/issues/11964
This commit is contained in:
David Sherret 2024-08-27 22:03:09 -04:00 committed by GitHub
parent b1b72a8a49
commit 1a6fd38f2f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 47 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
runtime/ops/process.rs
View file

@ -229,9 +229,23 @@ fn create_command(
mut args: SpawnArgs,
api_name: &str,
) -> Result<CreateCommand, AnyError> {
state
.borrow_mut::<PermissionsContainer>()
.check_run(&args.cmd, api_name)?;
{
let permissions = state.borrow_mut::<PermissionsContainer>();
permissions.check_run(&args.cmd, api_name)?;
// error the same on all platforms
if permissions.check_run_all(api_name).is_err()
&& (args.env.iter().any(|(k, _)| k.trim() == "LD_PRELOAD")
|| !args.clear_env
&& std::env::vars().any(|(k, _)| k.trim() == "LD_PRELOAD"))
{
// we don't allow users to launch subprocesses with the LD_PRELOAD
// env var set because this allows executing any code
return Err(deno_core::error::custom_error(
"PermissionDenied",
"Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable."
));
}
}
let mut command = std::process::Command::new(args.cmd);

14
tests/specs/run/ld_preload/__test__.jsonc Normal file
View file

@ -0,0 +1,14 @@
{
"tests": {
"env_arg": {
"args": "run --allow-run=echo env_arg.ts",
"output": "env_arg.out",
"exitCode": 1
},
"set_with_allow_env": {
"args": "run --allow-run=echo --allow-env set_with_allow_env.ts",
"output": "set_with_allow_env.out",
"exitCode": 1
}
}
}

4
tests/specs/run/ld_preload/env_arg.out Normal file
View file

@ -0,0 +1,4 @@
error: Uncaught (in promise) PermissionDenied: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
}).spawn();
^
at [WILDCARD]

5
tests/specs/run/ld_preload/env_arg.ts Normal file
View file

@ -0,0 +1,5 @@
const output = new Deno.Command("echo", {
env: {
"LD_PRELOAD": "./libpreload.so",
},
}).spawn();

4
tests/specs/run/ld_preload/set_with_allow_env.out Normal file
View file

@ -0,0 +1,4 @@
error: Uncaught (in promise) PermissionDenied: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
const output = new Deno.Command("echo").spawn();
^
at [WILDCARD]

3
tests/specs/run/ld_preload/set_with_allow_env.ts Normal file
View file

@ -0,0 +1,3 @@
Deno.env.set("LD_PRELOAD", "./libpreload.so");
const output = new Deno.Command("echo").spawn();