mirror of
https://github.com/denoland/deno.git
synced 2024-11-24 15:19:26 -05:00
feat: warn when using --allow-run
with no allow list (#25215)
This commit is contained in:
parent
f7ddea3af7
commit
b0525edd6f
11 changed files with 46 additions and 11 deletions
|
@ -809,6 +809,8 @@ impl CliOptions {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
warn_insecure_allow_run_flags(&flags);
|
||||||
|
|
||||||
let maybe_lockfile = maybe_lockfile.filter(|_| !force_global_cache);
|
let maybe_lockfile = maybe_lockfile.filter(|_| !force_global_cache);
|
||||||
let deno_dir_provider =
|
let deno_dir_provider =
|
||||||
Arc::new(DenoDirProvider::new(flags.cache_path.clone()));
|
Arc::new(DenoDirProvider::new(flags.cache_path.clone()));
|
||||||
|
@ -1688,6 +1690,27 @@ impl CliOptions {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Warns for specific uses of `--allow-run`. This function is not
|
||||||
|
/// intended to catch every single possible insecure use of `--allow-run`,
|
||||||
|
/// but is just an attempt to discourage some common pitfalls.
|
||||||
|
fn warn_insecure_allow_run_flags(flags: &Flags) {
|
||||||
|
let permissions = &flags.permissions;
|
||||||
|
if permissions.allow_all {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
let Some(allow_run_list) = permissions.allow_run.as_ref() else {
|
||||||
|
return;
|
||||||
|
};
|
||||||
|
|
||||||
|
// discourage using --allow-run without an allow list
|
||||||
|
if allow_run_list.is_empty() {
|
||||||
|
log::warn!(
|
||||||
|
"{} --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)",
|
||||||
|
colors::yellow("Warning")
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/// Resolves the path to use for a local node_modules folder.
|
/// Resolves the path to use for a local node_modules folder.
|
||||||
fn resolve_node_modules_folder(
|
fn resolve_node_modules_folder(
|
||||||
cwd: &Path,
|
cwd: &Path,
|
||||||
|
|
|
@ -17,9 +17,7 @@ if (import.meta.main) {
|
||||||
"--config",
|
"--config",
|
||||||
Deno.realPathSync("../config/deno.json"),
|
Deno.realPathSync("../config/deno.json"),
|
||||||
"--no-lock",
|
"--no-lock",
|
||||||
"--allow-read",
|
"-A",
|
||||||
"--allow-run",
|
|
||||||
"--allow-ffi",
|
|
||||||
"--unstable-ffi",
|
"--unstable-ffi",
|
||||||
import.meta.url,
|
import.meta.url,
|
||||||
],
|
],
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
Warning --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)
|
||||||
NotCapable: Requires run access to "deno", run again with the --allow-run flag
|
NotCapable: Requires run access to "deno", run again with the --allow-run flag
|
||||||
at [WILDCARD] {
|
at [WILDCARD] {
|
||||||
name: "NotCapable"
|
name: "NotCapable"
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
Running...
|
Running...
|
||||||
NotCapable: Requires run access to "deno", run again with the --allow-run flag
|
NotCapable: Requires run access to "binary", run again with the --allow-run flag
|
||||||
[WILDCARD]
|
[WILDCARD]
|
||||||
at file:///[WILDLINE]/sub.ts:15:5 {
|
at file:///[WILDLINE]/sub.ts:15:5 {
|
||||||
name: "NotCapable"
|
name: "NotCapable"
|
||||||
}
|
}
|
||||||
NotCapable: Requires run access to "deno", run again with the --allow-run flag
|
NotCapable: Requires run access to "binary", run again with the --allow-run flag
|
||||||
[WILDCARD]
|
[WILDCARD]
|
||||||
at file:///[WILDLINE]/sub.ts:23:22 {
|
at file:///[WILDLINE]/sub.ts:23:22 {
|
||||||
name: "NotCapable"
|
name: "NotCapable"
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
const binaryName = Deno.build.os === "windows" ? "deno.exe" : "deno";
|
const binaryName = Deno.build.os === "windows" ? "binary.exe" : "binary";
|
||||||
Deno.copyFileSync(Deno.execPath(), binaryName);
|
Deno.copyFileSync(Deno.execPath(), binaryName);
|
||||||
|
|
||||||
console.log("Running...");
|
console.log("Running...");
|
||||||
|
@ -9,9 +9,12 @@ new Deno.Command(
|
||||||
"run",
|
"run",
|
||||||
"--allow-write",
|
"--allow-write",
|
||||||
"--allow-read",
|
"--allow-read",
|
||||||
`--allow-run=deno`,
|
`--allow-run=binary`,
|
||||||
"sub.ts",
|
"sub.ts",
|
||||||
],
|
],
|
||||||
|
env: {
|
||||||
|
PATH: Deno.cwd(),
|
||||||
|
},
|
||||||
stderr: "inherit",
|
stderr: "inherit",
|
||||||
stdout: "inherit",
|
stdout: "inherit",
|
||||||
},
|
},
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
const binaryName = Deno.build.os === "windows" ? "deno.exe" : "deno";
|
const binaryName = Deno.build.os === "windows" ? "binary.exe" : "binary";
|
||||||
const pathSep = Deno.build.os === "windows" ? "\\" : "/";
|
const pathSep = Deno.build.os === "windows" ? "\\" : "/";
|
||||||
|
|
||||||
Deno.mkdirSync("subdir");
|
Deno.mkdirSync("subdir");
|
||||||
|
@ -6,7 +6,7 @@ Deno.copyFileSync(binaryName, "subdir/" + binaryName);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const commandResult = new Deno.Command(
|
const commandResult = new Deno.Command(
|
||||||
"deno",
|
"binary",
|
||||||
{
|
{
|
||||||
env: { "PATH": Deno.cwd() + pathSep + "subdir" },
|
env: { "PATH": Deno.cwd() + pathSep + "subdir" },
|
||||||
stdout: "inherit",
|
stdout: "inherit",
|
||||||
|
@ -22,7 +22,7 @@ try {
|
||||||
try {
|
try {
|
||||||
const child = Deno.run(
|
const child = Deno.run(
|
||||||
{
|
{
|
||||||
cmd: ["deno"],
|
cmd: ["binary"],
|
||||||
env: { "PATH": Deno.cwd() + pathSep + "subdir" },
|
env: { "PATH": Deno.cwd() + pathSep + "subdir" },
|
||||||
stdout: "inherit",
|
stdout: "inherit",
|
||||||
stderr: "inherit",
|
stderr: "inherit",
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
{
|
||||||
|
"tests": {
|
||||||
|
"no_allow_list": {
|
||||||
|
"args": "run --allow-run main.ts",
|
||||||
|
"output": "no_allow_list.out"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
0
tests/specs/run/allow_run_insecure_warnings/main.ts
Normal file
0
tests/specs/run/allow_run_insecure_warnings/main.ts
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Warning --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)
|
|
@ -1,5 +1,5 @@
|
||||||
{
|
{
|
||||||
"args": "test --allow-run --allow-read captured_output.ts",
|
"args": "test -A captured_output.ts",
|
||||||
"output": "main.out",
|
"output": "main.out",
|
||||||
"envs": { "NO_COLOR": "1" },
|
"envs": { "NO_COLOR": "1" },
|
||||||
"exitCode": 0
|
"exitCode": 0
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
Warning --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)
|
||||||
PermissionStatus { state: "granted", onchange: null, partial: true }
|
PermissionStatus { state: "granted", onchange: null, partial: true }
|
||||||
PermissionStatus { state: "denied", onchange: null }
|
PermissionStatus { state: "denied", onchange: null }
|
||||||
PermissionStatus { state: "granted", onchange: null }
|
PermissionStatus { state: "granted", onchange: null }
|
||||||
|
|
Loading…
Reference in a new issue