1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-12-22 07:14:47 -05:00

fix(runtime): allow r/w access to /etc without --allow-all (#23718)

This is not a special path that can be used to escalate or bypass Deno
permissions, such as `--allow-env`.
This commit is contained in:
Luca Casonato 2024-05-07 14:51:42 +02:00 committed by GitHub
parent e7a2317f5a
commit f3cc760f2f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 1 additions and 10 deletions

View file

@ -1691,19 +1691,10 @@ impl PermissionsContainer {
self.check_was_allow_all_flag_passed().map_err(error_all)?;
}
}
if path.starts_with("/etc") {
self.check_was_allow_all_flag_passed().map_err(error_all)?;
}
} else if cfg!(unix) {
if path.starts_with("/dev") {
self.check_was_allow_all_flag_passed().map_err(error_all)?;
}
if path.starts_with("/etc") {
self.check_was_allow_all_flag_passed().map_err(error_all)?;
}
if path.starts_with("/private/etc") {
self.check_was_allow_all_flag_passed().map_err(error_all)?;
}
} else if cfg!(target_os = "windows") {
fn is_normalized_windows_drive_path(path: &Path) -> bool {
let s = path.as_os_str().as_encoded_bytes();

View file

@ -4,8 +4,8 @@
const testCases = [
// Allowed, safe
[["darwin", "linux"], null, "/dev/null"],
[["darwin", "linux"], null, "/etc/passwd"],
// Denied, requires `--allow-all`
[["darwin", "linux"], /PermissionDenied/, "/etc/hosts"],
[["darwin", "linux"], /PermissionDenied/, "/dev/ptmx"],
[["linux"], /PermissionDenied/, "/proc/self/environ"],
[["linux"], /PermissionDenied/, "/proc/self/mem"],