mirror of
https://github.com/denoland/deno.git
synced 2024-12-28 10:09:20 -05:00
92 lines
3 KiB
Markdown
92 lines
3 KiB
Markdown
## Permissions
|
|
|
|
Deno is secure by default. Therefore, unless you specifically enable it, a deno
|
|
module has no file, network, or environment access for example. Access to
|
|
security-sensitive areas or functions requires the use of permissions to be
|
|
granted to a deno process on the command line.
|
|
|
|
For the following example, `mod.ts` has been granted read-only access to the
|
|
file system. It cannot write to it, or perform any other security-sensitive
|
|
functions.
|
|
|
|
```shell
|
|
deno run --allow-read mod.ts
|
|
```
|
|
|
|
### Permissions list
|
|
|
|
The following permissions are available:
|
|
|
|
- **-A, --allow-all** Allow all permissions. This disables all security.
|
|
- **--allow-env** Allow environment access for things like getting and setting
|
|
of environment variables.
|
|
- **--allow-hrtime** Allow high-resolution time measurement. High-resolution
|
|
time can be used in timing attacks and fingerprinting.
|
|
- **--allow-net=\<allow-net\>** Allow network access. You can specify an
|
|
optional, comma-separated list of domains to provide an allow-list of allowed
|
|
domains.
|
|
- **--allow-plugin** Allow loading plugins. Please note that --allow-plugin is
|
|
an unstable feature.
|
|
- **--allow-read=\<allow-read\>** Allow file system read access. You can specify
|
|
an optional, comma-separated list of directories or files to provide a
|
|
allow-list of allowed file system access.
|
|
- **--allow-run** Allow running subprocesses. Be aware that subprocesses are not
|
|
run in a sandbox and therefore do not have the same security restrictions as
|
|
the deno process. Therefore, use with caution.
|
|
- **--allow-write=\<allow-write\>** Allow file system write access. You can
|
|
specify an optional, comma-separated list of directories or files to provide a
|
|
allow-list of allowed file system access.
|
|
|
|
### Permissions allow-list
|
|
|
|
Deno also allows you to control the granularity of some permissions with
|
|
allow-lists.
|
|
|
|
This example restricts file system access by allow-listing only the `/usr`
|
|
directory, however the execution fails as the process was attempting to access a
|
|
file in the `/etc` directory:
|
|
|
|
```shell
|
|
$ deno run --allow-read=/usr https://deno.land/std@$STD_VERSION/examples/cat.ts /etc/passwd
|
|
error: Uncaught PermissionDenied: read access to "/etc/passwd", run again with the --allow-read flag
|
|
► $deno$/dispatch_json.ts:40:11
|
|
at DenoError ($deno$/errors.ts:20:5)
|
|
...
|
|
```
|
|
|
|
Try it out again with the correct permissions by allow-listing `/etc` instead:
|
|
|
|
```shell
|
|
deno run --allow-read=/etc https://deno.land/std@$STD_VERSION/examples/cat.ts /etc/passwd
|
|
```
|
|
|
|
`--allow-write` works the same as `--allow-read`.
|
|
|
|
### Network access:
|
|
|
|
_fetch.ts_:
|
|
|
|
```ts
|
|
const result = await fetch("https://deno.land/");
|
|
```
|
|
|
|
This is an example of how to allow-list hosts/urls:
|
|
|
|
```shell
|
|
deno run --allow-net=github.com,deno.land fetch.ts
|
|
```
|
|
|
|
If `fetch.ts` tries to establish network connections to any other domain, the
|
|
process will fail.
|
|
|
|
Allow net calls to any host/url:
|
|
|
|
```shell
|
|
deno run --allow-net fetch.ts
|
|
```
|
|
|
|
### Conference
|
|
|
|
Ryan Dahl. (September 25, 2020).
|
|
[The Deno security model](https://www.youtube.com/watch?v=r5F6dekUmdE#t=34m57).
|
|
Speakeasy JS.
|