foster/denoland-deno
0
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-10-31 09:14:20 -04:00
Code Issues Wiki Activity
denoland-deno/docs/getting_started/permissions.md
Chris Knight 9090023c33
docs: "Getting started" manual updates (#5835)
2020-05-26 13:12:07 +02:00

2.9 KiB
Raw Blame History

Permissions

Deno is secure by default. Therefore, unless you specifically enable it, a deno module has no file, network, or environment access for example. Access to security sensitive areas or functions requires the use of permissions to be granted to a deno process on the command line.

For the following example, mod.ts has been granted read-only access to the file system. It cannot write to it, or perform any other security sensitive functions.

deno run --allow-read mod.ts

Permissions list

The following permissions are available:

  • -A, --allow-all Allow all permissions. This disables all security.
  • --allow-env Allow environment access for things like getting and setting of environment variables.
  • --allow-hrtime Allow high resolution time measurement. High resolution time can be used in timing attacks and fingerprinting.
  • --allow-net=<allow-net> Allow network access. You can specify an optional, comma separated list of domains to provide a whitelist of allowed domains.
  • --allow-plugin Allow loading plugins. Please note that --allow-plugin is an unstable feature.
  • --allow-read=<allow-read> Allow file system read access. You can specify an optional, comma separated list of directories or files to provide a whitelist of allowed file system access.
  • --allow-run Allow running subprocesses. Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the deno process. Therefore, use with caution.
  • --allow-write=<allow-write> Allow file system write access. You can specify an optional, comma separated list of directories or files to provide a whitelist of allowed file system access.

Permissions whitelist

Deno also allows you to control the granularity of some permissions with whitelists.

This example restricts file system access by whitelisting only the /usr directory, however the execution fails as the process was attempting to access a file in the /etc directory:

$ deno run --allow-read=/usr https://deno.land/std/examples/cat.ts /etc/passwd
error: Uncaught PermissionDenied: read access to "/etc/passwd", run again with the --allow-read flag
► $deno$/dispatch_json.ts:40:11
    at DenoError ($deno$/errors.ts:20:5)
    ...

Try it out again with the correct permissions by whitelisting /etc instead:

$ deno run --allow-read=/etc https://deno.land/std/examples/cat.ts /etc/passwd

--allow-write works the same as --allow-read.

Network access:

fetch.ts:

const result = await fetch("https://deno.land/");

This is an example on how to whitelist hosts/urls:

$ deno run --allow-net=github.com,deno.land fetch.ts

If fetch.ts tries to establish network connections to any other domain, the process will fail.

Allow net calls to any host/url:

$ deno run --allow-net fetch.ts