Proposal: Deno super strict mode #18576
Replies: 1 comment
-
|
I've come up with a workaround that does not require any change to Deno itself. When you use a flag without an allow list and you query the permission in Deno, it will show up as type PermissionNames =
| "env"
| "run"
| "net"
| "write"
| "read"
| "sys"
| "ffi"
| "hrtime"; // Does not take a list but High-resolution time can be used in timing attacks and fingerprinting
const permissions: PermissionNames[] = [
"env",
"run",
"net",
"write",
"read",
"sys",
"ffi",
"hrtime", // remove only if you truly need precision timing (checking performance/benchmarking)
];
const granted = [];
for (const permission of permissions) {
const { state } = await Deno.permissions.query({ name: permission });
// if you use a flag without an allow-list, state will show as 'granted'
// but if you do use an allow-list, state will show as 'prompt'
if (state === "granted") {
granted.push(permission);
}
}
if (granted.length > 0) {
// hrtime does not use a list so giving it its own separate message
let hrtimeMsg = "";
const hrtime = granted.indexOf("hrtime");
if (hrtime >= 0) {
hrtimeMsg = `\nRestricted use of 'hrtime'. Please remove --allow-hrtime`;
granted.splice(hrtime, 1);
}
const formatted = granted.map((p) => `\t--allow-${p}`).join('\n');
const errorMessage = `ERROR: No opened ended permissions allowed.
You must use an allow list for the following permissions:
${formatted}
${hrtimeMsg}
`;
console.error(errorMessage);
Deno.exit(1);
}edit: edit 2: So if you use |
Beta Was this translation helpful? Give feedback.
-
Deno's permission system is great but I was wondering if there was a way to take things a step further by requiring any permissions flag that accepts a comma separated allow-list to only work if it has that list, and also blocking the use of the
--allow-all. It could be a new flag called--strictor an option in thedeno.jsonconfig file.If I was on a team of many devs of varying degrees of experience, I'd like to be able to lock things down as much as I can.
Say our project already runs with the following flags because the nature of the project requires it.
{ "tasks": { "dev": "deno run --allow-read --allow-write --allow-net --alow-run" } }Without being able to enforce an allow-list for each of those flags, an inexperienced team member could add a new third-party import that can download a malicious payload and execute it on the system without knowing it because all of the flags that allow it are there.
But if we had something like this:
{ "tasks": { "dev": "deno run --strict --allow-read=./tmp --allow-write=./tmp --allow-net=some-api.com --allow-run=./scripts/my-subprocess.ts" } }When adding a new third-party module that is trying to do something malicious that dev will either notice that a new permission is being requested and take a step back to analyze why, or even if they naively don't question it and add the new domain to the allow-list (this is just an example so roll with it), this should get caught in a PR review.
Sure, you can do this now by setting up a good process where everyone on the team remembers to never use the open-ended version of the permissions but that requires people to pay attention and we all know some times things get really busy and some people just don't have time for in-depth reviewing, things can slip by.
The other option is to move this enforcement into a CI step where it checks the deno.json task list and looks for any changes there and make sure that all flags that can use allow-list actually have a list (I might end up writing something like that soon)
Beta Was this translation helpful? Give feedback.
All reactions