Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: warn when using --allow-run with no allow list #25215

Merged
merged 18 commits into from
Sep 16, 2024

Conversation

dsherret
Copy link
Member

@dsherret dsherret commented Aug 26, 2024

--allow-run without an allow list is security theatre. Any script could just launch Deno.execPath() with full permissions or do something like deno eval '<something malicious goes here>'.

@@ -15,8 +15,10 @@
"output": "5\n"
},
{
"commandName": "mv",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No mv command on Windows (the Windows CI adds it, but it doesn't exist normally)

cli/args/mod.rs Outdated Show resolved Hide resolved
@sepehrst
Copy link

I believe that to effectively serve their purpose and avoid becoming footguns, these warnings should be accompanied by a mechanism to suppress them, simillar to --suppress-insecure-allow-warnings, --unsafe-allow-permissions, or simply --unsafe
There are legitimate use cases, particularly with CLI applications, where avoiding potentially unsafe --allow- combinations is not feasible or desirable. Without a suppression mechanism, users may resort to --allow-all, which could lead to even more security risks.

@dsherret
Copy link
Member Author

dsherret commented Aug 27, 2024

I believe that to effectively serve their purpose and avoid becoming footguns, these warnings should be accompanied by a mechanism to suppress them ... Without a suppression mechanism, users may resort to --allow-all, which could lead to even more security risks.

I don't agree. These warnings are for what is essentially --allow-all behaviour since scripts can easily bypass them. I would propose hard erroring if it wasn't such a disruptive change.

dsherret added a commit that referenced this pull request Aug 28, 2024
@bartlomieju bartlomieju added this to the 2.0.0 milestone Sep 3, 2024
@dsherret dsherret enabled auto-merge (squash) September 4, 2024 16:03
// discourage using --allow-run without an allow list
if allow_run_list.is_empty() {
log::warn!(
"{} --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"{} --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)",
"{} --allow-run without an allow list is susceptible to exploits. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)",

@dsherret dsherret merged commit b0525ed into denoland:main Sep 16, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants