Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require read permission to perform Deno.bundle() #4411

Closed
cknight opened this issue Mar 17, 2020 · 3 comments
Closed

Require read permission to perform Deno.bundle() #4411

cknight opened this issue Mar 17, 2020 · 3 comments
Labels
bug Something isn't working correctly permissions related to --allow-* flags

Comments

@cknight
Copy link
Contributor

cknight commented Mar 17, 2020
edited
Loading

Deno.bundle() takes in as argument a file name as a string. If the file is of a supported media type (currently javascript, JSX, Typescript, TSX, Json or Wasm), it will bundle that file up and return the output to the calling module as a string of Javascript. No permissions are required. This effectively gives the calling module the ability to read the contents of any these media types located anywhere on the file system without requiring any permission.

Proof of concept

/some/other/dir/secrets.json

{"my_secret_API_key":"abcd1234"}

/deno/module/dir/bundle_poc.ts

const [ maybeDiagnostics, output ] = await Deno.bundle("/some/other/dir/secrets.json");
console.log(output);

when executed as:
deno bundle_poc.ts

The output (trimmed) is:

Compile file:///deno/module/dir/bundle_poc.ts
// Copyright 2018-2020 the Deno authors. All rights reserved. MIT license.

// This is a specialised implementation of a System module loader.

// @ts-nocheck
/* eslint-disable */

let System, __inst, __inst_s;

<...trimmed output...>

{ "my_secret_API_key": "abcd1234" }

__inst_s("secrets");

As demonstrated above, this method exposes the json data to the calling module. If Deno.bundle() can access any of these media types on the file system and allow the content to be accessed in the module, it should be required to run under the --allow-read permission.
@bartlomieju bartlomieju added bug Something isn't working correctly permissions related to --allow-* flags labels Mar 18, 2020
@kitsonk
Copy link
Contributor

kitsonk commented Mar 18, 2020

This isn't specific to Deno.bundle()... We currently allow importing of JSON without permissions full stop. Deno.bundle() uses the same infrastructure.

import secrets from "/some/other/dir/secrets.json";

console.log(secrets);

Ref #2768 where we discussed --allow-read for JSON modules briefly.
Ref #3401 talking about importing outside of the root.

PR #4404 fixes a defect where the JSON is simply inlined in the bundle, but it still gives access to anything you are allowed to import.

@bartlomieju
Copy link
Member

bartlomieju commented Jun 26, 2020
edited
Loading

I think this issue is no longer valid - any runtime API (import(), Deno.compile(), Deno.bundle(), Deno.transpileOnly()) does permission check before loading files. Additionally neither WASM nor JSON imports are supported anymore (past v1.0.0)

@cknight
Copy link
Contributor Author

cknight commented Jun 26, 2020

Thanks @bartlomieju, I agree. Closing.

@cknight cknight closed this as completed Jun 26, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working correctly permissions related to --allow-* flags
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cknight @kitsonk @bartlomieju