Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(permission): Address permissions issue for UNC paths on Windows #25132

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

fix(permission): Address permissions issue for UNC paths on Windows #25132

wants to merge 9 commits into from

Conversation

yazan-abdalrahman
Copy link
Contributor

fix #24703

@yazan-abdalrahman
Copy link
Contributor Author

@dsherret please can review this change?

@yazan-abdalrahman yazan-abdalrahman changed the title Fix: Address permissions issue for UNC paths on Windows fix(permission): Address permissions issue for UNC paths on Windows Aug 21, 2024
@yazan-abdalrahman
Copy link
Contributor Author

@dsherret @bartlomieju
Hello, could you help verify why it failed? It works on my local.
image

deno.runtime_permissions_lib.rs.2024-08-21.17-24-59.mp4

And when I ran the script, it didn't set failed to true, therefore it didn't output "One or more tests failed" and it didn't return 321.

deno.special_main.js.2024-08-21.17-27-31.mp4

dsherret
dsherret reviewed Aug 21, 2024
View reviewed changes
runtime/permissions/lib.rs
// Check if the path is a UNC path (e.g., \\Server\Share\Folder)
// UNC paths typically contain "\\" at the start or somewhere in the middle
if s.windows(2).any(|window| window == b"\\\\") {
return true;
Copy link
Member

@dsherret dsherret Aug 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be a security issue. I think there's a reason why this isn't allowed without -A, but I can't remember at the moment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dsherret this #23208 prevent some paths if they don't have all permissions, so we need to exclude UNC paths from that pattern with this code or close issue it if it's for security reasons.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dsherret this #23208 prevent some paths if they don't have all permissions, so we need to exclude UNC paths from that pattern with this code or close issue it if it's for security reasons.

Regarding #23208. I realize it's not a security problem, thus can accept this change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mmastrac Please check this change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dsherret @mmastrac
Can we accept it, or should we close the issue and consider it unsolvable?

Copy link
Member

@dsherret dsherret Aug 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked into this a bit and I think it's more complicated than it seems. Here's some points from an old internal document:

  • If users are using \\.\ paths to access things like named pipes, raw devices, those should trigger --allow-sys .
  • Network resources should perform DNS lookup in permission checks, and the fully-resolved permission check object should include the the IP address. When we make the outgoing network requests, we must use the resolved IP.

That said, I'm not sure about what the right solution is here. At the moment, this just requires --allow-all permissions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked into this a bit and I think it's more complicated than it seems. Here's some points from an old internal document:

  • If users are using \\.\ paths to access things like named pipes, raw devices, those should trigger --allow-sys .
  • Network resources should perform DNS lookup in permission checks, and the fully-resolved permission check object should include the the IP address. When we make the outgoing network requests, we must use the resolved IP.

That said, I'm not sure about what the right solution is here. At the moment, this just requires --allow-all permissions.

but I assume if it requires extra permission, it will prompt to ask it to grant the permission, thus actually at this moment it grants all the permission needed, no need to verify all permissions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be a security issue. I think there's a reason why this isn't allowed without -A, but I can't remember at the moment.

This might be a security issue. I think there's a reason why this isn't allowed without -A, but I can't remember at the moment.

@dsherret
What about this? I don't think it's a security issue, but why do sheared files require all permissions? Just some permissions like read, write, and net? and why it didn't prompt to give it all permission?

@yazan-abdalrahman yazan-abdalrahman mentioned this pull request Aug 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dsherret dsherret Awaiting requested review from dsherret

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@yazan-abdalrahman @dsherret