
Permissionless static relative imports are dangerous

In the current version of Deno (0.24) it is possible to import a module from outside the directory of the running script:

import * as secrets from "../../../elsewhere/config.json";

My understanding is that this is justified because a malicious script cannot know where it is going to be run and therefore an attempt to load a relative path as above will almost always result in Deno exiting with an error.

Although it's true that in some uses of Deno a malicious script author cannot know where a JSON file with secrets might be located relative to where it is run, there is one situation where this can be known: if Deno is used as the sandbox subsystem of a larger system, then Deno will always be called in the same way (predictable cwd and path to potential secrets).

Imagine for example an application platform that uses Deno as its sandbox. It has the following data directory:

- data-dir
 | - config.json   // includes api keys and other secrets
 | - more stuff.../
 | - untrusted-app-code/
   | - malicious-app/

The application platform would probably call Deno with very limited permissions, and it certainly will not provide an allow-read permission that includes config.json.

However, the malicious app will not need that. If it's designed to run on the platform it can read config.json like this:

import * as platform_config from '../../config.json';

I believe Deno should disallow relative static imports outside of the main script's directory unless --allow-read allows it.

Thanks,

✌️

denoland/deno

Answer from ry

Yes it's a good point. If we are to take security seriously we can't allow reading random JSON...
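
The check proposed in the issue above can be sketched as follows. This is an added example, not code from Deno or from either poster; the function names, the `allowRead` parameter (a stand-in for `--allow-read`) and the `file:///srv/...` layout are assumptions constructed to mirror the data directory in the issue.

```javascript
// Added example; names are hypothetical and are not Deno APIs.
// Decides whether a static import may load without extra read permission.

// Normalize a directory URL so prefix checks cannot match sibling names
// (".../malicious-app/" must not match ".../malicious-app-evil/").
function toDirHref(url) {
  const href = new URL(url).href;
  return href.endsWith("/") ? href : href + "/";
}

// mainScript, importer: absolute file: URLs. specifier: the import string.
// allowRead: directory URLs the embedder granted read access to.
function checkStaticImport(mainScript, importer, specifier, allowRead = []) {
  // URL resolution collapses "../" segments, so the comparison is made on
  // the resolved target, not on the raw specifier text.
  const resolved = new URL(specifier, importer);
  if (resolved.protocol !== "file:") {
    // Assumption: non-local specifiers are governed by a separate policy.
    return { allowed: true, resolved: resolved.href, reason: "not-local" };
  }
  const root = new URL(".", mainScript).href; // main script's directory
  if (resolved.href.startsWith(root)) {
    return { allowed: true, resolved: resolved.href, reason: "inside-root" };
  }
  const granted = allowRead
    .map(toDirHref)
    .some((dir) => resolved.href.startsWith(dir));
  return {
    allowed: granted,
    resolved: resolved.href,
    reason: granted ? "allow-read" : "outside-root",
  };
}

// Constructed layout mirroring the data directory described in the issue.
const MAIN = "file:///srv/data-dir/untrusted-app-code/malicious-app/main.ts";
const demo = [
  checkStaticImport(MAIN, MAIN, "./lib/util.ts"),
  checkStaticImport(MAIN, MAIN, "../../config.json"),
  checkStaticImport(MAIN, MAIN, "../../config.json", ["file:///srv/data-dir"]),
];
for (const r of demo) console.log(r.reason, r.resolved);
```

The comparison is purely lexical: a symlink inside the script directory that points outside it would pass, so an enforcing implementation would also need to canonicalize the path on disk before comparing.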
