authorDavid Sherret <dsherret@users.noreply.github.com>2024-09-17 00:08:02 +0100
committerGitHub <noreply@github.com>2024-09-16 23:08:02 +0000
commitb0525edd6fb2fa414407ec73c981051d692d1c26 (patch)
tree0e21ef4b2667f6882d6c52f24d27cc26d3696403 /cli/args/mod.rs
parentf7ddea3af7a9f4dfef23aa544f05348dabbad20d (diff)
feat: warn when using `--allow-run` with no allow list (#25215)
Diffstat (limited to 'cli/args/mod.rs')
-rw-r--r--cli/args/mod.rs23
1 files changed, 23 insertions, 0 deletions
diff --git a/cli/args/mod.rs b/cli/args/mod.rs
index 0e4004a53..db8cf149e 100644
--- a/cli/args/mod.rs
+++ b/cli/args/mod.rs
@@ -809,6 +809,8 @@ impl CliOptions {
}
}
+ warn_insecure_allow_run_flags(&flags);
+
let maybe_lockfile = maybe_lockfile.filter(|_| !force_global_cache);
let deno_dir_provider =
Arc::new(DenoDirProvider::new(flags.cache_path.clone()));
@@ -1688,6 +1690,27 @@ impl CliOptions {
}
}
+/// Warns for specific uses of `--allow-run`. This function is not
+/// intended to catch every single possible insecure use of `--allow-run`,
+/// but is just an attempt to discourage some common pitfalls.
+fn warn_insecure_allow_run_flags(flags: &Flags) {
+ let permissions = &flags.permissions;
+ if permissions.allow_all {
+ return;
+ }
+ let Some(allow_run_list) = permissions.allow_run.as_ref() else {
+ return;
+ };
+
+ // discourage using --allow-run without an allow list
+ if allow_run_list.is_empty() {
+ log::warn!(
+ "{} --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)",
+ colors::yellow("Warning")
+ );
+ }
+}
+
/// Resolves the path to use for a local node_modules folder.
fn resolve_node_modules_folder(
cwd: &Path,
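Review bot: The doc comment on `warn_insecure_allow_run_flags` (L31-L33) should state precisely which case is reported, because the function name promises more than the body checks: it warns only when `allow_run` is `Some` with an empty list, and returns silently both for `allow_all` and for any non-empty list. Suggested wording after the existing sentences: `/// Currently only the case of --allow-run given with no allow list is reported; --allow-all and non-empty allow lists are not inspected.` The body reads nothing but `flags.permissions`, so taking a reference to that permissions struct instead of the whole `Flags` would let the check be unit-tested without building a full `Flags`; no test accompanies the change in this file, though the diffstat is limited to `cli/args/mod.rs` so one may live elsewhere. Whether the warning can be suppressed by log level or a quiet flag depends on logger configuration outside this hunk.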