author | Matt Mastracci <matthew@mastracci.com> | 2024-01-03 16:31:39 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-04 00:31:39 +0100 |
commit | 00970daea2245bf4af6b3ee21d0e522fec5638b8 (patch) | |
tree | 1c21ab0a4a25124349262d3c97ab1fdce5344521 /cli | |
parent | 7f1c41d245026fe5929f6fb7f60d48cc52d81f2f (diff) |
fix(cli): harden permission stdio check (#21778)
Harden the code that does permission checks to protect against
re-opening of stdin.
Code that runs FFI is vulnerable to an attack where fd 0 is closed
during a permission check and re-opened with a file that contains a
positive response (i.e. `y` or `A`). While FFI code is dangerous in
general, we can make it more difficult for FFI-enabled code to bypass
additional permission checks.
- Checks to see if the underlying file for stdin has changed from the
start to the end of the permission check (detects races)
- Checks to see if the message is excessively long (lowering the window
for races)
- Checks to see if stdin and stderr are still terminals at the end of
the function (making races more difficult)
Diffstat (limited to 'cli')
-rw-r--r-- | cli/tests/integration/run_tests.rs | 14 | ||||
-rw-r--r-- | cli/tests/testdata/run/permission_request_long.ts | 1 |
2 files changed, 15 insertions, 0 deletions
diff --git a/cli/tests/integration/run_tests.rs b/cli/tests/integration/run_tests.rs
index 43bc212c6..36eee1100 100644
--- a/cli/tests/integration/run_tests.rs
+++ b/cli/tests/integration/run_tests.rs
@@ -707,6 +707,20 @@ fn permissions_prompt_allow_all_lowercase_a() {
 });
 }
 
+#[test]
+fn permission_request_long() {
+ TestContext::default()
+ .new_command()
+ .args_vec(["run", "--quiet", "run/permission_request_long.ts"])
+ .with_pty(|mut console| {
+ console.expect(concat!(
+ "❌ Permission prompt length (100017 bytes) was larger than the configured maximum length (10240 bytes): denying request.\r\n",
+ "❌ WARNING: This may indicate that code is trying to bypass or hide permission check requests.\r\n",
+ "❌ Run again with --allow-read to bypass this check if this is really what you want to do.\r\n",
+ ));
+ });
+}
+
 itest!(deny_all_permission_args {
 args: "run --deny-env --deny-read --deny-write --deny-ffi --deny-run --deny-sys --deny-net --deny-hrtime run/deny_all_permission_args.js",
 output: "run/deny_all_permission_args.out",
diff --git a/cli/tests/testdata/run/permission_request_long.ts b/cli/tests/testdata/run/permission_request_long.ts
new file mode 100644
index 000000000..05937e95a
--- /dev/null
+++ b/cli/tests/testdata/run/permission_request_long.ts
@@ -0,0 +1 @@
+Deno.open("a".repeat(1e5)); |
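Review bot: `permission_request_long` pins only the prompt-length guard, while the commit message lists two further hardening checks (stdin identity unchanged across the prompt, and stdin/stderr still being terminals at the end), and nothing in this `cli` diffstat exercises those; the runtime-side change that implements them is presumably in another part of the tree, so the coverage gap is worth recording rather than silently inferred. I would add a comment above the `#[test]` line: `// Covers only the max-prompt-length check from #21778; the stdin-identity and isatty re-checks are not exercised here.` The expected text also hard-codes `100017 bytes` and `10240 bytes`, which couples this test to the exact prompt wording and the default limit; a short comment such as `// 100017 = "a".repeat(1e5) path plus prompt framing; 10240 is the default maximum` would stop the next maintainer from treating a wording change as a regression. The whole test function lies inside the hunk.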