From 74fc66da110ec20d12751e7a0922cea300314399 Mon Sep 17 00:00:00 2001
From: David Sherret
Date: Wed, 4 Sep 2024 14:51:24 +0200
Subject: fix: lock down allow-run permissions more (#25370)

`--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
---
 tests/specs/run/ld_preload/__test__.jsonc | 6 ++----
 tests/specs/run/ld_preload/env_arg.out | 12 +++++++----
 tests/specs/run/ld_preload/env_arg.ts | 25 ++++++++++++++++++-----
 tests/specs/run/ld_preload/set_with_allow_env.out | 12 +++++++----
 tests/specs/run/ld_preload/set_with_allow_env.ts | 14 ++++++++++++-
 5 files changed, 51 insertions(+), 18 deletions(-)
(limited to 'tests/specs/run/ld_preload')
diff --git a/tests/specs/run/ld_preload/__test__.jsonc b/tests/specs/run/ld_preload/__test__.jsonc
index 767e423d0..882f157e9 100644
--- a/tests/specs/run/ld_preload/__test__.jsonc
+++ b/tests/specs/run/ld_preload/__test__.jsonc
@@ -7,13 +7,11 @@
 "tests": {
 "env_arg": {
 "args": "run --allow-run=echo env_arg.ts",
- "output": "env_arg.out",
- "exitCode": 1
+ "output": "env_arg.out"
 },
 "set_with_allow_env": {
 "args": "run --allow-run=echo --allow-env set_with_allow_env.ts",
- "output": "set_with_allow_env.out",
- "exitCode": 1
+ "output": "set_with_allow_env.out"
 }
 }
 }
diff --git a/tests/specs/run/ld_preload/env_arg.out b/tests/specs/run/ld_preload/env_arg.out
index fbf37014a..3df781a8e 100644
--- a/tests/specs/run/ld_preload/env_arg.out
+++ b/tests/specs/run/ld_preload/env_arg.out
@@ -1,4 +1,8 @@
-error: Uncaught (in promise) PermissionDenied: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
-}).spawn();
- ^
- at [WILDCARD]
+PermissionDenied: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
+ [WILDCARD]
+ name: "PermissionDenied"
+}
+PermissionDenied: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
+ [WILDCARD]
+ name: "PermissionDenied"
+}
diff --git a/tests/specs/run/ld_preload/env_arg.ts b/tests/specs/run/ld_preload/env_arg.ts
index 0b236619e..d7ca1073d 100644
--- a/tests/specs/run/ld_preload/env_arg.ts
+++ b/tests/specs/run/ld_preload/env_arg.ts
@@ -1,5 +1,20 @@
-const output = new Deno.Command("echo", {
- env: {
- "LD_PRELOAD": "./libpreload.so",
- },
-}).spawn();
+try {
+ new Deno.Command("echo", {
+ env: {
+ "LD_PRELOAD": "./libpreload.so",
+ },
+ }).spawn();
+} catch (err) {
+ console.log(err);
+}
+
+try {
+ Deno.run({
+ cmd: ["echo"],
+ env: {
+ "LD_PRELOAD": "./libpreload.so",
+ },
+ });
+} catch (err) {
+ console.log(err);
+}
diff --git a/tests/specs/run/ld_preload/set_with_allow_env.out b/tests/specs/run/ld_preload/set_with_allow_env.out
index 2e92763dd..60dba7cff 100644
--- a/tests/specs/run/ld_preload/set_with_allow_env.out
+++ b/tests/specs/run/ld_preload/set_with_allow_env.out
@@ -1,4 +1,8 @@
-error: Uncaught (in promise) PermissionDenied: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
-const output = new Deno.Command("echo").spawn();
- ^
- at [WILDCARD]
+PermissionDenied: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
+ [WILDCARD]
+ name: "PermissionDenied"
+}
+PermissionDenied: Requires --allow-all permissions to spawn subprocess with DYLD_FALLBACK_LIBRARY_PATH, LD_PRELOAD environment variables.
+ [WILDCARD]
+ name: "PermissionDenied"
+}
diff --git a/tests/specs/run/ld_preload/set_with_allow_env.ts b/tests/specs/run/ld_preload/set_with_allow_env.ts
index 9530f4478..79004aa16 100644
--- a/tests/specs/run/ld_preload/set_with_allow_env.ts
+++ b/tests/specs/run/ld_preload/set_with_allow_env.ts
@@ -1,3 +1,15 @@
 Deno.env.set("LD_PRELOAD", "./libpreload.so");
-const output = new Deno.Command("echo").spawn();
+try {
+ new Deno.Command("echo").spawn();
+} catch (err) {
+ console.log(err);
+}
+
+Deno.env.set("DYLD_FALLBACK_LIBRARY_PATH", "./libpreload.so");
+
+try {
+ Deno.run({ cmd: ["echo"] }).spawnSync();
+} catch (err) {
+ console.log(err);
+}
-- 
cgit v1.2.3
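Review bot: The trailing `.spawnSync()` in the second case of set_with_allow_env.ts is never reached and, as far as I can tell, is not a method of the process object `Deno.run()` returns, so the case reads as if it covered a synchronous spawn while it only exercises `Deno.run`. The expected output relies on `Deno.run({ cmd: ["echo"] })` throwing PermissionDenied first, and the catch block hides the stray call; if the permission check ever regressed, the subprocess would start and the logged error would be a TypeError from the missing method. I would reduce the line to `Deno.run({ cmd: ["echo"] });` and, if the synchronous path is meant to be guarded, add a separate try/catch block calling `new Deno.Command("echo").outputSync();` with a matching PermissionDenied entry in set_with_allow_env.out. env_arg.ts has the same coverage gap: neither of its cases passes the `env` option through `outputSync()`.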