Add a Security Model doc #894
lucacasonato commented on Sep 25, 2024
- Add a Security Model doc
--- | ||
|
||
This document outlines the security model of the Deno runtime. Deno is designed | ||
to be secure by default runtime, however to write secure applications it is |
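Review bot: the opening sentence drops an article and runs two clauses together with "however"; "designed to be secure by default runtime, however to write secure applications it is" should read "designed to be a secure-by-default runtime. Writing a secure application on top of it still requires" followed by whatever the sentence goes on to say, so the default-vs-application distinction is made in two clean sentences.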
to be secure by default runtime, however to write secure applications it is | |
to be secure-by-default runtime, however to write secure applications it is |
does this make sense? I read this sentence three 🤣
- **Multiple invocations of the same application can share data**: Deno provides | ||
a mechanism for multiple invocations of the same application to share data, | ||
through built in caching and KV storage APIs. Different applications can not | ||
see each other's data. |
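Review bot: "Different applications can not see each other's data" overstates the guarantee. The cache and KV data this bullet describes are ordinary files on the local filesystem, so any program the user runs with read or write access to that location, including another Deno application granted the right flags, can read or modify them. Suggest stating it as a default-behaviour property rather than an isolation boundary, e.g. "Deno does not expose one application's cached or KV data to another through these APIs; on disk the data is protected only by the permissions the user grants."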
Should we mention here that it's still possible, with the correct combination of flags, to see this data?
code executing on the same thread shares the same privilege level. It is not | ||
possible for different modules to have different privilege levels within the | ||
same thread. | ||
- **Code can not escalate it's privileges without user consent**: Code executing |
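Review bot: "It is not possible for different modules to have different privilege levels within the same thread" implies that privilege can differ between threads, but nothing here says how a lower-privilege thread comes to exist or what bounds it. Suggest one sentence naming the mechanism and stating that such a context can only hold a subset of its parent's permissions; without that constraint the escalation principle in the next bullet would not hold.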
- **Code can not escalate it's privileges without user consent**: Code executing | |
- **Code can not escalate its privileges without user consent**: Code executing |
possible for different modules to have different privilege levels within the | ||
same thread. | ||
- **Code can not escalate it's privileges without user consent**: Code executing | ||
in a Deno runtime can not escalate it's privileges without the user agreeing |
in a Deno runtime can not escalate it's privileges without the user agreeing | |
in a Deno runtime can not escalate its privileges without the user agreeing |
same thread. | ||
- **Code can not escalate it's privileges without user consent**: Code executing | ||
in a Deno runtime can not escalate it's privileges without the user agreeing | ||
explicitly to an escalation. |
explicitly to an escalation. | |
explicitly to an escalation via interactive prompt or a flag. |
- **Code can not escalate it's privileges without user consent**: Code executing | ||
in a Deno runtime can not escalate it's privileges without the user agreeing | ||
explicitly to an escalation. | ||
- **The initial static module graph can import local files without |
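Review bot: the bullet starting "The initial static module graph can import local files without" is a carve-out from the "no escalation without consent" principle stated just above it and should be presented as one. Suggest saying explicitly that the exemption is bounded to the graph the runtime resolves before execution (the set `deno info <entrypoint>` reports, per the later bullets) and that anything outside that set, including dynamically computed imports, goes back through the normal read-permission check.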
What about remote modules?
To enable these operations, the user must explicitly grant permission to the | ||
Deno runtime. This is done by passing the `--allow-read`, `--allow-write`, | ||
`--allow-net`, `--allow-env`, and `--allow-run` flags to the `deno` command. |
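Review bot: the flag list reads as exhaustive but omits `--allow-ffi`, which the FFI section of this same document relies on to gate `Deno.dlopen` and Node-API addons; add it here (and a pointer to the full flag list) so a reader does not conclude that the five flags named are the whole permission surface.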
I was about to suggest you link to https://docs.deno.com/runtime/fundamentals/security/ but I believe we should roll this document into that already existing document?
seconded
`deno info <entrypoint>`. | ||
- Files that are dynamically imported in a way that can not be statically | ||
analyzed require runtime read permissions. | ||
- Files inside of a `node_modules/` directory are allowed to be read by default. |
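Review bot: "in a way that can not be statically analyzed" needs a concrete criterion for readers deciding whether their code will prompt at runtime; suggest stating that a specifier the resolver can evaluate when building the graph (a string literal) is pre-authorized, whereas an `import()` whose specifier is computed at runtime falls back to the ordinary read-permission check, and that the `deno info <entrypoint>` output above is the authoritative list of what was pre-authorized.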
But not if used with `require()`, let's mention this here
|
||
Deno also sends requests to `https://dl.deno.land/` at most once a day to check | ||
for updates to the Deno CLI. This can be disabled using | ||
`DENO_NO_UPDATE_CHECK=1`. |
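Review bot: this paragraph should say explicitly that the update check is made by the CLI itself and is therefore not subject to the `--allow-net` grant given to the script (which is why a separate environment-variable opt-out exists rather than a flag), and should state what the request to `https://dl.deno.land/` contains, since the only detail given is the host.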
`DENO_NO_UPDATE_CHECK=1`. | |
`DENO_NO_UPDATE_CHECK=1` environmental variable. |
includes reading environment variables, and setting new values. | ||
|
||
Deno reads certain environment variables on startup, such as `DENO_DIR` and | ||
`NO_COLOR` (see `deno help` for the full list). |
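Review bot: state that these variables are read by the CLI before any permission check applies, so they sit outside the `--allow-env` model described in the preceding paragraph, and note the security consequence: a variable such as `DENO_DIR` decides where cached modules are loaded from, so whoever controls the process environment controls runtime configuration regardless of what the script itself is allowed to read.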
Let's link to https://docs.deno.com/runtime/reference/cli/env_variables/ instead
|
||
Code executing inside of a Deno runtime can not spawn subprocesses by default, | ||
as this would constitute a violation of the principle that code can not escalate | ||
it's privileges without user consent. |
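Review bot: the reasoning step is missing. A spawned subprocess runs with the full operating-system privileges of the user running `deno` and none of Deno's permission checks apply to it, which is why spawning one is an escalation; say that outright, and name `--allow-run` (listed earlier in the flag list) as the grant that enables it.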
it's privileges without user consent. | |
its privileges without user consent. |
### FFI | ||
|
||
Deno provides a mechanism for executing code written in other languages, such as | ||
Rust, C, or C++, from within a Deno runtime. This is done using the | ||
`Deno.dlopen` API, which can load shared libraries and call functions from them. | ||
|
||
By default, executing code can not use the `Deno.dlopen` API, as this would | ||
constitute a violation of the principle that code can not escalate it's | ||
privileges without user consent. | ||
|
||
In addition to `Deno.dlopen`, FFI can also be used via Node-API (NAPI) native | ||
addons. These are also not allowed by default. |
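Review bot: the section says `Deno.dlopen` and Node-API addons are gated but never names the grant; add that `--allow-ffi` enables both, and state the consequence that a loaded native library runs in-process with the full privileges of the `deno` process and is not subject to any further permission checks, so granting it is equivalent to granting everything. Also "escalate it's privileges" in the `Deno.dlopen` paragraph should be "its".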
I think this should include "how to allow them" via the flag. Slightly worried that search engine summarization will assume that it's just not allowed