Add a Security Model doc #894
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
lucacasonato
commented
Sep 25, 2024
lucacasonato
commented
- Add a Security Model doc
bartlomieju
reviewed
Sep 25, 2024
| --- | ||
|
|
||
| This document outlines the security model of the Deno runtime. Deno is designed | ||
| to be secure by default runtime, however to write secure applications it is |
There was a problem hiding this comment.
Suggested change
| to be secure by default runtime, however to write secure applications it is | |
| to be secure-by-default runtime, however to write secure applications it is |
does this make sense? I read this sentence three 🤣
bartlomieju
reviewed
Sep 25, 2024
| - **Multiple invocations of the same application can share data**: Deno provides | ||
| a mechanism for multiple invocations of the same application to share data, | ||
| through built in caching and KV storage APIs. Different applications can not | ||
| see each other's data. |
There was a problem hiding this comment.
Should we mention here that it's still possible with correct combination of flags to see this data?
bartlomieju
reviewed
Sep 25, 2024
| code executing on the same thread shares the same privilege level. It is not | ||
| possible for different modules to have different privilege levels within the | ||
| same thread. | ||
| - **Code can not escalate it's privileges without user consent**: Code executing |
There was a problem hiding this comment.
Suggested change
| - **Code can not escalate it's privileges without user consent**: Code executing | |
| - **Code can not escalate its privileges without user consent**: Code executing |
bartlomieju
reviewed
Sep 25, 2024
| possible for different modules to have different privilege levels within the | ||
| same thread. | ||
| - **Code can not escalate it's privileges without user consent**: Code executing | ||
| in a Deno runtime can not escalate it's privileges without the user agreeing |
There was a problem hiding this comment.
Suggested change
| in a Deno runtime can not escalate it's privileges without the user agreeing | |
| in a Deno runtime can not escalate its privileges without the user agreeing |
bartlomieju
reviewed
Sep 25, 2024
| same thread. | ||
| - **Code can not escalate it's privileges without user consent**: Code executing | ||
| in a Deno runtime can not escalate it's privileges without the user agreeing | ||
| explicitly to an escalation. |
There was a problem hiding this comment.
Suggested change
| explicitly to an escalation. | |
| explicitly to an escalation via interactive prompt or a flag. |
bartlomieju
reviewed
Sep 25, 2024
| - **Code can not escalate it's privileges without user consent**: Code executing | ||
| in a Deno runtime can not escalate it's privileges without the user agreeing | ||
| explicitly to an escalation. | ||
| - **The initial static module graph can import local files without |
bartlomieju
reviewed
Sep 25, 2024
Comment on lines
+49
to
+51
| To enable these operations, the user must explicitly grant permission to the | ||
| Deno runtime. This is done by passing the `--allow-read`, `--allow-write`, | ||
| `--allow-net`, `--allow-env`, and `--allow-run` flags to the `deno` command. |
There was a problem hiding this comment.
I was about to suggest you link to https://docs.deno.com/runtime/fundamentals/security/ but I believe we should roll this document into that already existing document?
bartlomieju
reviewed
Sep 25, 2024
| `deno info <entrypoint>`. | ||
| - Files that are dynamically imported in a way that can not be statically | ||
| analyzed require runtime read permissions. | ||
| - Files inside of a `node_modules/` directory are allowed to be read by default. |
There was a problem hiding this comment.
But not if used with require(), let's mention this here
bartlomieju
reviewed
Sep 25, 2024
|
|
||
| Deno also sends requests to `https://dl.deno.land/` at most once a day to check | ||
| for updates to the Deno CLI. This can be disabled using | ||
| `DENO_NO_UPDATE_CHECK=1`. |
There was a problem hiding this comment.
Suggested change
| `DENO_NO_UPDATE_CHECK=1`. | |
| `DENO_NO_UPDATE_CHECK=1` environmental variable. |
bartlomieju
reviewed
Sep 25, 2024
| includes reading environment variables, and setting new values. | ||
|
|
||
| Deno reads certain environment variables on startup, such as `DENO_DIR` and | ||
| `NO_COLOR` (see `deno help` for the full list). |
There was a problem hiding this comment.
Let's link to https://docs.deno.com/runtime/reference/cli/env_variables/ instead
bartlomieju
reviewed
Sep 25, 2024
|
|
||
| Code executing inside of a Deno runtime can not spawn subprocesses by default, | ||
| as this would constitute a violation of the principle that code can not escalate | ||
| it's privileges without user consent. |
There was a problem hiding this comment.
Suggested change
| it's privileges without user consent. | |
| its privileges without user consent. |
littledivy
reviewed
Sep 27, 2024
Comment on lines
+146
to
+157
| ### FFI | ||
|
|
||
| Deno provides a mechanism for executing code written in other languages, such as | ||
| Rust, C, or C++, from within a Deno runtime. This is done using the | ||
| `Deno.dlopen` API, which can load shared libraries and call functions from them. | ||
|
|
||
| By default, executing code can not use the `Deno.dlopen` API, as this would | ||
| constitute a violation of the principle that code can not escalate it's | ||
| privileges without user consent. | ||
|
|
||
| In addition to `Deno.dlopen`, FFI can also be used via Node-API (NAPI) native | ||
| addons. These are also not allowed by default. |
There was a problem hiding this comment.
I think this should include "how to allow them" via the flag. Slightly worried that search engine summarization will assume that it's just not allowed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.