On explicit permissions for file, network, and environment access

[dc0d]

Are there any exceptions to this requirement?

Deno requires explicit permissions for file, network, and environment access.

I hope this is a super explicit rule/requirement, regardless of the underlying used PL (TypeScript or JavaScript), which always stands true.

[wperron]

Are there any exceptions to this requirement?

Yes; currently the plugin interface can bypass the permissions interface, that's because plugins are completely opaque to the runtime, there's no way check what kind of operations they might be doing ahead of time, or at runtime. Similarly using --allow-run can potentially lead to vulnerabilities because the child process isn't bound to the sandbox permissions of the parent process, for the same reasons.

The permissions passed to Deno are used by the underlying "ops" interface which allows the V8 sandbox to reach out into the privileged Rust side to access resources such as the filesystem or the network. As such, anything that doesn't go through this ops interface isn't subject to the permissions flags passed in the command line.

As for the programing language used, it really makes no difference; TypeScript gets compiled to JavaScript under the hood anyway. It's really just about the interaction between the V8 sandbox and the privileged Rust process.

---

Just a quick note about WASM/WASI: since WASI supports syscall, it's also possible to bypass the permissions using it, for the same reasons as the plugins described above. WASM is a little more complicated; it will depend a lot on what language/framework you are compiling from and what it allows - proceed at your own risk there.

[dc0d]

@wperron Thank you for your detailed answer!

The reason for asking this question: evaluating the possibility of allowing a user to write arbitrary logic in a Turing complete language, safely (TypeScript/JavaScript or whatever transpiles to JavaScript) - other concerns (memory, timeout) are not being addressed at this stage.

The plug-ins are rust plug-ins and should be enabled explicitly. Is that right?

I am not super familiar with WASM. But I guess there should be ways to restrict that too.

This (running arbitrary code in a safe, sandboxed way) can be a very nice niche domain for deno.