Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cli): harden permission stdio check #21778

Merged
merged 5 commits into from
Jan 3, 2024
Merged

fix(cli): harden permission stdio check #21778

merged 5 commits into from
Jan 3, 2024
+179 −117

Conversation

mmastrac
Copy link
Contributor

@mmastrac mmastrac commented Jan 3, 2024

Harden the code that does permission checks to protect against re-opening of stdin.

Code that runs FFI is vulnerable to an attack where fd 0 is closed during a permission check and re-opened with a file that contains a positive response (ie: y or A). While FFI code is dangerous in general, we can make it more difficult for FFI-enabled code to bypass additional permission checks.

  • Checks to see if the underlying file for stdin has changed from the start to the end of the permission check (detects races)
  • Checks to see if the message is excessively long (lowering the window for races)
  • Checks to see if stdin and stderr are still terminals at the end of the function (making races more difficult)

@mmastrac mmastrac changed the title security(cli): harden permission stdio check fix(cli): harden permission stdio check Jan 3, 2024
@mmastrac mmastrac requested a review from bartlomieju January 3, 2024 21:50
@mmastrac mmastrac enabled auto-merge (squash) January 3, 2024 22:51
bartlomieju
bartlomieju approved these changes Jan 3, 2024
View reviewed changes
cli/tests/integration/run_tests.rs
Comment on lines +717 to +719
"❌ Permission prompt length (100017 bytes) was larger than the configured maximum length (10240 bytes): denying request.\r\n",
"❌ WARNING: This may indicate that code is trying to bypass or hide permission check requests.\r\n",
"❌ Run again with --allow-read to bypass this check if this is really what you want to do.\r\n",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very cool 👍

@mmastrac mmastrac merged commit 00970da into denoland:main Jan 3, 2024
bartlomieju pushed a commit that referenced this pull request Jan 4, 2024
@mmastrac @bartlomieju
fix(cli): harden permission stdio check (#21778)
5d7ebea 
Harden the code that does permission checks to protect against
re-opening of stdin.

Code that runs FFI is vulnerable to an attack where fd 0 is closed
during a permission check and re-opened with a file that contains a
positive response (ie: `y` or `A`). While FFI code is dangerous in
general, we can make it more difficult for FFI-enabled code to bypass
additional permission checks.

- Checks to see if the underlying file for stdin has changed from the
start to the end of the permission check (detects races)
- Checks to see if the message is excessively long (lowering the window
for races)
- Checks to see if stdin and stderr are still terminals at the end of
the function (making races more difficult)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bartlomieju bartlomieju bartlomieju approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mmastrac @bartlomieju