Insecure run command on Fresh homepage  #3838

Description

@Ionaru

The fresh homepage, and possibly the docs too, show a short and easy-to-run command to set up Fresh: deno run -Ar jsr:@fresh/init.

This command uses -A (--allow-all) and -r (--reload), making it download code from the internet and execute it with full user permissions.

Deno also provides a --allow-all flag that grants all permissions to the script. This disables the security sandbox entirely, and should be used with caution. The --allow-all has the same security properties as running a script in Node.js (ie none).
https://docs.deno.com/runtime/fundamentals/security/

This widens the blast radius of a supply-chain attack: with --allow-all, any transitive dependency of @fresh/init executes with full system permissions instead of being sandboxed.

The same effect can be achieved with

deno run --allow-net=jsr.io,usefresh.dev,fresh.deno.dev --allow-run=deno -RWr jsr:@fresh/init

The biggest concern I have with the above command is --allow-run=deno that still allows the package to run a deno command with any flag it wants. It is currently used for deno install, maybe the user can do that themselves?

You probably don't ever want to use --allow-run=deno unless the parent process has --allow-all, as being able to spawn a deno process means the script can spawn another deno process with full permissions.
https://docs.deno.com/runtime/fundamentals/security/#subprocesses

The -RW flags allow reading & writing. Possibly too permissive as well, but added for convenience, since the alternative would require defining the destination folder in the command.

Limiting the network locations Deno can access is a good first start and shrinks the attack vector possibilities greatly.
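The flag analysis above can be turned into a small check that runs over a documented install command before it is published or used in CI. The script below is an added example for this issue, not Fresh or Deno project code; the HIGH/MEDIUM/INFO labels are the script's own, and the two command lines it audits are the ones quoted in the issue. It treats --allow-run=deno as equivalent to --allow-all for the reason given in the Deno docs quoted above, and treats unscoped read/write/net grants as medium severity.

```shell
#!/bin/sh
# Audit the permission flags of a `deno run` command line before it lands in
# docs or a CI step. Added example for this issue; not Fresh or Deno project
# code, and the HIGH/MEDIUM/INFO levels are this script's own labels.

# Checks the comma-separated --allow-run list: being able to spawn `deno`
# is equivalent to full permissions, since the child can be started with -A.
check_allow_run_list() {
  _saved_ifs=$IFS; IFS=,
  for entry in $1; do
    case "$entry" in
      deno|*/deno) echo "HIGH   --allow-run=deno lets the script spawn a child deno with full permissions" ;;
    esac
  done
  IFS=$_saved_ifs
}

# Deno 2 bundles short flags, e.g. -Ar is -A -r and -RWr is -R -W -r.
check_short_flags() {
  rest=$1
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}   # first character of the bundle
    rest=${rest#?}
    case "$c" in
      A) echo "HIGH   -A (--allow-all) disables the sandbox entirely" ;;
      R) echo "MEDIUM -R (--allow-read) without a path list exposes the whole filesystem" ;;
      W) echo "MEDIUM -W (--allow-write) without a path list can modify any writable file" ;;
      N) echo "MEDIUM -N (--allow-net) without a host list permits any network access" ;;
      r) echo "INFO   -r (--reload) bypasses the module cache and re-downloads remote code" ;;
    esac
  done
}

# Prints one "LEVEL message" line per finding. Only flags before the module
# specifier are inspected; anything after it is an argument to the script.
audit_deno_cmd() {
  seen_run=0
  for tok in $1; do
    case "$tok" in
      run) seen_run=1; continue ;;
      -*) ;;
      *) [ "$seen_run" -eq 1 ] && break; continue ;;
    esac
    case "$tok" in
      --allow-all)   echo "HIGH   --allow-all disables the sandbox entirely" ;;
      --allow-run)   echo "HIGH   --allow-run without an allow-list permits any subprocess" ;;
      --allow-run=*) check_allow_run_list "${tok#--allow-run=}" ;;
      --allow-net)   echo "MEDIUM --allow-net without a host list permits any network access" ;;
      --allow-read)  echo "MEDIUM --allow-read without a path list exposes the whole filesystem" ;;
      --allow-write) echo "MEDIUM --allow-write without a path list can modify any writable file" ;;
      --reload|--reload=*) echo "INFO   --reload bypasses the module cache and re-downloads remote code" ;;
      --*) ;;                              # other long flags, including scoped --allow-*=list, pass
      *) check_short_flags "${tok#-}" ;;   # single-dash bundle such as -Ar or -RWr
    esac
  done
}

# Worst level among the findings: HIGH, MEDIUM, INFO or NONE.
# A CI step can fail when this prints HIGH.
deno_cmd_risk() {
  report=$(audit_deno_cmd "$1")
  if   printf '%s\n' "$report" | grep -q '^HIGH';   then echo HIGH
  elif printf '%s\n' "$report" | grep -q '^MEDIUM'; then echo MEDIUM
  elif printf '%s\n' "$report" | grep -q '^INFO';   then echo INFO
  else echo NONE
  fi
}

# Demo with the two commands quoted in the issue.
for cmd in 'deno run -Ar jsr:@fresh/init' \
           'deno run --allow-net=jsr.io,usefresh.dev,fresh.deno.dev --allow-run=deno -RWr jsr:@fresh/init'; do
  echo "== $cmd"
  audit_deno_cmd "$cmd"
  echo "risk: $(deno_cmd_risk "$cmd")"
done
```

Both commands from the issue come out as HIGH: the first because of -A, the second because of --allow-run=deno even though its network access is scoped. Dropping --allow-run and scoping -R/-W to a destination directory (--allow-read=. --allow-write=.) brings the same command down to INFO, with only the --reload note left.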
