Permissions bypass exploit #1858

Closed
afinch7 opened this Issue Feb 28, 2019 · 3 comments

Contributor

afinch7 commented Feb 28, 2019

I found a direct bypass of the file system permissions checks.

The compiler code is currently designed around a privileged operation op_fetch_module_meta_data that can be used to read any file on the host file system or make almost any GET http/https request you want with the host's connection. The libdeno.send function required to send the request to run said operation is available in the global scope of any code executed in the same context.

Proof of concept

Collaborator

ry commented Feb 28, 2019

Thanks for reporting - makes sense. Only the "compiler" isolate should have access to fetch_module_meta_data.

We don't have a great way to decide which Isolate an op request is coming from at the moment. But I'm refactoring this now, and I will add something so we can branch on it.

Contributor Author

afinch7 commented Mar 1, 2019

After a little thought I decided that it would be a good idea to assign permissions on a per-isolate basis. I already have some working code for this refactor, and it should be beneficial for more than just solving this problem.

ry added a commit that referenced this issue Mar 2, 2019

Permissions refactor (#1864)
Refactored permissions to be assignable on a per-isolate 
basis, and added a fix for #1858 to op_fetch_module_meta_data.

Collaborator

ry commented Mar 2, 2019

Fixed in 8c310d3

ry closed this Mar 2, 2019
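The design change discussed in this thread, sketched as an added example that is not Deno's code or the contents of the referenced commit: an op dispatcher that cannot identify its caller next to one that checks a per-isolate grant set before running the op. `Isolate`, `Op::Now`, `Denied` and both dispatch functions are hypothetical names; only the op name `fetch_module_meta_data` and the "compiler" isolate come from the issue.

```rust
use std::collections::HashSet;

// Only FetchModuleMetaData is named in the issue; Now is a constructed harmless op.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Op { FetchModuleMetaData, Now }

// Hypothetical per-isolate grant set; not Deno's actual types.
pub struct Isolate { pub name: &'static str, allowed: HashSet<Op> }

impl Isolate {
    pub fn new(name: &'static str, ops: &[Op]) -> Self {
        Isolate { name, allowed: ops.iter().copied().collect() }
    }
}

#[derive(Debug, PartialEq)]
pub struct Denied { pub isolate: &'static str, pub op: Op }

// Stand-in for the real op bodies: returns a label, touches no disk or network.
fn run(op: Op) -> &'static str {
    match op { Op::FetchModuleMetaData => "module-meta-data", Op::Now => "timestamp" }
}

// Before: the dispatcher cannot tell which isolate sent the request,
// so every caller reaches the privileged op.
pub fn dispatch_unscoped(op: Op) -> Result<&'static str, Denied> { Ok(run(op)) }

// After: the caller's identity travels with the request and its own
// grant set is checked before the op body runs (deny by default).
pub fn dispatch_scoped(caller: &Isolate, op: Op) -> Result<&'static str, Denied> {
    if caller.allowed.contains(&op) {
        Ok(run(op))
    } else {
        Err(Denied { isolate: caller.name, op })
    }
}

fn main() {
    let compiler = Isolate::new("compiler", &[Op::FetchModuleMetaData, Op::Now]);
    let user = Isolate::new("user", &[Op::Now]);
    println!("{:?}", dispatch_unscoped(Op::FetchModuleMetaData));
    println!("{:?}", dispatch_scoped(&compiler, Op::FetchModuleMetaData));
    println!("{:?}", dispatch_scoped(&user, Op::FetchModuleMetaData));
    println!("{:?}", dispatch_scoped(&user, Op::Now));
}
```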
