[Security] Deno Sandbox Escape #12152

masasron · 2021-09-20T12:46:38Z

The Deno file sandbox does not handle symbolic links correctly.
When running Deno with specific write access the Deno.symlink method can be used to gain access to any directory.

Proof of concept:
https://hackers.report/report/614876917a7b150012836bb8

The text was updated successfully, but these errors were encountered:

caspervonb · 2021-09-20T13:49:23Z

See also #9607

bartlomieju mentioned this issue Sep 20, 2021

fix: Deno.symlink and Deno.symlinkSync require read and write permissions #12154

Closed

caspervonb mentioned this issue Sep 21, 2021

fix(runtime): use canonical paths for ops that may resolve symlinks #12170

Closed

21 tasks

piscisaureus assigned dsherret Oct 19, 2021

dsherret mentioned this issue Oct 26, 2021

fix(runtime): require full read and write permissions in order to create symlinks #12554

Merged

dsherret closed this as completed in #12554 Oct 29, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Deno Sandbox Escape #12152

[Security] Deno Sandbox Escape #12152

masasron commented Sep 20, 2021

caspervonb commented Sep 20, 2021

[Security] Deno Sandbox Escape #12152

[Security] Deno Sandbox Escape #12152

Comments

masasron commented Sep 20, 2021

caspervonb commented Sep 20, 2021