
bugtodiffer | 7 months ago

Using Deno isn't good security practice, their sandbox is implemented like stuff from the 90s


homebrewer|7 months ago

If you're writing server stuff, at the coarse-grained level of isolation that Deno provides you're better off using just about anything else and restricting access to network/disks/etc through systemd. Unlike Deno, it can restrict access to specific filesystem paths and network addresses (whitelist/blacklist, your choice), and you're not locked into using just Deno and not forced to write JS/TS.

See `man systemd.exec`, `systemd-analyze security`, https://wiki.archlinux.org/title/Systemd/Sandboxing

crabmusket|7 months ago

Deno can restrict access to filesystem files or directories, and to particular network domains, see docs for examples. https://docs.deno.com/runtime/fundamentals/security/#file-sy...

However in general I don't think Deno's permission system is all that amazing, and I am annoyed that people call it "capability-based" sometimes (I don't know if this came from the Deno team ever or just misinformed third parties).

I do like that "deno run https://example.com/arbitrary.js" has a minimum level of security by default, and I can e.g. restrict it to read and write my current working dir. It's just less helpful for combining components of varying trust levels into a single application.

oblio|7 months ago

Can you expand on this please? Also curious which 90s tech they're inspired by.

bugtodiffer|7 months ago

It is matching strings instead of actually blocking things. That's how sandboxes were implemented when I was a kid.

E.g. `--allow-net --deny-net=1.1.1.1`

You cannot fetch "http://1.1.1.1" but any domain that resolves to 1.1.1.1 is a bypass...

It's crap security
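The distinction drawn in the comment above, modelled as an added example that is not part of the thread and is not Deno's code: a deny list compared against the host string in the URL, next to one compared against the addresses that host resolves to. The function names, the static lookup table standing in for DNS, and the `.example.test` hostnames are all constructed for illustration.

```javascript
// Constructed sample data: a static name -> address table standing in for
// DNS so the example runs offline. The hostnames are made up.
const SAMPLE_DNS = new Map([
  ["one.example.test", ["1.1.1.1"]],
  ["docs.example.test", ["192.0.2.10"]],
]);

// The deny list from the comment: --deny-net=1.1.1.1
const DENIED_ADDRESSES = new Set(["1.1.1.1"]);

// IPv4 only, to keep the example short.
const isIPv4 = (s) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split(".").every((o) => Number(o) <= 255);

// Hypothetical resolver: literals resolve to themselves, names via the table.
function resolve(host) {
  if (isIPv4(host)) return [host];
  return SAMPLE_DNS.get(host) ?? [];
}

// Check 1: compare the host string in the URL against the deny list.
// A name that points at a denied address never matches the list.
function allowedByName(url) {
  return !DENIED_ADDRESSES.has(new URL(url).hostname);
}

// Check 2: resolve first, then deny if any resolved address is listed.
// The vetted addresses are returned so the caller can connect to exactly
// those instead of resolving a second time after the check.
function allowedByAddress(url) {
  const addrs = resolve(new URL(url).hostname);
  if (addrs.length === 0) return { allowed: false, addrs, reason: "unresolvable" };
  const hit = addrs.find((a) => DENIED_ADDRESSES.has(a));
  return hit
    ? { allowed: false, addrs, reason: `resolves to denied ${hit}` }
    : { allowed: true, addrs, reason: "ok" };
}

for (const u of ["http://1.1.1.1/", "http://one.example.test/", "http://docs.example.test/"]) {
  console.log(u, "by name:", allowedByName(u), "by address:", allowedByAddress(u).reason);
}
```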

bflesch|7 months ago

Is Node "sandbox" different? Does it even have a sandbox?

throwitaway1123|7 months ago

Node does have a permissions system, but it's opt-in. Many runtimes/interpreters either have no sandbox at all, or they're opt-in, which is why Deno's sandbox is an upgrade, even if it's not as hardened as iptables or Linux namespaces.