Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(permission): Address permissions issue for UNC paths on Windows #25132

Open
wants to merge 13 commits into
base: main
Choose a base branch
from

Conversation

yazan-abdalrahman
Copy link
Contributor

fix #24703

@yazan-abdalrahman
Copy link
Contributor Author

@dsherret please can review this change?

@yazan-abdalrahman yazan-abdalrahman changed the title Fix: Address permissions issue for UNC paths on Windows fix(permission): Address permissions issue for UNC paths on Windows Aug 21, 2024
@yazan-abdalrahman
Copy link
Contributor Author

@dsherret @bartlomieju
Hello, could you help verify why it failed? It works on my local.
image

deno.runtime_permissions_lib.rs.2024-08-21.17-24-59.mp4

And when I ran the script, it didn't set failed to true, therefore it didn't output "One or more tests failed" and it didn't return 321.

deno.special_main.js.2024-08-21.17-27-31.mp4

// Check if the path is a UNC path (e.g., \\Server\Share\Folder)
// UNC paths typically contain "\\" at the start or somewhere in the middle
if s.windows(2).any(|window| window == b"\\\\") {
return true;
Copy link
Member

@dsherret dsherret Aug 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be a security issue. I think there's a reason why this isn't allowed without -A, but I can't remember at the moment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dsherret this #23208 prevent some paths if they don't have all permissions, so we need to exclude UNC paths from that pattern with this code or close issue it if it's for security reasons.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dsherret this #23208 prevent some paths if they don't have all permissions, so we need to exclude UNC paths from that pattern with this code or close issue it if it's for security reasons.

Regarding #23208. I realize it's not a security problem, thus can accept this change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mmastrac Please check this change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dsherret @mmastrac
Can we accept it, or should we close the issue and consider it unsolvable?

Copy link
Member

@dsherret dsherret Aug 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked into this a bit and I think it's more complicated than it seems. Here's some points from an old internal document:

  • If users are using \\.\ paths to access things like named pipes, raw devices, those should trigger --allow-sys .
  • Network resources should perform DNS lookup in permission checks, and the fully-resolved permission check object should include the the IP address. When we make the outgoing network requests, we must use the resolved IP.

That said, I'm not sure about what the right solution is here. At the moment, this just requires --allow-all permissions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked into this a bit and I think it's more complicated than it seems. Here's some points from an old internal document:

  • If users are using \\.\ paths to access things like named pipes, raw devices, those should trigger --allow-sys .
  • Network resources should perform DNS lookup in permission checks, and the fully-resolved permission check object should include the the IP address. When we make the outgoing network requests, we must use the resolved IP.

That said, I'm not sure about what the right solution is here. At the moment, this just requires --allow-all permissions.

but I assume if it requires extra permission, it will prompt to ask it to grant the permission, thus actually at this moment it grants all the permission needed, no need to verify all permissions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be a security issue. I think there's a reason why this isn't allowed without -A, but I can't remember at the moment.

This might be a security issue. I think there's a reason why this isn't allowed without -A, but I can't remember at the moment.

@dsherret
What about this? I don't think it's a security issue, but why do sheared files require all permissions? Just some permissions like read, write, and net? and why it didn't prompt to give it all permission?

@rivy
Copy link
Contributor

rivy commented Oct 6, 2024

@dsherret , I'm running into this issue while trying to open any UNC path or DOS device (eg, '\.\CONIN$') with non---allow-all permissions.

Is there any thoughts on what permissions (besides just defaulting to --allow-all) that could/should be used for this fairly common CLI and network script usage?

Requiring --allow-all is especially problematic as it can't be tested using the permissions API.

Should anyone else be included in the discussion?

Thanks for the attention.

@bartlomieju bartlomieju added this to the 2.1.0 milestone Nov 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
4 participants