For the following example, has been granted read-only access to the file system. It cannot write to it, or perform any other security-sensitive functions.
The following permissions are available:
- -A, —allow-all Allow all permissions. This disables all security.
- --allow-hrtime Allow high-resolution time measurement. High-resolution time can be used in timing attacks and fingerprinting.
- --allow-net=<allow-net> Allow network access. You can specify an optional, comma-separated list of domains to provide an allow-list of allowed domains.
- --allow-plugin Allow loading plugins. Please note that —allow-plugin is an unstable feature.
- --allow-read=<allow-read> Allow file system read access. You can specify an optional, comma-separated list of directories or files to provide a allow-list of allowed file system access.
- --allow-run Allow running subprocesses. Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the deno process. Therefore, use with caution.
Deno also allows you to control the granularity of some permissions with allow-lists.
$ deno run --allow-read=/usr https://deno.land/std@$STD_VERSION/examples/cat.ts /etc/passwd
► $deno$/dispatch_json.ts:40:11
at DenoError ($deno$/errors.ts:20:5)
...
Try it out again with the correct permissions by allow-listing instead:
--allow-write
works the same as --allow-read
.
fetch.ts:
If tries to establish network connections to any other domain, the process will fail.
Allow net calls to any host/url:
deno run --allow-net fetch.ts
Ryan Dahl. (September 25, 2020). . Speakeasy JS.