Skip to content

Deno.cwd() permission problems #27080

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
alexgleason opened this issue Nov 26, 2024 · 4 comments
Closed

Deno.cwd() permission problems #27080

alexgleason opened this issue Nov 26, 2024 · 4 comments

Comments

@alexgleason
Copy link
Contributor

Version: Deno 2.1.1

cwd.ts:

console.log(Deno.cwd());

This requires --allow-read permission (which I already think is a stretch):

deno run --allow-read cwd.ts

But if I deny even a single file in the same directory, I cannot use it anymore:

deno run --allow-read --deny-read=.env cwd.ts
error: Uncaught (in promise) NotCapable: Requires read access to <CWD>, run again with the --allow-read flag
console.log(Deno.cwd());
                 ^
    at Object.cwd (ext:deno_fs/30_fs.js:151:10)
    at file:///home/alex/Projects/ditto/scripts/cwd.ts:1:18

Actually a lot of scenarios don't work..

# These all give the `NotCapable` error:
deno run --allow-read --deny-read=src cwd.ts # subfolder
deno run --allow-read --deny-read=src/utils/time.ts cwd.ts # file in subfolder
deno run --allow-read --deny-read=.. # directory above

# Surprisingly, these _do_ work, so it's not entirely broken:
deno run --allow-read --deny-read=/ cwd.ts # root directory
deno run --allow-read --deny-read=/etc/hosts cwd.ts # absolute path
deno run --allow-read --deny-read=../mostr cwd.ts # folder above

This messes up file permissions pretty badly, because path.resolve() will trigger this, so any library that calls it (a lot of them) will force you to remove granular permissions and just use -A.

Why does cwd get this treatment? It's not reading the contents of any file. It's not even listing files within a directory. In its current state it would be better to remove the --allow-read requirement all-together than keeps its current behavior, because the current behavior forces you to compromise your other permissions.
@0f-0b
Copy link
Contributor

0f-0b commented Nov 26, 2024

Moreover, there is already a way (related to Node compatibility) to get the path to the CWD without any permissions, so having Deno.cwd() require --allow-read gives no security benefits.

@marvinhagemeister
Copy link
Contributor

@0f-0b What's that way to get the CWD without any permissions that you're referring to? Both Deno.cwd() and process.cwd() trigger a permission prompt on my end. Did you found another way?

@0f-0b
Copy link
Contributor

0f-0b commented Nov 27, 2024

What's that way to get the CWD without any permissions that you're referring to?

import Module from "node:module";
console.log(Module._nodeModulePaths("a")[0].slice(0, -15));

@dsherret
Copy link
Member

Yeah, we know about this one. We were supposed to get rid of the Deno.cwd permission check in Deno 2.0 and forgot. Let's continue this one in #27110

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@marvinhagemeister @dsherret @alexgleason @0f-0b