logo
GitHubEdit on GitHub

Permissions

Deno is secure by default. Therefore, unless you specifically enable it, a deno module has no file, network, or environment access for example. Access to security-sensitive areas or functions requires the use of permissions to be granted to a deno process on the command line.

For the following example, mod.ts has been granted read-only access to the file system. It cannot write to it, or perform any other security-sensitive functions.

deno run --allow-read mod.ts

Permissions list

The following permissions are available:

  • -A, --allow-all Allow all permissions. This disables all security.
  • --allow-env=<allow-env> Allow environment access for things like getting and setting of environment variables. Since Deno 1.9, you can specify a optional, comma-separated list of environment variables to provide an allow-list of allowed environment variables.
  • --allow-hrtime Allow high-resolution time measurement. High-resolution time can be used in timing attacks and fingerprinting.
  • --allow-net=<allow-net> Allow network access. You can specify an optional, comma-separated list of domains to provide an allow-list of allowed domains.
  • --allow-plugin Allow loading plugins. Please note that --allow-plugin is an unstable feature.
  • --allow-read=<allow-read> Allow file system read access. You can specify an optional, comma-separated list of directories or files to provide an allow-list of allowed file system access.
  • --allow-run=<allow-run> Allow running subprocesses. Since Deno 1.9, You can specify an options, comma-separated list of subprocesses to provide an allow-list of allowed subprocesses. Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the deno process. Therefore, use with caution.
  • --allow-write=<allow-write> Allow file system write access. You can specify an optional, comma-separated list of directories or files to provide an allow-list of allowed file system access.

Permissions allow-list

Deno also allows you to control the granularity of some permissions with allow-lists.

This example restricts file system access by allow-listing only the /usr directory, however the execution fails as the process was attempting to access a file in the /etc directory:

$ deno run --allow-read=/usr https://deno.land/std@0.103.0/examples/cat.ts /etc/passwd
error: Uncaught PermissionDenied: read access to "/etc/passwd", run again with the --allow-read flag
► $deno$/dispatch_json.ts:40:11
    at DenoError ($deno$/errors.ts:20:5)
    ...

Try it out again with the correct permissions by allow-listing /etc instead:

deno run --allow-read=/etc https://deno.land/std@0.103.0/examples/cat.ts /etc/passwd

--allow-write works the same as --allow-read.

Network access:

fetch.ts:

const result = await fetch("https://deno.land/");

This is an example of how to allow-list hosts/urls:

deno run --allow-net=github.com,deno.land fetch.ts

If fetch.ts tries to establish network connections to any other domain, the process will fail.

Allow net calls to any host/url:

deno run --allow-net fetch.ts

Conference

Ryan Dahl. (September 25, 2020). The Deno security model. Speakeasy JS.