The vulnerability exists because the `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` methods do not perform the necessary permission checks for reading when called on an already open file descriptor. Normally, the `--deny-read=./` flag should prevent a script from obtaining any information about files in the directory. While standard file information APIs like `Deno.stat` correctly enforce this restriction by requiring `--allow-read`, the methods on the `FsFile` object bypass this security model. An attacker can exploit this by first opening a file with write-only flags (`{ read: false, write: true }`). Even with read permission explicitly denied, the `.stat()` or `.statSync()` method on the returned file object can be successfully invoked. This allows an attacker to retrieve metadata such as file size, type, and timestamps, thereby leaking information that should be protected by the permission system and bypassing the intended security controls.
Platform: Deno
Version: <=2.4.2
Vulnerability: Permission Bypass
Severity: Medium
Date: 2024-12-19
Prediction: Patch 2024-12-26
What Undercode Say:
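```sh
deno --version
touch test1.txt
deno run --deny-read=./ --allow-write=./ poc_file.stat.ts
```

```ts
// poc_file.stat.ts
// Open the file write-only, so no read permission is requested for the open.
using file = await Deno.open("./test1.txt", { read: false, write: true});
// stat() on the open handle returns metadata even though reads are denied.
const fileInfo = await file.stat();
console.log(fileInfo.isFile);
```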
How Exploit:
Open file write-only.
Call `.stat()` on handle.
Bypasses `--deny-read`.
Protection from this CVE
Update Deno version.
Avoid using FsFile.stat.
Use `Deno.stat` API.
Audit file operations.
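One way to carry out the audit step above, as an added example that is not part of the original advisory or of Deno: a heuristic scanner that flags `.stat()`/`.statSync()` calls on handles returned by `Deno.open`/`Deno.openSync`, marking those opened with an explicit `read: false`. The function names and the sample source are constructed for illustration; the `2.4.2` bound is the affected version stated on this page.

```javascript
// Added example: heuristic audit for the FsFile.stat pattern described above.
// AFFECTED_MAX is the page's "<=2.4.2"; all other names are illustrative.
const AFFECTED_MAX = [2, 4, 2];

// True when a "major.minor.patch" version string is <= 2.4.2.
function isAffectedVersion(version) {
  const parts = version.split(".").map((p) => parseInt(p, 10));
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== AFFECTED_MAX[i]) return a < AFFECTED_MAX[i];
  }
  return true;
}

// Tracks variables bound to Deno.open/openSync and reports .stat()/.statSync()
// calls made on them. writeOnly is true only for an explicit `read: false`.
// Line-based regex matching: a review aid, not a full parser.
function findHandleStatCalls(source) {
  const openRe = /\b(?:const|let|var|using)\s+(\w+)\s*=\s*(?:await\s+)?Deno\.open(?:Sync)?\s*\(([^)]*)\)/;
  const handles = new Map(); // variable name -> opened with read: false?
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const open = openRe.exec(text);
    if (open) handles.set(open[1], /\bread\s*:\s*false\b/.test(open[2]));
    for (const [name, writeOnly] of handles) {
      const call = new RegExp("\\b" + name + "\\.(stat|statSync)\\s*\\(").exec(text);
      if (call) findings.push({ line: idx + 1, handle: name, method: call[1], writeOnly });
    }
  });
  return findings;
}

// Constructed sample input: the PoC from this page plus two other calls.
const SAMPLE = [
  'using file = await Deno.open("./test1.txt", { read: false, write: true});',
  "const fileInfo = await file.stat();",
  'const ok = await Deno.stat("./test1.txt");',
  'const log = Deno.openSync("./app.log", { write: true, append: true });',
  "const size = log.statSync().size;",
].join("\n");

console.log(isAffectedVersion("2.4.2"), findHandleStatCalls(SAMPLE));
```

Findings with `writeOnly: true` match the pattern from the PoC and are the ones to review first on any runtime where `isAffectedVersion` returns true.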
Impact:
Information Disclosure.
Permission Model Bypass.
Metadata Leakage.
Sources:
Reported By: github.com

