What is Deno?
However, Deno doesn’t completely lock you out of your own device. You are able to explicitly set permissions to access environment variables, network access, and file read / write permissions. Deno additionally provides a foreign function interface (FFI) for the C language Application Binary Interface (ABI).
Despite this extra security, Deno does not require explicit permission to import local or remote modules, similarly to NodeJS and NPM. This means you could potentially import malicious code from a third party source. Deno’s FFI feature also allows you to run external scripts outside of the default sandbox, allowing for privilege escalation in some cases. Be sure to audit any third party sources before attempting to use them in your codebase.
The Deno CLI provides options to granularly set permissions during runtime. In this article I will discuss several of those options and provide examples for each.
Before getting started with any of the examples, be sure to download and install the latest version of Deno from
deno.land. Once you’re all set up and have added the
.deno directory to your $PATH, you can run
deno –help to see the full list of help options.
The examples below will be using the
deno run command and you can see the help page for
run by entering
deno help run into your terminal.
The options we will explore today include the following permissions
allow-env command authorizes the Deno runtime to use the environment from your terminal setup. This is useful for
pointing the Deno script to various parameters that exist in your shell and is very useful for passing API keys to Deno
without having to hard code the information into a script.
For example, if you are using Deno to interact with the Amazon Web Services API, you can write your script as usual and
reference the API key in the script itself. The script below retrieves the value for the
variable and logs it to the console if it is found.
Once your script is written, you can include the AWS environment variable into the runtime environment of your script by
--allow-env like so
The above example will pass the
AWS_API_KEY environment variable to the
awsScript.ts file at runtime. If you attempt
to run the
awsScript.ts file without specifying an environment variable to allow, Deno will prompt you to ask if you
would like to rerun the script with access to the desired variable.
Note that Deno assumes any environment variable passed to the script will exist in the underlying system. If you attempt
to load an environment variable that does not exist, the result will simply be
undefined when you attempt to use it.
If you choose not to load the variable at this time by typing
deny Deno will throw a
allow-hrtime command provides more control over the printed timestamps output by your script. This is useful to
prevent timing attacks which are method of breaking a cryptographic system by analyzing the length of time it takes the
script to process any cryptographic commands. Using higher resolution timing is also useful during performance testing
to calculate the time it takes for Deno to execute specific commands.
Deno’s permissions model does not allow network access by default. This means that you are protected from any script that attempts to access a url on your local network or the internet in general.
If you are testing a script, or if you are creating an application that relies on an external database, you can
whitelist any local or external resources by passing their urls to the
Running the above command will allow access to
on any port. If you want to restrict networking to specific ports, the–allow-net` command also lets you
specify ports for even finer grained control of network access.
You can allow all network access by simply including
--allow-net with no items passed. Be careful, this will allow any
script to run with access to any host and potentially download and run malicious code.
--allow-ffi command lets you specify dynamic libraries to load with your script at runtime. The
allow-ffi stands for foreign function interface and Deno uses this to interact with any library that is compatible
with the C language application binary interface (ABI). This includes languages like Rust, C/C++, C#, Zig, Nim, and
Kotlin (among others).
The Deno foreign function interface allows you to specify a large number of types from your selected foreign language. Find the full list types on the Deno Foreign Function Interface API documentation
You can find additional information about composing functions to be used with
--allow-ffi in the
Deno FFI API page
--allow-read permission tells Deno to allow read access to any files passed to the command, individually or as a
list. This is useful for restricting access to only files you specify on your (or your users) system.
This is useful for allowing your script to only interact with the specific files needed at runtime, such as configuration files, or any file needed to process with the script.
Say you have a simple
config.ini file containing user name and password:
ini file above will be read with this simple script:
To allow your script to read this
config.ini file, execute your script using the
Specify multiple options by supplying a comma separated list of files you would like to interact with.
--allow-read command works for files and directories - simply pass a directory to the
--allow-read argument to
include that directory as a readable resource. Using
--allow-read to read directories will output an
used to iterate over the contents in the directory.
Note that the
--allow-read command does not allow Deno to read subdirectories that may be located in the parent
directory you pass to the permission. For example, if you would like to allow your script to read your
you can only files within the
/etc directory, not subfolders. You must use
--allow-read /etc/<subdirectory> to allow
As with other Deno permissions, if you do not include
--allow-run when executing the script, Deno will prompt you to
run your command again using the
--allow-run option to include read access to any files referenced in your script.
yes to allow access to these files will re-run the Deno command with the files allow-read command populated
with filenames referenced in your script.
However, if you choose
deny to prevent Deno from allowing read access to these files, you are presented with a
If you would like to execute any files with your script, use the
--allow-run option to allow Deno to execute any
external files as part of the runtime. As with
--allow-run will only let your script execute the
files specified with the
deno run command, eg
deno run –allow-run runFile.ts.
For example, if
runFile.ts contains the following command
deno run –allow-run runFile.ts at the command line will output the following text
allow-run also tells Deno that your script can run command line tools as well. If you need to get the host name of
the machine running your Deno code, you can tell Deno to allow the
hostname command using the following
A quick warning – using
--allow-run will execute any file or command as a subprocess outside of the Deno sandbox,
meaning that any permissions set at runtime will not apply to the file or command being executed. This is a type of
privilege escalation that you must be aware of when using this permission.
allow-write option tells Deno to allow write operations on any files specified at the command line. As with
--allow-write accepts single file or directory options, or multiple files and directories passed to
the command as a comma separated list.
In this article you learned a bit about why Deno is “secure by default” and how the command line permissions can help
keep your system secure. Additionally, I described a few caveats when it comes to Deno’s permissions - you can import
3rd party code without allowing network access, and the
allow-run permission will execute any command or code as a
separate subprocess, outside of the Deno sandbox.
Deno aims to be a Typescript-first programming environment that will potentially replace NodeJs and NPM. To find out more about Deno permissions, head to the permissions section of the Deno “getting started” docs. You can learn more about Deno at deno.land.