How can I easily and securely use third-party libraries in Deno?

Node has been criticized for its security issues. The community is large, there are many poorly maintained libraries, and Node does not provide access control, so it can do anything when introducing a dependency package.

One of the issues Deno addressed when it was proposed was security. Therefore, Deno provides access control on the process or Worker, and the permission of the program should be specified every time the Deno program is run:

  • Is readable
  • Could you write
  • Whether you can access the network
  • Whether a subcommand can be run
  • .

However, Deno does not currently support specifying package access when importing because the implementation is cumbersome. This need is universal: we have a large community with a large number of community warehouses, many of which are mixed, few people have the energy to check/track security issues when using a library, and we are more likely to not use or fork a library if trust issues are not addressed.

Sandbox Mode for External Scripts Since Deno follows ECMA standards, it will most likely have official sandbox support once sandbox proposals are added to ECMAScript standards. This includes Realms for Stage 3 and Ses for Stage 1

plan

So what is the current way we can introduce a package with 100% confidence?

Workers is the best solution at present. The Worker in Deno can load TypeScript code in Deno format as well as JS. When each Worker is created, it can specify permissions in fine granularity, such as which files can be read, which files can be written, and which domain names can only be accessed. The child Worker can be opened again in Worker, and the child Worker can inherit the permission of the father or be more strictly restricted.

const worker = new Worker(new URL("./worker.ts".import.meta.url).href, {
  type: "module".deno: {
    namespace: true.permissions: {
      net: [
        "https://deno.land/",].read: [
        new URL("./file_1.txt".import.meta.url),
        new URL("./file_2.txt".import.meta.url),
      ],
      write: false,}}});Copy the code

But with workers there is a lot of repetitive code. Is there a library that can help us do this?

Comlink

Comlink is a library that enables users to use workers more naturally. As long as they add await before normal Worker operations, they can use objects exported by workers.

And Deno 1.12, released in July 2021, supports MessageChannel and Message Port, allowing Comlink features to be fully leveraged on Deno (for example, passing a callback to the Worker, Depends on the Message Port interface. If you want to know how Comlink works, see this article.

Insert and query on Worker through Comlink:

main.js

import * as Comlink from "https://unpkg.com/comlink/dist/esm/comlink.mjs";
const DataProcessor = Comlink.wrap(new Worker("./worker.js"));
let processor = await new DataProcessor();

export async function insert(s) {
  await processor.insert(s);
}

export async function search(s) {
  return await processor.search(s);
}

export async function map(callback) {
  return processor.map(Comlink.proxy(callback));
}
Copy the code

worker.js

importScripts("https://unpkg.com/comlink/dist/umd/comlink.js");

class DataProcessor {
  arr = [];
  constructor() {}

  insert(. s) {
    this.arr.push(... s); }search(target) {
    const ans = [];
    for (const value of this.arr) {
      if(value.str.match(target)) { ans.push(value); }}return ans;
  }

  map(callback) {
    return Promise.all(this.arr.map(callback));
  }
}

Comlink.expose(DataProcessor);
Copy the code

Comlink + Deno Worker

Thus we can provide a Comlink + Workers wrapper that exposes a new import method so that we can safely import any script.

But just as I was about to do it, I found the warehouse importw

Use mode:

import {
  importw,
  release,
  worker,
} from "https://deno.land/x/[email protected]/mod.ts";

// Import a package from worker
// add is a function provided by the package
// Release and worker are built-in geosymbols that are used to obtain worker action objects
const { log, add, [release]: terminate, [worker]: workerRef } = await importw(
  "https://deno.land/x/[email protected]/examples/basic/exampleMod.ts",
  {
    name: "exampleWorker".deno: {
      namespace: true.permissions: {
        net: [
          "https://deno.land/",].write: false,},},},);// How to access the internal Worker
console.log(workerRef.constructor.name); // Worker

// Execute code in Worker
await log(`add(40, 2) in a worker:`.await add(40.2));

// Gracefully release Worker resources
await terminate();
Copy the code

Adding types is a bit verbose at the moment

import type * as M from "https://deno.land/x/[email protected]/examples/basic/exampleMod.ts"; .const. =await importw<{log: typeof M.log, add: typeofM.add}>( ... ) ;Copy the code

But be aware that you can’t achieve 100% security this way. If the script is running for a long time, it may be subjected to Side Channel Timing attacks.

It’s nice to parallelize the package in addition to the sandbox in this way 🌝