Deno Global Permission Flag Contradiction Vulnerability

Vulnerability

A vulnerability in Deno's permission handling causes contradictory global permission flags to be resolved incorrectly. Specifically, running 'deno run' with both '--allow-read' and '--deny-read', or any similar combination of global unary permissions, can lead to unexpected behavior. The issue affects Deno versions from 1.41.3 up to, but not including, the patched releases 2.1.13, 2.2.13, and 2.3.2. It arises from a logic flaw that mishandles the priority of 'deny' flags, creating a scenario where denied permissions are still granted.

Impact

Exploitation of this vulnerability could lead to unintended permission grants, allowing read operations that should be denied. However, this issue only affects illogical combinations of permission flags, so the overall impact on users is minimal.

Reproduction

To reproduce this vulnerability, run a Deno script with the command 'deno run' followed by the '--allow-read' and '--deny-read' flags. The script will be executed with read permissions allowed, despite the denial flag, demonstrating the contradiction in permission handling.

Remediation

Users can upgrade to Deno versions 2.1.13, 2.2.13, or 2.3.2, where this vulnerability has been patched.
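
The flag combination from the Reproduction section and the version range above can be checked mechanically when auditing launch scripts or CI configuration. The following is an added example, not code from Deno or from this advisory's authors; the function names and sample command lines are constructed for illustration, only long-form flags are matched, and the treatment of 2.0.x as affected and of releases after the 2.3 line as fixed is an assumption drawn from the stated range.

```javascript
// Added example: audit helper, not Deno's own code.
// Affected range as stated on this page: 1.41.3 up to, but not including,
// the patched releases 2.1.13, 2.2.13 and 2.3.2.
const PATCHED = { "2.1": 13, "2.2": 13, "2.3": 2 };

function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major === 1) return minor > 41 || (minor === 41 && patch >= 3);
  if (major !== 2) return false;
  const fixedPatch = PATCHED[`${major}.${minor}`];
  if (fixedPatch !== undefined) return patch < fixedPatch;
  // Assumption: 2.0.x is affected (older than 2.1.13); lines after 2.3 carry the fix.
  return minor === 0;
}

// Returns permission names given as both a global --allow-X and a global --deny-X.
// Simplification: every token after "run" is scanned, so flags written after
// the script name (which are script arguments) are reported as well.
function contradictoryGlobalFlags(commandLine) {
  const tokens = commandLine.trim().split(/\s+/);
  const denoAt = tokens.findIndex((t) => /(^|\/)deno$/.test(t));
  const runAt = denoAt === -1 ? -1 : tokens.indexOf("run", denoAt + 1);
  if (runAt === -1) return [];
  const seen = { allow: new Set(), deny: new Set() };
  for (const tok of tokens.slice(runAt + 1)) {
    // Global (unary) form only: "--allow-read", not "--allow-read=/tmp".
    const m = /^--(allow|deny)-([a-z]+)$/.exec(tok);
    if (m) seen[m[1]].add(m[2]);
  }
  return [...seen.allow].filter((p) => seen.deny.has(p)).sort();
}

function audit(commandLine, denoVersion) {
  const conflicts = contradictoryGlobalFlags(commandLine);
  // On an affected build the deny flag is not honoured for these permissions.
  return { conflicts, denyIgnored: conflicts.length > 0 && isAffectedVersion(denoVersion) };
}

// Constructed sample invocations (not taken from a real project).
const SAMPLES = [
  "deno run --allow-read --deny-read main.ts",
  "deno run --allow-read --deny-read=/etc main.ts",
  "deno run --allow-net --allow-env --deny-env --deny-net server.ts",
];
for (const cmd of SAMPLES) console.log(cmd, "=>", JSON.stringify(audit(cmd, "2.1.12")));
```

A non-empty conflicts list is worth fixing in the command line even on a patched version, since the contradictory pair signals that the intended policy is unclear.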

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.