Deno
cpe:2.3:a:deno:deno:*:*:*:*:*:*:*
- <= 2.5.2
A vulnerability exists in Deno's file stat methods, specifically `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync`, in versions prior to 2.5.3 and 2.2.15. These methods bypass the permission model check `--deny-read=./`, allowing a script to read file statistics for files it has no explicit read permission for. The issue arises because, unlike comparable APIs that require the `allow-read` permission, the stat methods do not re-check read access on an already-open handle: a file opened with write-only permissions under a deny-read restriction can still have its metadata retrieved. The vulnerability therefore exposes file metadata that the permission controls were intended to withhold.
Exploitation of this vulnerability bypasses Deno's permission model, specifically the read access restrictions, allowing unauthorized access to file statistics.
The vulnerability can be reproduced by opening a file with write permissions only, while denying read permissions in the current directory. After opening the file, the `stat` or `statSync` methods can be called to retrieve file statistics, successfully bypassing the read permission denial.
Users can upgrade to Deno versions 2.5.3 or 2.2.15, where this vulnerability has been fixed.
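A defender's first question is whether a given Deno install falls in the affected range. The following is an added example, not Deno's own code or part of this advisory: a small version check that encodes the fix thresholds stated above (2.5.3 on the main line, 2.2.15 as the fix on the 2.2 line). Reading the 2.2 line as a separately patched branch, so that 2.3.x and 2.4.x count as affected until 2.5.3, is an interpretation of the advisory text and is marked as an assumption in the comments. When run under Deno it reads `Deno.version.deno`; under Node it needs a version string passed in.

```typescript
// Added example: defensive version check for the Deno stat permission bypass.
// Assumption (derived from the advisory): every release before 2.5.3 is affected,
// except that the 2.2 release line carries a backported fix from 2.2.15 onward.

type Version = { major: number; minor: number; patch: number; pre: boolean };

function parseVersion(v: string): Version {
  // Accept "2.5.2", "v2.5.2" or "2.5.3-rc.1"; a pre-release suffix is recorded
  // so it can sort before the final release with the same numbers.
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    pre: m[4] !== undefined,
  };
}

function compareVersions(a: Version, b: Version): number {
  const n = a.major - b.major || a.minor - b.minor || a.patch - b.patch;
  if (n !== 0) return n;
  // Same numeric version: a pre-release sorts before the final release.
  return Number(b.pre) - Number(a.pre);
}

// Fix thresholds taken from the advisory text.
const FIX_MAINLINE: Version = { major: 2, minor: 5, patch: 3, pre: false };
const FIX_BACKPORT_2_2: Version = { major: 2, minor: 2, patch: 15, pre: false };

function isAffected(version: string): boolean {
  const v = parseVersion(version);
  if (v.major === 2 && v.minor === 2) {
    // Assumption: the 2.2 line is judged against its own backported fix.
    return compareVersions(v, FIX_BACKPORT_2_2) < 0;
  }
  return compareVersions(v, FIX_MAINLINE) < 0;
}

function currentDenoVersion(): string | undefined {
  // Deno.version.deno is the runtime's own version string; absent under Node.
  const g = globalThis as { Deno?: { version?: { deno?: string } } };
  return g.Deno?.version?.deno;
}

function report(version: string | undefined = currentDenoVersion()): string {
  if (!version) return "not running under Deno; pass a version string explicitly";
  return isAffected(version)
    ? `Deno ${version} is affected: upgrade to 2.5.3 (or 2.2.15 on the 2.2 line)`
    : `Deno ${version} includes the fix for the FsFile stat permission bypass`;
}

console.log(report());
```

The check deliberately treats a pre-release of the fixed version (for example `2.5.3-rc.1`) as still affected, since it may predate the fix commit; when in doubt, compare against the release notes for the exact build in use.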