feat: Deno.execPath() no longer requires --allow-read permission (#29620)

This commit changes `Deno.execPath()` API to no longer require read permission. This change is dictated by the fact that in common scenarios, requiring read permission is less secure than not requiring permissions - if a user wants to spawn a Deno subprocess using the current executable, they would do something like: ``` new Deno.Command(Deno.execPath(), { args: ["eval", "1+1"] }).outputSync(); ``` To run this program, currently one needs to pass `--allow-read --allow-run=deno` flags. It's possible to limit scope of `--allow-read` flag, but it's really cumbersome to do, so most users will opt to give a blanket `--allow-read` permission. Not requiring read permissions allows the above program to be run with just `--allow-run=deno` flag. This change is in similar to relaxing of permissions in `Deno.cwd()` API done in https://github.com/denoland/deno/pull/27192. Ref https://github.com/denoland/deno/issues/20061#issuecomment-2942497783
2025-08-04 10:59:13 +00:00 · 2025-06-25 20:57:35 +02:00 · 2025-06-25 20:57:35 +02:00 · f781796402
commit f781796402
parent d4b02455df
3 changed files with 3 additions and 19 deletions
--- a/cli/tsc/dts/lib.deno.ns.d.ts
+++ b/cli/tsc/dts/lib.deno.ns.d.ts
@ -1591,9 +1591,6 @@ declare namespace Deno {
   * console.log(Deno.execPath());  // e.g. "/home/alice/.local/bin/deno"
   * ```
   *
-   * Requires `allow-read` permission.
-   *
-   * @tags allow-read
   * @category Runtime
   */
  export function execPath(): string;
--- a/ext/os/lib.rs
+++ b/ext/os/lib.rs
@ -113,13 +113,10 @@ pub enum OsError {
  Io(#[from] std::io::Error),
 }

-#[op2(stack_trace)]
+#[op2]
 #[string]
-fn op_exec_path(state: &mut OpState) -> Result<String, OsError> {
+fn op_exec_path() -> Result<String, OsError> {
  let current_exe = env::current_exe().unwrap();
-  state
-    .borrow_mut::<PermissionsContainer>()
-    .check_read_blind(&current_exe, "exec_path", "Deno.execPath()")?;
  // normalize path so it doesn't include '.' or '..' components
  let path = normalize_path(current_exe);

--- a/tests/unit/os_test.ts
+++ b/tests/unit/os_test.ts
@ -184,20 +184,10 @@ Deno.test(
  },
 );

-Deno.test({ permissions: { read: true } }, function execPath() {
+Deno.test({ permissions: { read: false } }, function execPath() {
  assertNotEquals(Deno.execPath(), "");
 });

-Deno.test({ permissions: { read: false } }, function execPathPerm() {
-  assertThrows(
-    () => {
-      Deno.execPath();
-    },
-    Deno.errors.NotCapable,
-    "Requires read access to <exec_path>, run again with the --allow-read flag",
-  );
-});
-
 Deno.test(
  {
    ignore: Deno.build.os !== "linux",