Security vulnerabilities

Severity: 8.6 — High
Target Feature: Deno runtime environment (/admin/sites/, application configuration, startup command field)
Vulnerability Class: CWE-88 — Argument Injection or Modification
Root Cause: alwaysdata's admin panel allows users to specify a custom startup command for Deno applications. The startup command is passed to a shell executor with insufficient argument sanitization. By embedding Deno CLI flags within the startup command string, an attacker can inject –allow-all, –allow-env, or –unstable flags that override the platform's intended Deno permission policy.
Attack Narrative:

Step 1: Attacker creates a Deno application in the alwaysdata admin panel. In the "Start command" field, enters: deno run –allow-all –unstable /home/attacker/www/evil.ts
Step 2: The platform's process launcher passes this string through sh -c "[user_command]", executing the Deno process with full –allow-all permissions instead of the restricted permission set the platform intends.
Step 3: evil.ts calls Deno.readFile("/etc/passwd"), Deno.env.toObject() (leaking all environment variables including other tenants' secrets injected by the platform), and opens arbitrary network connections.
Step 4: Attacker exfiltrates environment-injected database credentials, API keys, and reads filesystem paths accessible to the Deno service user.

Impact: Full bypass of Deno's permission sandbox, arbitrary filesystem read, environment variable theft, unrestricted outbound network access from the platform's IP range.