diff options
| author | Bartek IwaĆczuk <biwanczuk@gmail.com> | 2022-04-17 17:47:24 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-04-17 17:47:24 +0200 |
| commit | 9c5928b5aa3716f7441694da24982cecacb7a061 (patch) | |
| tree | 0c3e750337774162dfb2910cf462b9b7e0b8d4ba | |
| parent | 19bb82aa40eabd9a06ba6650558653ec88d19a96 (diff) | |
fix: panic when trying to pledge permissions before restoring previous pledge (#14306)
This commit fixes and edge case, where testing/benching code could pledge new
permission set before restoring the previous pledge.
Appropriate panics were added and tests that assert that process is killed
in case of "recursive pledge".
| -rw-r--r-- | cli/ops/bench.rs | 4 | ||||
| -rw-r--r-- | cli/ops/testing.rs | 3 | ||||
| -rw-r--r-- | cli/tests/integration/bench_tests.rs | 19 | ||||
| -rw-r--r-- | cli/tests/integration/test_tests.rs | 18 | ||||
| -rw-r--r-- | cli/tests/testdata/bench/recursive_permissions_pledge.js | 8 | ||||
| -rw-r--r-- | cli/tests/testdata/test/recursive_permissions_pledge.js | 8 |
6 files changed, 60 insertions, 0 deletions
diff --git a/cli/ops/bench.rs b/cli/ops/bench.rs index ea040b4a5..6f4b80974 100644 --- a/cli/ops/bench.rs +++ b/cli/ops/bench.rs @@ -63,6 +63,10 @@ pub fn op_pledge_test_permissions( let worker_permissions = create_child_permissions(parent_permissions, args)?; let parent_permissions = parent_permissions.clone(); + if state.try_take::<PermissionsHolder>().is_some() { + panic!("pledge test permissions called before restoring previous pledge"); + } + state.put::<PermissionsHolder>(PermissionsHolder(token, parent_permissions)); // NOTE: This call overrides current permission set for the worker diff --git a/cli/ops/testing.rs b/cli/ops/testing.rs index 16544dd98..3a57d307b 100644 --- a/cli/ops/testing.rs +++ b/cli/ops/testing.rs @@ -122,6 +122,9 @@ pub fn op_pledge_test_permissions( let worker_permissions = create_child_permissions(parent_permissions, args)?; let parent_permissions = parent_permissions.clone(); + if state.try_take::<PermissionsHolder>().is_some() { + panic!("pledge test permissions called before restoring previous pledge"); + } state.put::<PermissionsHolder>(PermissionsHolder(token, parent_permissions)); // NOTE: This call overrides current permission set for the worker diff --git a/cli/tests/integration/bench_tests.rs b/cli/tests/integration/bench_tests.rs index 2df08bdb5..7b4fbb0a5 100644 --- a/cli/tests/integration/bench_tests.rs +++ b/cli/tests/integration/bench_tests.rs @@ -1,6 +1,7 @@ // Copyright 2018-2022 the Deno authors. All rights reserved. MIT license. use crate::itest; +use test_util as util; itest!(requires_unstable { args: "bench bench/requires_unstable.js", @@ -139,3 +140,21 @@ itest!(no_prompt_with_denied_perms { exit_code: 1, output: "bench/no_prompt_with_denied_perms.out", }); + +#[test] +fn recursive_permissions_pledge() { + let output = util::deno_cmd() + .current_dir(util::testdata_path()) + .arg("bench") + .arg("--unstable") + .arg("bench/recursive_permissions_pledge.js") + .stderr(std::process::Stdio::piped()) + .spawn() + .unwrap() + .wait_with_output() + .unwrap(); + assert!(!output.status.success()); + assert!(String::from_utf8(output.stderr).unwrap().contains( + "pledge test permissions called before restoring previous pledge" + )); +} diff --git a/cli/tests/integration/test_tests.rs b/cli/tests/integration/test_tests.rs index 6a0d5c1ab..bac50f16d 100644 --- a/cli/tests/integration/test_tests.rs +++ b/cli/tests/integration/test_tests.rs @@ -298,3 +298,21 @@ itest!(no_prompt_with_denied_perms { exit_code: 1, output: "test/no_prompt_with_denied_perms.out", }); + +#[test] +fn recursive_permissions_pledge() { + let output = util::deno_cmd() + .current_dir(util::testdata_path()) + .arg("test") + .arg("test/recursive_permissions_pledge.js") + .stderr(std::process::Stdio::piped()) + .stdout(std::process::Stdio::piped()) + .spawn() + .unwrap() + .wait_with_output() + .unwrap(); + assert!(!output.status.success()); + assert!(String::from_utf8(output.stderr).unwrap().contains( + "pledge test permissions called before restoring previous pledge" + )); +} diff --git a/cli/tests/testdata/bench/recursive_permissions_pledge.js b/cli/tests/testdata/bench/recursive_permissions_pledge.js new file mode 100644 index 000000000..dcdcbf574 --- /dev/null +++ b/cli/tests/testdata/bench/recursive_permissions_pledge.js @@ -0,0 +1,8 @@ +Deno.core.opSync( + "op_pledge_test_permissions", + "none", +); +Deno.core.opSync( + "op_pledge_test_permissions", + "inherit", +); diff --git a/cli/tests/testdata/test/recursive_permissions_pledge.js b/cli/tests/testdata/test/recursive_permissions_pledge.js new file mode 100644 index 000000000..dcdcbf574 --- /dev/null +++ b/cli/tests/testdata/test/recursive_permissions_pledge.js @@ -0,0 +1,8 @@ +Deno.core.opSync( + "op_pledge_test_permissions", + "none", +); +Deno.core.opSync( + "op_pledge_test_permissions", + "inherit", +); |