diff options
| author | David Sherret <dsherret@users.noreply.github.com> | 2024-10-03 11:05:46 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-10-03 10:05:46 +0000 |
| commit | ac73b1042b4dda6416ad82d5468c57de6d53d038 (patch) | |
| tree | a86ab00b1d52c3b3a59c2e6d84d58165b3623a5f /cli/args | |
| parent | f5caf9dd1b0f612e2a03e802d4dca41cb13a006b (diff) | |
feat(permissions): allow importing from cdn.jsdelivr.net by default (#26013)
The exploit `--allow-import` is preventing against requires a
compromised host. To make things easier and given its popularity, we're
going to have the default `--allow-import` value include
`cdn.jsdelivr.net:443`, but this can be overridden by replacing the
`--allow-import` value with something else.
Diffstat (limited to 'cli/args')
| -rw-r--r-- | cli/args/flags.rs | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/cli/args/flags.rs b/cli/args/flags.rs index a4dcb9e91..06ce50783 100644 --- a/cli/args/flags.rs +++ b/cli/args/flags.rs @@ -696,9 +696,10 @@ impl PermissionFlags { } let builtin_allowed_import_hosts = [ + "jsr.io:443", "deno.land:443", "esm.sh:443", - "jsr.io:443", + "cdn.jsdelivr.net:443", "raw.githubusercontent.com:443", "gist.githubusercontent.com:443", ]; @@ -3261,7 +3262,7 @@ fn permission_args(app: Command, requires: Option<&'static str>) -> Command { <g>-W, --allow-write[=<<PATH>...]</> Allow file system write access. Optionally specify allowed paths. <p(245)>--allow-write | --allow-write="/etc,/var/log.txt"</> <g>-I, --allow-import[=<<IP_OR_HOSTNAME>...]</> Allow importing from remote hosts. Optionally specify allowed IP addresses and host names, with ports as necessary. - Default value: <p(245)>deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,user.githubusercontent.com:443</> + Default value: <p(245)>deno.land:443,jsr.io:443,esm.sh:443,cdn.jsdelivr.net:443,raw.githubusercontent.com:443,user.githubusercontent.com:443</> <p(245)>--allow-import | --allow-import="example.com,github.com"</> <g>-N, --allow-net[=<<IP_OR_HOSTNAME>...]</> Allow network access. Optionally specify allowed IP addresses and host names, with ports as necessary. <p(245)>--allow-net | --allow-net="localhost:8080,deno.land"</> @@ -3671,7 +3672,7 @@ fn allow_import_arg() -> Arg { .require_equals(true) .value_name("IP_OR_HOSTNAME") .help(cstr!( - "Allow importing from remote hosts. Optionally specify allowed IP addresses and host names, with ports as necessary. Default value: <p(245)>deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,user.githubusercontent.com:443</>" + "Allow importing from remote hosts. Optionally specify allowed IP addresses and host names, with ports as necessary. Default value: <p(245)>deno.land:443,jsr.io:443,esm.sh:443,cdn.jsdelivr.net:443,raw.githubusercontent.com:443,user.githubusercontent.com:443</>" )) .value_parser(flags_net::validator) } |