diff options
| author | Bartek IwaĆczuk <biwanczuk@gmail.com> | 2024-09-26 02:50:54 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-26 01:50:54 +0000 |
| commit | 5504acea6751480f1425c88353ad5d36257bdce7 (patch) | |
| tree | fa02e6c546eae469aac894bfc71600ab4eccad28 /cli/factory.rs | |
| parent | 05415bb9de475aa8646985a545f30fe93136207e (diff) | |
feat: add `--allow-import` flag (#25469)
This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.
By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.
Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:
```ts
deno run -A -r https://fresh.deno.dev
```
---------
Co-authored-by: David Sherret <dsherret@gmail.com>
Diffstat (limited to 'cli/factory.rs')
| -rw-r--r-- | cli/factory.rs | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/cli/factory.rs b/cli/factory.rs index 0f49546d0..8aea635d2 100644 --- a/cli/factory.rs +++ b/cli/factory.rs @@ -185,6 +185,7 @@ struct CliFactoryServices { node_resolver: Deferred<Arc<NodeResolver>>, npm_resolver: Deferred<Arc<dyn CliNpmResolver>>, permission_desc_parser: Deferred<Arc<RuntimePermissionDescriptorParser>>, + root_permissions_container: Deferred<PermissionsContainer>, sloppy_imports_resolver: Deferred<Option<Arc<SloppyImportsResolver>>>, text_only_progress_bar: Deferred<ProgressBar>, type_checker: Deferred<Arc<TypeChecker>>, @@ -626,6 +627,7 @@ impl CliFactory { self.maybe_file_watcher_reporter().clone(), self.file_fetcher()?.clone(), self.global_http_cache()?.clone(), + self.root_permissions_container()?.clone(), ))) }) .await @@ -659,6 +661,7 @@ impl CliFactory { Ok(Arc::new(MainModuleGraphContainer::new( self.cli_options()?.clone(), self.module_load_preparer().await?.clone(), + self.root_permissions_container()?.clone(), ))) }) .await @@ -755,15 +758,20 @@ impl CliFactory { )) } - pub fn create_permissions_container( + pub fn root_permissions_container( &self, - ) -> Result<PermissionsContainer, AnyError> { - let desc_parser = self.permission_desc_parser()?.clone(); - let permissions = Permissions::from_options( - desc_parser.as_ref(), - &self.cli_options()?.permissions_options(), - )?; - Ok(PermissionsContainer::new(desc_parser, permissions)) + ) -> Result<&PermissionsContainer, AnyError> { + self + .services + .root_permissions_container + .get_or_try_init(|| { + let desc_parser = self.permission_desc_parser()?.clone(); + let permissions = Permissions::from_options( + desc_parser.as_ref(), + &self.cli_options()?.permissions_options(), + )?; + Ok(PermissionsContainer::new(desc_parser, permissions)) + }) } pub async fn create_cli_main_worker_factory( @@ -816,6 +824,7 @@ impl CliFactory { npm_resolver.clone(), self.permission_desc_parser()?.clone(), self.root_cert_store_provider().clone(), + self.root_permissions_container()?.clone(), StorageKeyResolver::from_options(cli_options), cli_options.sub_command().clone(), self.create_cli_main_worker_options()?, |