authorBartek IwaƄczuk <biwanczuk@gmail.com>2024-09-26 02:50:54 +0100
committerGitHub <noreply@github.com>2024-09-26 01:50:54 +0000
commit5504acea6751480f1425c88353ad5d36257bdce7 (patch)
treefa02e6c546eae469aac894bfc71600ab4eccad28 /cli/file_fetcher.rs
parent05415bb9de475aa8646985a545f30fe93136207e (diff)
feat: add `--allow-import` flag (#25469)
This replaces `--allow-net` for import permissions and makes the security sandbox stricter by also checking permissions for statically analyzable imports. By default, this has a value of `--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`, but that can be overridden by providing a different set of hosts. Additionally, when no value is provided, import permissions are inferred from the CLI arguments so the following works because `fresh.deno.dev:443` will be added to the list of allowed imports: ```ts deno run -A -r https://fresh.deno.dev ``` --------- Co-authored-by: David Sherret <dsherret@gmail.com>
Diffstat (limited to 'cli/file_fetcher.rs')
-rw-r--r--cli/file_fetcher.rs48
1 files changed, 19 insertions, 29 deletions
diff --git a/cli/file_fetcher.rs b/cli/file_fetcher.rs
index 2f4b0b3dc..ca1144939 100644
--- a/cli/file_fetcher.rs
+++ b/cli/file_fetcher.rs
@@ -23,6 +23,7 @@ use deno_graph::source::LoaderChecksum;
use deno_runtime::deno_permissions::PermissionsContainer;
use deno_runtime::deno_web::BlobStore;
+use deno_runtime::fs_util::specifier_to_file_path;
use log::debug;
use std::borrow::Cow;
use std::collections::HashMap;
@@ -135,7 +136,7 @@ impl MemoryFiles {
/// Fetch a source file from the local file system.
fn fetch_local(specifier: &ModuleSpecifier) -> Result<File, AnyError> {
- let local = specifier.to_file_path().map_err(|_| {
+ let local = specifier_to_file_path(specifier).map_err(|_| {
uri_error(format!("Invalid file path.\n Specifier: {specifier}"))
})?;
// If it doesnt have a extension, we want to treat it as typescript by default
@@ -173,30 +174,8 @@ fn get_validated_scheme(
#[derive(Debug, Copy, Clone)]
pub enum FetchPermissionsOptionRef<'a> {
AllowAll,
- Container(&'a PermissionsContainer),
-}
-
-#[derive(Debug, Clone)]
-pub enum FetchPermissionsOption {
- AllowAll,
- Container(PermissionsContainer),
-}
-
-impl FetchPermissionsOption {
- pub fn as_ref(&self) -> FetchPermissionsOptionRef {
- match self {
- FetchPermissionsOption::AllowAll => FetchPermissionsOptionRef::AllowAll,
- FetchPermissionsOption::Container(container) => {
- FetchPermissionsOptionRef::Container(container)
- }
- }
- }
-}
-
-impl From<PermissionsContainer> for FetchPermissionsOption {
- fn from(value: PermissionsContainer) -> Self {
- Self::Container(value)
- }
+ DynamicContainer(&'a PermissionsContainer),
+ StaticContainer(&'a PermissionsContainer),
}
pub struct FetchOptions<'a> {
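Review bot: The new variants `DynamicContainer` and `StaticContainer` both wrap the same `&'a PermissionsContainer` and carry no doc comments, so nothing at the definition tells a caller which one to pass. Picking the wrong one still compiles and silently applies the other kind of import check. From the match later in this file, the variant only selects the `CheckSpecifierKind` handed to `check_specifier`. I would add `/// Check the specifier as a dynamic import (CheckSpecifierKind::Dynamic).` and `/// Check the specifier as a statically analyzable import (CheckSpecifierKind::Static).` above the respective variants. A line on `AllowAll` stating that it skips the permission check entirely would also help.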
@@ -564,7 +543,6 @@ impl FileFetcher {
}
/// Fetch a source file and asynchronously return it.
- #[allow(dead_code)] // todo(25469): undo when merging
#[inline(always)]
pub async fn fetch(
&self,
@@ -572,7 +550,10 @@ impl FileFetcher {
permissions: &PermissionsContainer,
) -> Result<File, AnyError> {
self
- .fetch_inner(specifier, FetchPermissionsOptionRef::Container(permissions))
+ .fetch_inner(
+ specifier,
+ FetchPermissionsOptionRef::StaticContainer(permissions),
+ )
.await
}
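Review bot: `fetch` now always passes `FetchPermissionsOptionRef::StaticContainer`, but its doc comment still reads only "Fetch a source file and asynchronously return it." That comment and the start of the signature sit in the previous hunk. A caller that routes a dynamic import through this method gets the static-import check; how the two kinds differ inside `check_specifier` is not visible on this page, so the contract should be stated where callers read it. Suggest adding a doc line such as `/// The specifier is permission-checked as a statically analyzable import (CheckSpecifierKind::Static).` and pointing dynamic-import callers to whichever entry point accepts `FetchOptions`.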
@@ -647,8 +628,17 @@ impl FileFetcher {
FetchPermissionsOptionRef::AllowAll => {
// allow
}
- FetchPermissionsOptionRef::Container(permissions) => {
- permissions.check_specifier(specifier)?;
+ FetchPermissionsOptionRef::StaticContainer(permissions) => {
+ permissions.check_specifier(
+ specifier,
+ deno_runtime::deno_permissions::CheckSpecifierKind::Static,
+ )?;
+ }
+ FetchPermissionsOptionRef::DynamicContainer(permissions) => {
+ permissions.check_specifier(
+ specifier,
+ deno_runtime::deno_permissions::CheckSpecifierKind::Dynamic,
+ )?;
}
}
if let Some(file) = self.memory_files.get(specifier) {
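Review bot: The two container arms are identical apart from the `CheckSpecifierKind`, and both spell out `deno_runtime::deno_permissions::CheckSpecifierKind` in full although `PermissionsContainer` is already imported from that module at the top of the file. Adding `use deno_runtime::deno_permissions::CheckSpecifierKind;` lets each arm fit on one line, e.g. `permissions.check_specifier(specifier, CheckSpecifierKind::Static)?;`. Separately, the check runs before the `self.memory_files.get(specifier)` lookup that follows, so in-memory files are gated as well. A short comment such as `// check permissions before any lookup, including in-memory files` would protect that ordering from an accidental reorder. The enclosing function starts and ends outside this hunk.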