feat(permissions): allow env permission to take values (#9825)

author: crowlKats <13135287+crowlKats@users.noreply.github.com> 2021-04-13 13:25:21 +0200
committer: GitHub <noreply@github.com> 2021-04-13 13:25:21 +0200
commit: 8b59d9f7bc2ce4aa33b6b8ac41495c62d3791f3c (patch)
tree: 2dbbd97062244f65145e917ee6025e5ac595675a /cli/flags.rs
parent: ec1fce58d93de61462ddf0c9e9c58e6e844d2230 (diff)
1 files changed, 97 insertions, 18 deletions
diff --git a/cli/flags.rs b/cli/flags.rs
index 5feb46371..900214701 100644
--- a/cli/flags.rs
+++ b/cli/flags.rs
@@ -128,7 +128,7 @@ pub struct Flags {
   pub argv: Vec<String>,
   pub subcommand: DenoSubcommand,
 
-  pub allow_env: bool,
+  pub allow_env: Option<Vec<String>>,
   pub allow_hrtime: bool,
   pub allow_net: Option<Vec<String>>,
   pub allow_plugin: bool,
@@ -207,8 +207,15 @@ impl Flags {
       _ => {}
     }
 
-    if self.allow_env {
-      args.push("--allow-env".to_string());
+    match &self.allow_env {
+      Some(env_allowlist) if env_allowlist.is_empty() => {
+        args.push("--allow-env".to_string());
+      }
+      Some(env_allowlist) => {
+        let s = format!("--allow-env={}", env_allowlist.join(","));
+        args.push(s);
+      }
+      _ => {}
     }
 
     match &self.allow_run {
@@ -527,7 +534,7 @@ fn repl_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
   flags.repl = true;
   flags.subcommand = DenoSubcommand::Repl;
   flags.allow_net = Some(vec![]);
-  flags.allow_env = true;
+  flags.allow_env = Some(vec![]);
   flags.allow_run = Some(vec![]);
   flags.allow_read = Some(vec![]);
   flags.allow_write = Some(vec![]);
@@ -538,7 +545,7 @@ fn repl_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
 fn eval_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
   runtime_args_parse(flags, matches, false, true);
   flags.allow_net = Some(vec![]);
-  flags.allow_env = true;
+  flags.allow_env = Some(vec![]);
   flags.allow_run = Some(vec![]);
   flags.allow_read = Some(vec![]);
   flags.allow_write = Some(vec![]);
@@ -1402,7 +1409,19 @@ fn permission_args<'a, 'b>(app: App<'a, 'b>) -> App<'a, 'b> {
     .arg(
       Arg::with_name("allow-env")
         .long("allow-env")
-        .help("Allow environment access"),
+        .min_values(0)
+        .takes_value(true)
+        .use_delimiter(true)
+        .require_equals(true)
+        .help("Allow environment access")
+        .validator(|keys| {
+          for key in keys.split(',') {
+            if key.is_empty() || key.contains(&['=', '\0'] as &[char]) {
+              return Err(format!("invalid key \"{}\"", key));
+            }
+          }
+          Ok(())
+        }),
     )
     .arg(
       Arg::with_name("allow-run")
@@ -1826,15 +1845,26 @@ fn permission_args_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
     debug!("net allowlist: {:#?}", &flags.allow_net);
   }
 
+  if let Some(env_wl) = matches.values_of("allow-env") {
+    let env_allowlist: Vec<String> = env_wl
+      .map(|env: &str| {
+        if cfg!(windows) {
+          env.to_uppercase()
+        } else {
+          env.to_string()
+        }
+      })
+      .collect();
+    flags.allow_env = Some(env_allowlist);
+    debug!("env allowlist: {:#?}", &flags.allow_env);
+  }
+
   if let Some(run_wl) = matches.values_of("allow-run") {
     let run_allowlist: Vec<String> = run_wl.map(ToString::to_string).collect();
     flags.allow_run = Some(run_allowlist);
     debug!("run allowlist: {:#?}", &flags.allow_run);
   }
 
-  if matches.is_present("allow-env") {
-    flags.allow_env = true;
-  }
   if matches.is_present("allow-plugin") {
     flags.allow_plugin = true;
   }
@@ -1843,7 +1873,7 @@ fn permission_args_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
   }
   if matches.is_present("allow-all") {
     flags.allow_read = Some(vec![]);
-    flags.allow_env = true;
+    flags.allow_env = Some(vec![]);
     flags.allow_net = Some(vec![]);
     flags.allow_run = Some(vec![]);
     flags.allow_write = Some(vec![]);
@@ -2054,7 +2084,7 @@ mod tests {
           script: "gist.ts".to_string(),
         },
         allow_net: Some(vec![]),
-        allow_env: true,
+        allow_env: Some(vec![]),
         allow_run: Some(vec![]),
         allow_read: Some(vec![]),
         allow_write: Some(vec![]),
@@ -2426,7 +2456,7 @@ mod tests {
           ext: "js".to_string(),
         },
         allow_net: Some(vec![]),
-        allow_env: true,
+        allow_env: Some(vec![]),
         allow_run: Some(vec![]),
         allow_read: Some(vec![]),
         allow_write: Some(vec![]),
@@ -2449,7 +2479,7 @@ mod tests {
           ext: "js".to_string(),
         },
         allow_net: Some(vec![]),
-        allow_env: true,
+        allow_env: Some(vec![]),
         allow_run: Some(vec![]),
         allow_read: Some(vec![]),
         allow_write: Some(vec![]),
@@ -2473,7 +2503,7 @@ mod tests {
           ext: "ts".to_string(),
         },
         allow_net: Some(vec![]),
-        allow_env: true,
+        allow_env: Some(vec![]),
         allow_run: Some(vec![]),
         allow_read: Some(vec![]),
         allow_write: Some(vec![]),
@@ -2510,7 +2540,7 @@ mod tests {
         seed: Some(1),
         inspect: Some("127.0.0.1:9229".parse().unwrap()),
         allow_net: Some(vec![]),
-        allow_env: true,
+        allow_env: Some(vec![]),
         allow_run: Some(vec![]),
         allow_read: Some(vec![]),
         allow_write: Some(vec![]),
@@ -2540,7 +2570,7 @@ mod tests {
         },
         argv: svec!["arg1", "arg2"],
         allow_net: Some(vec![]),
-        allow_env: true,
+        allow_env: Some(vec![]),
         allow_run: Some(vec![]),
         allow_read: Some(vec![]),
         allow_write: Some(vec![]),
@@ -2560,7 +2590,7 @@ mod tests {
         repl: true,
         subcommand: DenoSubcommand::Repl,
         allow_net: Some(vec![]),
-        allow_env: true,
+        allow_env: Some(vec![]),
         allow_run: Some(vec![]),
         allow_read: Some(vec![]),
         allow_write: Some(vec![]),
@@ -2594,7 +2624,7 @@ mod tests {
         seed: Some(1),
         inspect: Some("127.0.0.1:9229".parse().unwrap()),
         allow_net: Some(vec![]),
-        allow_env: true,
+        allow_env: Some(vec![]),
         allow_run: Some(vec![]),
         allow_read: Some(vec![]),
         allow_write: Some(vec![]),
@@ -2672,6 +2702,55 @@ mod tests {
   }
 
   #[test]
+  fn allow_env_allowlist() {
+    let r =
+      flags_from_vec(svec!["deno", "run", "--allow-env=HOME", "script.ts"]);
+    assert_eq!(
+      r.unwrap(),
+      Flags {
+        subcommand: DenoSubcommand::Run {
+          script: "script.ts".to_string(),
+        },
+        allow_env: Some(svec!["HOME"]),
+        ..Flags::default()
+      }
+    );
+  }
+
+  #[test]
+  fn allow_env_allowlist_multiple() {
+    let r = flags_from_vec(svec![
+      "deno",
+      "run",
+      "--allow-env=HOME,PATH",
+      "script.ts"
+    ]);
+    assert_eq!(
+      r.unwrap(),
+      Flags {
+        subcommand: DenoSubcommand::Run {
+          script: "script.ts".to_string(),
+        },
+        allow_env: Some(svec!["HOME", "PATH"]),
+        ..Flags::default()
+      }
+    );
+  }
+
+  #[test]
+  fn allow_env_allowlist_validator() {
+    let r =
+      flags_from_vec(svec!["deno", "run", "--allow-env=HOME", "script.ts"]);
+    assert!(r.is_ok());
+    let r =
+      flags_from_vec(svec!["deno", "run", "--allow-env=H=ME", "script.ts"]);
+    assert!(r.is_err());
+    let r =
+      flags_from_vec(svec!["deno", "run", "--allow-env=H\0ME", "script.ts"]);
+    assert!(r.is_err());
+  }
+
+  #[test]
   fn bundle() {
     let r = flags_from_vec(svec!["deno", "bundle", "source.ts"]);
     assert_eq!(
author	crowlKats <13135287+crowlKats@users.noreply.github.com>	2021-04-13 13:25:21 +0200
committer	GitHub <noreply@github.com>	2021-04-13 13:25:21 +0200
commit	8b59d9f7bc2ce4aa33b6b8ac41495c62d3791f3c (patch)
tree	2dbbd97062244f65145e917ee6025e5ac595675a /cli/flags.rs
parent	ec1fce58d93de61462ddf0c9e9c58e6e844d2230 (diff)