authorBartek IwaƄczuk <biwanczuk@gmail.com>2020-05-11 13:13:27 +0200
committerGitHub <noreply@github.com>2020-05-11 13:13:27 +0200
commit32aeec9630dc91162f0408b95dd86e1c26e4c1d3 (patch)
treef93d8e6b665df0c3054dba56973712412916493e /cli/ops
parent0d148c6e80583dfe029d5362f61b92334a22341a (diff)
refactor: check permissions in SourceFileFetcher (#5011)
This PR hot-fixes permission escapes in dynamic imports, workers and runtime compiler APIs. A "permissions" parameter was added to the public APIs of SourceFileFetcher, and the appropriate permission checks are now performed when loading local and remote files.
Diffstat (limited to 'cli/ops')
-rw-r--r--cli/ops/compiler.rs15
-rw-r--r--cli/ops/runtime_compiler.rs12
2 files changed, 21 insertions, 6 deletions
diff --git a/cli/ops/compiler.rs b/cli/ops/compiler.rs
index 83b6d944c..b84401187 100644
--- a/cli/ops/compiler.rs
+++ b/cli/ops/compiler.rs
@@ -69,7 +69,11 @@ fn op_fetch_source_files(
None
};
- let global_state = state.borrow().global_state.clone();
+ let s = state.borrow();
+ let global_state = s.global_state.clone();
+ let permissions = s.permissions.clone();
+ let perms_ = permissions.clone();
+ drop(s);
let file_fetcher = global_state.file_fetcher.clone();
let specifiers = args.specifiers.clone();
let future = async move {
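Review bot: The clones taken at `let permissions = s.permissions.clone();` and `let perms_ = permissions.clone();` are moved into the future with no comment saying they are a snapshot made when the op is dispatched. If `Permissions` clones by value (its definition is not in this hunk), fetches still in flight keep being checked against that snapshot after a later revocation. A line such as `// Permissions are captured when the op is dispatched; in-flight fetches do not observe later changes.` above the clones would make that explicit. `perms_` would also read better with a name that says which future consumes it. op_fetch_source_files starts and ends outside the hunk.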
@@ -78,6 +82,7 @@ fn op_fetch_source_files(
.map(|specifier| {
let file_fetcher_ = file_fetcher.clone();
let ref_specifier_ = ref_specifier.clone();
+ let perms_ = perms_.clone();
async move {
let resolved_specifier = ModuleSpecifier::resolve_url(&specifier)
.expect("Invalid specifier");
@@ -100,7 +105,7 @@ fn op_fetch_source_files(
}
}
file_fetcher_
- .fetch_source_file(&resolved_specifier, ref_specifier_)
+ .fetch_source_file(&resolved_specifier, ref_specifier_, perms_)
.await
}
.boxed_local()
@@ -118,7 +123,11 @@ fn op_fetch_source_files(
let types_specifier = ModuleSpecifier::from(types_url);
global_state
.file_fetcher
- .fetch_source_file(&types_specifier, ref_specifier.clone())
+ .fetch_source_file(
+ &types_specifier,
+ ref_specifier.clone(),
+ permissions.clone(),
+ )
.await
.map_err(OpError::from)?
}
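Review bot: The call `.fetch_source_file(&types_specifier, ref_specifier.clone(), permissions.clone())` fetches a URL that is not one of `args.specifiers`, and nothing at the call site documents that the permission check must cover it as well. Where `types_url` comes from is outside the hunk; if it is derived from the already-fetched file rather than from the caller, this is the fetch where the new check matters most. I would add a comment such as `// types_url is derived, not caller-supplied; it must pass the same permission check.` and a test that a types URL outside the allowed set is rejected. The enclosing block starts outside the hunk.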
diff --git a/cli/ops/runtime_compiler.rs b/cli/ops/runtime_compiler.rs
index e44d6fa8b..f3b741861 100644
--- a/cli/ops/runtime_compiler.rs
+++ b/cli/ops/runtime_compiler.rs
@@ -30,10 +30,13 @@ fn op_compile(
) -> Result<JsonOp, OpError> {
state.check_unstable("Deno.compile");
let args: CompileArgs = serde_json::from_value(args)?;
- let global_state = state.borrow().global_state.clone();
+ let s = state.borrow();
+ let global_state = s.global_state.clone();
+ let permissions = s.permissions.clone();
let fut = async move {
runtime_compile(
global_state,
+ permissions,
&args.root_name,
&args.sources,
args.bundle,
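Review bot: The guard from `let s = state.borrow();` in op_compile is never released before the function returns, while the same pattern in cli/ops/compiler.rs in this commit ends with `drop(s);`. Assuming `state.borrow()` returns a `RefCell` guard, as that `drop(s)` suggests, nothing visible here borrows `state` mutably afterwards, so it does not panic today. Any later `borrow_mut()` added to this function would panic, though. Add `drop(s);` after `let permissions = s.permissions.clone();`, or scope the borrow in a block. The op_transpile hunk below has the same omission. op_compile's body continues outside the hunk.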
@@ -58,9 +61,12 @@ fn op_transpile(
) -> Result<JsonOp, OpError> {
state.check_unstable("Deno.transpile");
let args: TranspileArgs = serde_json::from_value(args)?;
- let global_state = state.borrow().global_state.clone();
+ let s = state.borrow();
+ let global_state = s.global_state.clone();
+ let permissions = s.permissions.clone();
let fut = async move {
- runtime_transpile(global_state, &args.sources, &args.options).await
+ runtime_transpile(global_state, permissions, &args.sources, &args.options)
+ .await
}
.boxed_local();
Ok(JsonOp::Async(fut))