diff options
| author | Bartek IwaĆczuk <biwanczuk@gmail.com> | 2024-09-26 02:50:54 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-26 01:50:54 +0000 |
| commit | 5504acea6751480f1425c88353ad5d36257bdce7 (patch) | |
| tree | fa02e6c546eae469aac894bfc71600ab4eccad28 /cli/tools/run/mod.rs | |
| parent | 05415bb9de475aa8646985a545f30fe93136207e (diff) | |
feat: add `--allow-import` flag (#25469)
This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.
By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.
Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:
```ts
deno run -A -r https://fresh.deno.dev
```
---------
Co-authored-by: David Sherret <dsherret@gmail.com>
Diffstat (limited to 'cli/tools/run/mod.rs')
| -rw-r--r-- | cli/tools/run/mod.rs | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/cli/tools/run/mod.rs b/cli/tools/run/mod.rs index 200644490..152e2650b 100644 --- a/cli/tools/run/mod.rs +++ b/cli/tools/run/mod.rs @@ -60,10 +60,9 @@ pub async fn run_script( maybe_npm_install(&factory).await?; - let permissions = factory.create_permissions_container()?; let worker_factory = factory.create_cli_main_worker_factory().await?; let mut worker = worker_factory - .create_main_worker(mode, main_module, permissions) + .create_main_worker(mode, main_module.clone()) .await?; let exit_code = worker.run().await?; @@ -79,7 +78,6 @@ pub async fn run_from_stdin(flags: Arc<Flags>) -> Result<i32, AnyError> { let file_fetcher = factory.file_fetcher()?; let worker_factory = factory.create_cli_main_worker_factory().await?; - let permissions = factory.create_permissions_container()?; let mut source = Vec::new(); std::io::stdin().read_to_end(&mut source)?; // Save a fake file into file fetcher cache @@ -91,7 +89,7 @@ pub async fn run_from_stdin(flags: Arc<Flags>) -> Result<i32, AnyError> { }); let mut worker = worker_factory - .create_main_worker(WorkerExecutionMode::Run, main_module, permissions) + .create_main_worker(WorkerExecutionMode::Run, main_module.clone()) .await?; let exit_code = worker.run().await?; Ok(exit_code) @@ -125,11 +123,10 @@ async fn run_with_watch( let _ = watcher_communicator.watch_paths(cli_options.watch_paths()); - let permissions = factory.create_permissions_container()?; let mut worker = factory .create_cli_main_worker_factory() .await? - .create_main_worker(mode, main_module, permissions) + .create_main_worker(mode, main_module.clone()) .await?; if watch_flags.hmr { @@ -173,10 +170,9 @@ pub async fn eval_command( source: source_code.into_bytes().into(), }); - let permissions = factory.create_permissions_container()?; let worker_factory = factory.create_cli_main_worker_factory().await?; let mut worker = worker_factory - .create_main_worker(WorkerExecutionMode::Eval, main_module, permissions) + .create_main_worker(WorkerExecutionMode::Eval, main_module.clone()) .await?; let exit_code = worker.run().await?; Ok(exit_code) |