author | Bartek IwaĆczuk <biwanczuk@gmail.com> | 2024-09-26 02:50:54 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-26 01:50:54 +0000 |
commit | 5504acea6751480f1425c88353ad5d36257bdce7 (patch) | |
tree | fa02e6c546eae469aac894bfc71600ab4eccad28 /cli/tools/serve.rs | |
parent | 05415bb9de475aa8646985a545f30fe93136207e (diff) |
feat: add `--allow-import` flag (#25469)
This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.
By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.
Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:
```ts
deno run -A -r https://fresh.deno.dev
```
---------
Co-authored-by: David Sherret <dsherret@gmail.com>
Diffstat (limited to 'cli/tools/serve.rs')
-rw-r--r-- | cli/tools/serve.rs | 17 |
1 files changed, 3 insertions, 14 deletions
diff --git a/cli/tools/serve.rs b/cli/tools/serve.rs
index 2f553cf1e..4ce1cad6f 100644
--- a/cli/tools/serve.rs
+++ b/cli/tools/serve.rs
@@ -5,7 +5,6 @@ use std::sync::Arc;
 use deno_core::error::AnyError;
 use deno_core::futures::TryFutureExt;
 use deno_core::ModuleSpecifier;
-use deno_runtime::deno_permissions::PermissionsContainer;
 use super::run::check_permission_before_script;
 use super::run::maybe_npm_install;
@@ -44,13 +43,11 @@ pub async fn serve(
 maybe_npm_install(&factory).await?;
- let permissions = factory.create_permissions_container()?;
 let worker_factory = factory.create_cli_main_worker_factory().await?;
 do_serve(
 worker_factory,
- main_module,
- permissions,
+ main_module.clone(),
 serve_flags.worker_count,
 false,
 )
@@ -60,7 +57,6 @@ pub async fn serve(
 async fn do_serve(
 worker_factory: CliMainWorkerFactory,
 main_module: ModuleSpecifier,
- permissions: PermissionsContainer,
 worker_count: Option<usize>,
 hmr: bool,
 ) -> Result<i32, AnyError> {
@@ -71,7 +67,6 @@ async fn do_serve(
 worker_count,
 },
 main_module.clone(),
- permissions.clone(),
 )
 .await?;
 let worker_count = match worker_count {
@@ -87,15 +82,13 @@ async fn do_serve(
 for i in 0..extra_workers {
 let worker_factory = worker_factory.clone();
 let main_module = main_module.clone();
- let permissions = permissions.clone();
 let (tx, rx) = tokio::sync::oneshot::channel();
 channels.push(rx);
 std::thread::Builder::new()
 .name(format!("serve-worker-{i}"))
 .spawn(move || {
 deno_runtime::tokio_util::create_and_run_current_thread(async move {
- let result =
- run_worker(i, worker_factory, main_module, permissions, hmr).await;
+ let result = run_worker(i, worker_factory, main_module, hmr).await;
 let _ = tx.send(result);
 });
 })?;
@@ -124,7 +117,6 @@ async fn run_worker(
 worker_count: usize,
 worker_factory: CliMainWorkerFactory,
 main_module: ModuleSpecifier,
- permissions: PermissionsContainer,
 hmr: bool,
 ) -> Result<i32, AnyError> {
 let mut worker = worker_factory
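Review bot: After this change nothing in `cli/tools/serve.rs` shows which permission set a `serve-worker-{i}` thread runs under: the `for i in 0..extra_workers` loop in `do_serve` now hands each thread only a clone of `worker_factory`, where it used to pass a clone of the single `PermissionsContainer` built in `serve`. Presumably the factory now supplies the permissions, but that code is outside this diff, so it should be confirmed that every worker (and every restart in `serve_with_watch`) gets the same flag-derived set rather than a fresh or broader one. I would document that at the worker-creation call on `worker_factory` in `do_serve`, e.g. `// Permissions are supplied by worker_factory; all serve workers must share the same root permission set.` The `run_worker` and `serve_with_watch` hunks further down are affected the same way, and `do_serve` starts and ends outside these hunks.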
@@ -134,7 +126,6 @@ async fn run_worker(
 worker_count: Some(worker_count),
 },
 main_module,
- permissions,
 )
 .await?;
 if hmr {
@@ -171,11 +162,9 @@ async fn serve_with_watch(
 maybe_npm_install(&factory).await?;
 let _ = watcher_communicator.watch_paths(cli_options.watch_paths());
-
- let permissions = factory.create_permissions_container()?;
 let worker_factory = factory.create_cli_main_worker_factory().await?;
- do_serve(worker_factory, main_module, permissions, worker_count, hmr)
+ do_serve(worker_factory, main_module.clone(), worker_count, hmr)
 .await?;
 Ok(()) |