authorBartek IwaƄczuk <biwanczuk@gmail.com>2024-09-26 02:50:54 +0100
committerGitHub <noreply@github.com>2024-09-26 01:50:54 +0000
commit5504acea6751480f1425c88353ad5d36257bdce7 (patch)
treefa02e6c546eae469aac894bfc71600ab4eccad28 /cli/worker.rs
parent05415bb9de475aa8646985a545f30fe93136207e (diff)
feat: add `--allow-import` flag (#25469)
This replaces `--allow-net` for import permissions and makes the security sandbox stricter by also checking permissions for statically analyzable imports. By default, this has a value of `--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`, but that can be overridden by providing a different set of hosts. Additionally, when no value is provided, import permissions are inferred from the CLI arguments so the following works because `fresh.deno.dev:443` will be added to the list of allowed imports: ```ts deno run -A -r https://fresh.deno.dev ``` --------- Co-authored-by: David Sherret <dsherret@gmail.com>
Diffstat (limited to 'cli/worker.rs')
-rw-r--r--cli/worker.rs21
1 files changed, 9 insertions, 12 deletions
diff --git a/cli/worker.rs b/cli/worker.rs
index 6176398d5..861419f1e 100644
--- a/cli/worker.rs
+++ b/cli/worker.rs
@@ -62,13 +62,12 @@ pub trait ModuleLoaderFactory: Send + Sync {
fn create_for_main(
&self,
root_permissions: PermissionsContainer,
- dynamic_permissions: PermissionsContainer,
) -> ModuleLoaderAndSourceMapGetter;
fn create_for_worker(
&self,
- root_permissions: PermissionsContainer,
- dynamic_permissions: PermissionsContainer,
+ parent_permissions: PermissionsContainer,
+ permissions: PermissionsContainer,
) -> ModuleLoaderAndSourceMapGetter;
}
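Review bot: `create_for_worker` takes two adjacent `PermissionsContainer` arguments, `parent_permissions` and `permissions`, and neither trait method documents which container gates which module loads. Both arguments have the same type, so a call site or implementer that swaps them still compiles, and the rename from `root_permissions`/`dynamic_permissions` changes what each position means for existing implementations. I would add a doc comment to each method, for example `/// parent_permissions: container of the spawning worker; permissions: container the new worker's own imports are checked against.`, with the wording confirmed against the implementations, which this hunk does not show. The trait definition starts above the hunk.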
@@ -136,6 +135,7 @@ struct SharedWorkerState {
npm_resolver: Arc<dyn CliNpmResolver>,
permission_desc_parser: Arc<RuntimePermissionDescriptorParser>,
root_cert_store_provider: Arc<dyn RootCertStoreProvider>,
+ root_permissions: PermissionsContainer,
shared_array_buffer_store: SharedArrayBufferStore,
storage_key_resolver: StorageKeyResolver,
options: CliMainWorkerOptions,
@@ -432,6 +432,7 @@ impl CliMainWorkerFactory {
npm_resolver: Arc<dyn CliNpmResolver>,
permission_parser: Arc<RuntimePermissionDescriptorParser>,
root_cert_store_provider: Arc<dyn RootCertStoreProvider>,
+ root_permissions: PermissionsContainer,
storage_key_resolver: StorageKeyResolver,
subcommand: DenoSubcommand,
options: CliMainWorkerOptions,
@@ -452,6 +453,7 @@ impl CliMainWorkerFactory {
npm_resolver,
permission_desc_parser: permission_parser,
root_cert_store_provider,
+ root_permissions,
shared_array_buffer_store: Default::default(),
storage_key_resolver,
options,
@@ -464,13 +466,12 @@ impl CliMainWorkerFactory {
&self,
mode: WorkerExecutionMode,
main_module: ModuleSpecifier,
- permissions: PermissionsContainer,
) -> Result<CliMainWorker, AnyError> {
self
.create_custom_worker(
mode,
main_module,
- permissions,
+ self.shared.root_permissions.clone(),
vec![],
Default::default(),
)
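Review bot: This method, whose signature line is above the hunk, no longer accepts a `permissions` argument, so every worker created through it runs with `self.shared.root_permissions.clone()`, and nothing in the code states that. If `PermissionsContainer::clone()` hands out a shared handle rather than an independent copy (not visible here), a runtime grant or revoke in one main worker would also apply to every other worker built from the same factory. I would record the contract in a doc comment such as `/// Runs with the factory's root permissions; use create_custom_worker to supply a different container.`, and state the clone semantics there once confirmed.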
@@ -530,13 +531,9 @@ impl CliMainWorkerFactory {
(main_module, is_cjs)
};
- let ModuleLoaderAndSourceMapGetter { module_loader } =
- shared.module_loader_factory.create_for_main(
- PermissionsContainer::allow_all(
- self.shared.permission_desc_parser.clone(),
- ),
- permissions.clone(),
- );
+ let ModuleLoaderAndSourceMapGetter { module_loader } = shared
+ .module_loader_factory
+ .create_for_main(permissions.clone());
let maybe_inspector_server = shared.maybe_inspector_server.clone();
let create_web_worker_cb =
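Review bot: The main module loader is now built from the local `permissions` value, which appears to be the caller-supplied argument of the custom-worker constructor, while the trait parameter it feeds is named `root_permissions`. For a custom worker that value can differ from `shared.root_permissions`, and the code does not say which is intended. Dropping the `PermissionsContainer::allow_all(...)` argument is the line that puts statically analyzable imports under permission checks, so it deserves a short comment such as `// No allow_all fallback: static and dynamic imports are both checked against this worker's permissions.`. It also deserves a regression test showing that a static import from a host outside the `--allow-import` list is rejected while an allowed host still loads. The enclosing function starts and ends outside the hunk.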