diff options
| author | crowlKats <13135287+crowlKats@users.noreply.github.com> | 2021-04-13 13:25:21 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-04-13 13:25:21 +0200 |
| commit | 8b59d9f7bc2ce4aa33b6b8ac41495c62d3791f3c (patch) | |
| tree | 2dbbd97062244f65145e917ee6025e5ac595675a /cli | |
| parent | ec1fce58d93de61462ddf0c9e9c58e6e844d2230 (diff) | |
feat(permissions): allow env permission to take values (#9825)
Diffstat (limited to 'cli')
| -rw-r--r-- | cli/dts/lib.deno.ns.d.ts | 1 | ||||
| -rw-r--r-- | cli/flags.rs | 115 |
2 files changed, 98 insertions, 18 deletions
diff --git a/cli/dts/lib.deno.ns.d.ts b/cli/dts/lib.deno.ns.d.ts index 9108f6dd6..738d0ba54 100644 --- a/cli/dts/lib.deno.ns.d.ts +++ b/cli/dts/lib.deno.ns.d.ts @@ -2164,6 +2164,7 @@ declare namespace Deno { export interface EnvPermissionDescriptor { name: "env"; + variable?: string; } export interface PluginPermissionDescriptor { diff --git a/cli/flags.rs b/cli/flags.rs index 5feb46371..900214701 100644 --- a/cli/flags.rs +++ b/cli/flags.rs @@ -128,7 +128,7 @@ pub struct Flags { pub argv: Vec<String>, pub subcommand: DenoSubcommand, - pub allow_env: bool, + pub allow_env: Option<Vec<String>>, pub allow_hrtime: bool, pub allow_net: Option<Vec<String>>, pub allow_plugin: bool, @@ -207,8 +207,15 @@ impl Flags { _ => {} } - if self.allow_env { - args.push("--allow-env".to_string()); + match &self.allow_env { + Some(env_allowlist) if env_allowlist.is_empty() => { + args.push("--allow-env".to_string()); + } + Some(env_allowlist) => { + let s = format!("--allow-env={}", env_allowlist.join(",")); + args.push(s); + } + _ => {} } match &self.allow_run { @@ -527,7 +534,7 @@ fn repl_parse(flags: &mut Flags, matches: &clap::ArgMatches) { flags.repl = true; flags.subcommand = DenoSubcommand::Repl; flags.allow_net = Some(vec![]); - flags.allow_env = true; + flags.allow_env = Some(vec![]); flags.allow_run = Some(vec![]); flags.allow_read = Some(vec![]); flags.allow_write = Some(vec![]); @@ -538,7 +545,7 @@ fn repl_parse(flags: &mut Flags, matches: &clap::ArgMatches) { fn eval_parse(flags: &mut Flags, matches: &clap::ArgMatches) { runtime_args_parse(flags, matches, false, true); flags.allow_net = Some(vec![]); - flags.allow_env = true; + flags.allow_env = Some(vec![]); flags.allow_run = Some(vec![]); flags.allow_read = Some(vec![]); flags.allow_write = Some(vec![]); @@ -1402,7 +1409,19 @@ fn permission_args<'a, 'b>(app: App<'a, 'b>) -> App<'a, 'b> { .arg( Arg::with_name("allow-env") .long("allow-env") - .help("Allow environment access"), + .min_values(0) + .takes_value(true) + .use_delimiter(true) + .require_equals(true) + .help("Allow environment access") + .validator(|keys| { + for key in keys.split(',') { + if key.is_empty() || key.contains(&['=', '\0'] as &[char]) { + return Err(format!("invalid key \"{}\"", key)); + } + } + Ok(()) + }), ) .arg( Arg::with_name("allow-run") @@ -1826,15 +1845,26 @@ fn permission_args_parse(flags: &mut Flags, matches: &clap::ArgMatches) { debug!("net allowlist: {:#?}", &flags.allow_net); } + if let Some(env_wl) = matches.values_of("allow-env") { + let env_allowlist: Vec<String> = env_wl + .map(|env: &str| { + if cfg!(windows) { + env.to_uppercase() + } else { + env.to_string() + } + }) + .collect(); + flags.allow_env = Some(env_allowlist); + debug!("env allowlist: {:#?}", &flags.allow_env); + } + if let Some(run_wl) = matches.values_of("allow-run") { let run_allowlist: Vec<String> = run_wl.map(ToString::to_string).collect(); flags.allow_run = Some(run_allowlist); debug!("run allowlist: {:#?}", &flags.allow_run); } - if matches.is_present("allow-env") { - flags.allow_env = true; - } if matches.is_present("allow-plugin") { flags.allow_plugin = true; } @@ -1843,7 +1873,7 @@ fn permission_args_parse(flags: &mut Flags, matches: &clap::ArgMatches) { } if matches.is_present("allow-all") { flags.allow_read = Some(vec![]); - flags.allow_env = true; + flags.allow_env = Some(vec![]); flags.allow_net = Some(vec![]); flags.allow_run = Some(vec![]); flags.allow_write = Some(vec![]); @@ -2054,7 +2084,7 @@ mod tests { script: "gist.ts".to_string(), }, allow_net: Some(vec![]), - allow_env: true, + allow_env: Some(vec![]), allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), @@ -2426,7 +2456,7 @@ mod tests { ext: "js".to_string(), }, allow_net: Some(vec![]), - allow_env: true, + allow_env: Some(vec![]), allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), @@ -2449,7 +2479,7 @@ mod tests { ext: "js".to_string(), }, allow_net: Some(vec![]), - allow_env: true, + allow_env: Some(vec![]), allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), @@ -2473,7 +2503,7 @@ mod tests { ext: "ts".to_string(), }, allow_net: Some(vec![]), - allow_env: true, + allow_env: Some(vec![]), allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), @@ -2510,7 +2540,7 @@ mod tests { seed: Some(1), inspect: Some("127.0.0.1:9229".parse().unwrap()), allow_net: Some(vec![]), - allow_env: true, + allow_env: Some(vec![]), allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), @@ -2540,7 +2570,7 @@ mod tests { }, argv: svec!["arg1", "arg2"], allow_net: Some(vec![]), - allow_env: true, + allow_env: Some(vec![]), allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), @@ -2560,7 +2590,7 @@ mod tests { repl: true, subcommand: DenoSubcommand::Repl, allow_net: Some(vec![]), - allow_env: true, + allow_env: Some(vec![]), allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), @@ -2594,7 +2624,7 @@ mod tests { seed: Some(1), inspect: Some("127.0.0.1:9229".parse().unwrap()), allow_net: Some(vec![]), - allow_env: true, + allow_env: Some(vec![]), allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), @@ -2672,6 +2702,55 @@ mod tests { } #[test] + fn allow_env_allowlist() { + let r = + flags_from_vec(svec!["deno", "run", "--allow-env=HOME", "script.ts"]); + assert_eq!( + r.unwrap(), + Flags { + subcommand: DenoSubcommand::Run { + script: "script.ts".to_string(), + }, + allow_env: Some(svec!["HOME"]), + ..Flags::default() + } + ); + } + + #[test] + fn allow_env_allowlist_multiple() { + let r = flags_from_vec(svec![ + "deno", + "run", + "--allow-env=HOME,PATH", + "script.ts" + ]); + assert_eq!( + r.unwrap(), + Flags { + subcommand: DenoSubcommand::Run { + script: "script.ts".to_string(), + }, + allow_env: Some(svec!["HOME", "PATH"]), + ..Flags::default() + } + ); + } + + #[test] + fn allow_env_allowlist_validator() { + let r = + flags_from_vec(svec!["deno", "run", "--allow-env=HOME", "script.ts"]); + assert!(r.is_ok()); + let r = + flags_from_vec(svec!["deno", "run", "--allow-env=H=ME", "script.ts"]); + assert!(r.is_err()); + let r = + flags_from_vec(svec!["deno", "run", "--allow-env=H\0ME", "script.ts"]); + assert!(r.is_err()); + } + + #[test] fn bundle() { let r = flags_from_vec(svec!["deno", "bundle", "source.ts"]); assert_eq!( |