diff options
| author | Bartek IwaĆczuk <biwanczuk@gmail.com> | 2022-04-17 17:47:24 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-04-17 17:47:24 +0200 |
| commit | 9c5928b5aa3716f7441694da24982cecacb7a061 (patch) | |
| tree | 0c3e750337774162dfb2910cf462b9b7e0b8d4ba /cli | |
| parent | 19bb82aa40eabd9a06ba6650558653ec88d19a96 (diff) | |
fix: panic when trying to pledge permissions before restoring previous pledge (#14306)
This commit fixes and edge case, where testing/benching code could pledge new
permission set before restoring the previous pledge.
Appropriate panics were added and tests that assert that process is killed
in case of "recursive pledge".
Diffstat (limited to 'cli')
| -rw-r--r-- | cli/ops/bench.rs | 4 | ||||
| -rw-r--r-- | cli/ops/testing.rs | 3 | ||||
| -rw-r--r-- | cli/tests/integration/bench_tests.rs | 19 | ||||
| -rw-r--r-- | cli/tests/integration/test_tests.rs | 18 | ||||
| -rw-r--r-- | cli/tests/testdata/bench/recursive_permissions_pledge.js | 8 | ||||
| -rw-r--r-- | cli/tests/testdata/test/recursive_permissions_pledge.js | 8 |
6 files changed, 60 insertions, 0 deletions
diff --git a/cli/ops/bench.rs b/cli/ops/bench.rs index ea040b4a5..6f4b80974 100644 --- a/cli/ops/bench.rs +++ b/cli/ops/bench.rs @@ -63,6 +63,10 @@ pub fn op_pledge_test_permissions( let worker_permissions = create_child_permissions(parent_permissions, args)?; let parent_permissions = parent_permissions.clone(); + if state.try_take::<PermissionsHolder>().is_some() { + panic!("pledge test permissions called before restoring previous pledge"); + } + state.put::<PermissionsHolder>(PermissionsHolder(token, parent_permissions)); // NOTE: This call overrides current permission set for the worker diff --git a/cli/ops/testing.rs b/cli/ops/testing.rs index 16544dd98..3a57d307b 100644 --- a/cli/ops/testing.rs +++ b/cli/ops/testing.rs @@ -122,6 +122,9 @@ pub fn op_pledge_test_permissions( let worker_permissions = create_child_permissions(parent_permissions, args)?; let parent_permissions = parent_permissions.clone(); + if state.try_take::<PermissionsHolder>().is_some() { + panic!("pledge test permissions called before restoring previous pledge"); + } state.put::<PermissionsHolder>(PermissionsHolder(token, parent_permissions)); // NOTE: This call overrides current permission set for the worker diff --git a/cli/tests/integration/bench_tests.rs b/cli/tests/integration/bench_tests.rs index 2df08bdb5..7b4fbb0a5 100644 --- a/cli/tests/integration/bench_tests.rs +++ b/cli/tests/integration/bench_tests.rs @@ -1,6 +1,7 @@ // Copyright 2018-2022 the Deno authors. All rights reserved. MIT license. use crate::itest; +use test_util as util; itest!(requires_unstable { args: "bench bench/requires_unstable.js", @@ -139,3 +140,21 @@ itest!(no_prompt_with_denied_perms { exit_code: 1, output: "bench/no_prompt_with_denied_perms.out", }); + +#[test] +fn recursive_permissions_pledge() { + let output = util::deno_cmd() + .current_dir(util::testdata_path()) + .arg("bench") + .arg("--unstable") + .arg("bench/recursive_permissions_pledge.js") + .stderr(std::process::Stdio::piped()) + .spawn() + .unwrap() + .wait_with_output() + .unwrap(); + assert!(!output.status.success()); + assert!(String::from_utf8(output.stderr).unwrap().contains( + "pledge test permissions called before restoring previous pledge" + )); +} diff --git a/cli/tests/integration/test_tests.rs b/cli/tests/integration/test_tests.rs index 6a0d5c1ab..bac50f16d 100644 --- a/cli/tests/integration/test_tests.rs +++ b/cli/tests/integration/test_tests.rs @@ -298,3 +298,21 @@ itest!(no_prompt_with_denied_perms { exit_code: 1, output: "test/no_prompt_with_denied_perms.out", }); + +#[test] +fn recursive_permissions_pledge() { + let output = util::deno_cmd() + .current_dir(util::testdata_path()) + .arg("test") + .arg("test/recursive_permissions_pledge.js") + .stderr(std::process::Stdio::piped()) + .stdout(std::process::Stdio::piped()) + .spawn() + .unwrap() + .wait_with_output() + .unwrap(); + assert!(!output.status.success()); + assert!(String::from_utf8(output.stderr).unwrap().contains( + "pledge test permissions called before restoring previous pledge" + )); +} diff --git a/cli/tests/testdata/bench/recursive_permissions_pledge.js b/cli/tests/testdata/bench/recursive_permissions_pledge.js new file mode 100644 index 000000000..dcdcbf574 --- /dev/null +++ b/cli/tests/testdata/bench/recursive_permissions_pledge.js @@ -0,0 +1,8 @@ +Deno.core.opSync( + "op_pledge_test_permissions", + "none", +); +Deno.core.opSync( + "op_pledge_test_permissions", + "inherit", +); diff --git a/cli/tests/testdata/test/recursive_permissions_pledge.js b/cli/tests/testdata/test/recursive_permissions_pledge.js new file mode 100644 index 000000000..dcdcbf574 --- /dev/null +++ b/cli/tests/testdata/test/recursive_permissions_pledge.js @@ -0,0 +1,8 @@ +Deno.core.opSync( + "op_pledge_test_permissions", + "none", +); +Deno.core.opSync( + "op_pledge_test_permissions", + "inherit", +); |