diff options
| author | David Sherret <dsherret@users.noreply.github.com> | 2024-09-16 21:39:37 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-16 21:39:37 +0100 |
| commit | 62e952559f600e72d7498c9b12f906cb0b1ba150 (patch) | |
| tree | 6dbcce6592973358ef4bf6341888b0bbbdb98cc5 /runtime/ops/process.rs | |
| parent | e0b9c745c15720914f14996bf357d5b375e2dbd8 (diff) | |
refactor(permissions): split up Descriptor into Allow, Deny, and Query (#25508)
This makes the permission system more versatile.
Diffstat (limited to 'runtime/ops/process.rs')
| -rw-r--r-- | runtime/ops/process.rs | 69 |
1 files changed, 45 insertions, 24 deletions
diff --git a/runtime/ops/process.rs b/runtime/ops/process.rs index b7242c07f..a39bb5f04 100644 --- a/runtime/ops/process.rs +++ b/runtime/ops/process.rs @@ -17,12 +17,13 @@ use deno_io::ChildStderrResource; use deno_io::ChildStdinResource; use deno_io::ChildStdoutResource; use deno_permissions::PermissionsContainer; -use deno_permissions::RunPathQuery; +use deno_permissions::RunQueryDescriptor; use serde::Deserialize; use serde::Serialize; use std::borrow::Cow; use std::cell::RefCell; use std::collections::HashMap; +use std::ffi::OsString; use std::path::Path; use std::path::PathBuf; use std::process::ExitStatus; @@ -536,9 +537,9 @@ fn compute_run_cmd_and_check_permissions( .with_context(|| format!("Failed to spawn '{}'", arg_cmd))?; check_run_permission( state, - RunPathQuery { - requested: arg_cmd, - resolved: &cmd, + &RunQueryDescriptor::Path { + requested: arg_cmd.to_string(), + resolved: cmd.clone(), }, &run_env, api_name, @@ -547,7 +548,7 @@ fn compute_run_cmd_and_check_permissions( } struct RunEnv { - envs: HashMap<String, String>, + envs: HashMap<OsString, OsString>, cwd: PathBuf, } @@ -567,11 +568,32 @@ fn compute_run_env( .map(|cwd_arg| resolve_path(cwd_arg, &cwd)) .unwrap_or(cwd); let envs = if arg_clear_env { - arg_envs.iter().cloned().collect() + arg_envs + .iter() + .map(|(k, v)| (OsString::from(k), OsString::from(v))) + .collect() } else { - let mut envs = std::env::vars().collect::<HashMap<_, _>>(); + let mut envs = std::env::vars_os() + .map(|(k, v)| { + ( + if cfg!(windows) { + k.to_ascii_uppercase() + } else { + k + }, + v, + ) + }) + .collect::<HashMap<_, _>>(); for (key, value) in arg_envs { - envs.insert(key.clone(), value.clone()); + envs.insert( + OsString::from(if cfg!(windows) { + key.to_ascii_uppercase() + } else { + key.clone() + }), + OsString::from(value.clone()), + ); } envs }; @@ -585,19 +607,7 @@ fn resolve_cmd(cmd: &str, env: &RunEnv) -> Result<PathBuf, AnyError> { if is_path { Ok(resolve_path(cmd, &env.cwd)) } else { - let path = env.envs.get("PATH").or_else(|| { - if cfg!(windows) { - env.envs.iter().find_map(|(k, v)| { - if k.to_uppercase() == "PATH" { - Some(v) - } else { - None - } - }) - } else { - None - } - }); + let path = env.envs.get(&OsString::from("PATH")); match which::which_in(cmd, path, &env.cwd) { Ok(cmd) => Ok(cmd), Err(which::Error::CannotFindBinaryPath) => { @@ -614,7 +624,7 @@ fn resolve_path(path: &str, cwd: &Path) -> PathBuf { fn check_run_permission( state: &mut OpState, - cmd: RunPathQuery, + cmd: &RunQueryDescriptor, run_env: &RunEnv, api_name: &str, ) -> Result<(), AnyError> { @@ -647,11 +657,22 @@ fn get_requires_allow_all_env_vars(env: &RunEnv) -> Vec<&str> { key.starts_with("LD_") || key.starts_with("DYLD_") } + fn is_empty(value: &OsString) -> bool { + value.is_empty() + || value.to_str().map(|v| v.trim().is_empty()).unwrap_or(false) + } + let mut found_envs = env .envs .iter() - .filter(|(k, v)| requires_allow_all(k) && !v.trim().is_empty()) - .map(|(k, _)| k.as_str()) + .filter_map(|(k, v)| { + let key = k.to_str()?; + if requires_allow_all(key) && !is_empty(v) { + Some(key) + } else { + None + } + }) .collect::<Vec<_>>(); found_envs.sort(); found_envs |