author | andy finch <andyfinch7@gmail.com> | 2019-03-03 16:52:41 -0500 |
---|---|---|
committer | Ryan Dahl <ry@tinyclouds.org> | 2019-03-03 16:52:41 -0500 |
commit | 2af04e674d69863a318b311090a89aaae0108fdd (patch) | |
tree | a8feb99b5330e935eb74eefc35c6d93c00c10389 /src | |
parent | 1a695dd58b9069d41aa07c4a6c26e4057132ae92 (diff) |
Add write permissions requirement to `op_fetch_module_meta_data`. (#1874)
Diffstat (limited to 'src')
-rw-r--r-- | src/compiler.rs | 2 | ||||
-rw-r--r-- | src/ops.rs | 48 |
2 files changed, 48 insertions, 2 deletions
diff --git a/src/compiler.rs b/src/compiler.rs
index fa86617ce..716a9bbea 100644
--- a/src/compiler.rs
+++ b/src/compiler.rs
@@ -52,7 +52,7 @@ fn lazy_start(parent_state: &Arc<IsolateState>) -> Resource {
 let mut cell = C_RID.lock().unwrap();
 let permissions = DenoPermissions {
 allow_read: AtomicBool::new(true),
- allow_write: AtomicBool::new(false),
+ allow_write: AtomicBool::new(true),
 allow_env: AtomicBool::new(false),
 allow_net: AtomicBool::new(true),
 allow_run: AtomicBool::new(false),
diff --git a/src/ops.rs b/src/ops.rs
index 92a71e7e2..5535ca1b9 100644
--- a/src/ops.rs
+++ b/src/ops.rs
@@ -374,11 +374,19 @@ fn op_fetch_module_meta_data(
 let specifier = inner.specifier().unwrap();
 let referrer = inner.referrer().unwrap();
+ // Check for allow read since this operation could be used to read from the file system.
 if !isolate.permissions.allow_read.load(Ordering::SeqCst) {
 debug!("No read permission for fetch_module_meta_data");
 return odd_future(permission_denied());
 }
+ // Check for allow write since this operation could be used to write to the file system.
+ if !isolate.permissions.allow_write.load(Ordering::SeqCst) {
+ debug!("No network permission for fetch_module_meta_data");
+ return odd_future(permission_denied());
+ }
+
+ // Check for allow net since this operation could be used to make https/http requests.
 if !isolate.permissions.allow_net.load(Ordering::SeqCst) {
 debug!("No network permission for fetch_module_meta_data");
 return odd_future(permission_denied());
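Review bot: The `DenoPermissions` literal in `lazy_start` now gives the compiler isolate `allow_write` without any comment saying why, and this widens the privileges of an isolate that already holds read and net. A one-line comment such as `// allow_write: op_fetch_module_meta_data requires it, since fetching can write to the file system` would record the reason, so the grant is revisited if that op's requirements change. The body of `lazy_start` continues outside the hunk, so how these permissions are used afterwards is not visible here.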
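Review bot: The new `allow_write` branch logs `"No network permission for fetch_module_meta_data"`, the same string as the net check below it, so a denial caused by missing write permission shows up in debug output as a network denial. Change it to `debug!("No write permission for fetch_module_meta_data");` so the log names the permission that was actually missing. The body of `op_fetch_module_meta_data` starts and ends outside the hunk.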
@@ -1844,6 +1852,44 @@ mod tests {
 }
 #[test]
+ fn fetch_module_meta_fails_without_write() {
+ let state = IsolateState::mock();
+ let snapshot = libdeno::deno_buf::empty();
+ let permissions = DenoPermissions {
+ allow_read: AtomicBool::new(true),
+ allow_write: AtomicBool::new(false),
+ allow_env: AtomicBool::new(true),
+ allow_net: AtomicBool::new(true),
+ allow_run: AtomicBool::new(true),
+ };
+ let isolate = Isolate::new(snapshot, state, dispatch, permissions);
+ let builder = &mut FlatBufferBuilder::new();
+ let fetch_msg_args = msg::FetchModuleMetaDataArgs {
+ specifier: Some(builder.create_string("./somefile")),
+ referrer: Some(builder.create_string(".")),
+ };
+ let inner = msg::FetchModuleMetaData::create(builder, &fetch_msg_args);
+ let base_args = msg::BaseArgs {
+ inner: Some(inner.as_union_value()),
+ inner_type: msg::Any::FetchModuleMetaData,
+ ..Default::default()
+ };
+ let base = msg::Base::create(builder, &base_args);
+ msg::finish_base_buffer(builder, base);
+ let data = builder.finished_data();
+ let final_msg = msg::get_root_as_base(&data);
+ let fetch_result = op_fetch_module_meta_data(
+ &isolate,
+ &final_msg,
+ libdeno::deno_buf::empty(),
+ ).wait();
+ match fetch_result {
+ Ok(_) => assert!(true),
+ Err(e) => assert_eq!(e.to_string(), permission_denied().to_string()),
+ }
+ }
+
+ #[test]
 fn fetch_module_meta_fails_without_net() {
 let state = IsolateState::mock();
 let snapshot = libdeno::deno_buf::empty();
@@ -1887,7 +1933,7 @@ mod tests {
 let snapshot = libdeno::deno_buf::empty();
 let permissions = DenoPermissions {
 allow_read: AtomicBool::new(true),
- allow_write: AtomicBool::new(false),
+ allow_write: AtomicBool::new(true),
 allow_env: AtomicBool::new(false),
 allow_net: AtomicBool::new(true),
 allow_run: AtomicBool::new(false), |
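Review bot: `fetch_module_meta_fails_without_write` cannot fail when the permission check is missing, because the `Ok(_) => assert!(true)` arm accepts a successful fetch and the test passes whether or not the op is denied. The `Ok` arm should fail the test, for example `Ok(_) => panic!("expected permission_denied without allow_write"),`, with the `Err(e)` comparison kept as it is. The neighbouring `fetch_module_meta_fails_without_net` test may have the same pattern, but its body is outside the hunk.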