author | David Sherret <dsherret@users.noreply.github.com> | 2024-09-04 14:51:24 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-04 14:51:24 +0200 |
commit | 74fc66da110ec20d12751e7a0922cea300314399 (patch) | |
tree | b0b057b7539b506b8db39287cd799e7c9cbd526f /tests/integration/run_tests.rs | |
parent | 334c842392e2587b8ca1d7cc7cc7d9231fc15286 (diff) |
fix: lock down allow-run permissions more (#25370)
`--allow-run` even with an allow list has essentially been
`--allow-all`... this locks it down more.
1. Resolves allow list for `--allow-run=` on startup to an absolute
path, then uses these paths when evaluating if a command can execute.
Also, adds these paths to `--deny-write`
1. Resolves the environment (cwd and env vars) before evaluating
permissions and before executing a command. Then uses this environment
to evaluate the permissions and then evaluate the command.
Diffstat (limited to 'tests/integration/run_tests.rs')
-rw-r--r-- | tests/integration/run_tests.rs | 41 |
1 files changed, 26 insertions, 15 deletions
diff --git a/tests/integration/run_tests.rs b/tests/integration/run_tests.rs
index 841ef2d18..47fcdb657 100644
--- a/tests/integration/run_tests.rs
+++ b/tests/integration/run_tests.rs
@@ -3683,11 +3683,6 @@ itest!(followup_dyn_import_resolved {
 output: "run/followup_dyn_import_resolves/main.ts.out",
 });
 
-itest!(allow_run_allowlist_resolution {
- args: "run --quiet -A allow_run_allowlist_resolution.ts",
- output: "allow_run_allowlist_resolution.ts.out",
-});
-
 itest!(unhandled_rejection {
 args: "run --check run/unhandled_rejection.ts",
 output: "run/unhandled_rejection.ts.out",
@@ -4592,16 +4587,32 @@ fn permission_prompt_escapes_ansi_codes_and_control_chars() {
 ))
 });
 
- util::with_pty(&["repl"], |mut console| {
- console.write_line_raw(r#"const boldANSI = "\u001b[1m";"#);
- console.expect("undefined");
- console.write_line_raw(r#"const unboldANSI = "\u001b[22m";"#);
- console.expect("undefined");
- console.write_line_raw(
- r#"new Deno.Command(`${boldANSI}cat${unboldANSI}`).spawn();"#,
- );
- console.expect("\u{250f} \u{26a0}\u{fe0f} Deno requests run access to \"\\u{1b}[1mcat\\u{1b}[22m\".");
- });
+ // windows doesn't support backslashes in paths, so just try this on unix
+ if cfg!(unix) {
+ let context = TestContextBuilder::default().use_temp_cwd().build();
+ context
+ .new_command()
+ .env("PATH", context.temp_dir().path())
+ .env("DYLD_FALLBACK_LIBRARY_PATH", "")
+ .env("LD_LIBRARY_PATH", "")
+ .args_vec(["repl", "--allow-write=."])
+ .with_pty(|mut console| {
+ console.write_line_raw(r#"const boldANSI = "\u001b[1m";"#);
+ console.expect("undefined");
+ console.write_line_raw(r#"const unboldANSI = "\u001b[22m";"#);
+ console.expect("undefined");
+ console.write_line_raw(
+ r#"Deno.writeTextFileSync(`${boldANSI}cat${unboldANSI}`, "");"#,
+ );
+ console.expect("undefined");
+ console.write_line_raw(
+ r#"new Deno.Command(`./${boldANSI}cat${unboldANSI}`).spawn();"#,
+ );
+ console
+ .expect("\u{250f} \u{26a0}\u{fe0f} Deno requests run access to \"");
+ console.expect("\\u{1b}[1mcat\\u{1b}[22m\"."); // ensure escaped
+ });
+ }
 }
 
 itest!(node_builtin_modules_ts { |
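Review bot: The comment on the new `if cfg!(unix)` guard gives a reason that does not match the code: the file name passed to `Deno.writeTextFileSync` contains ESC (U+001B) control characters, not backslashes, because `\u001b` is a JS escape inside the template string. Presumably the real constraint is that Windows rejects control characters in file names, so I would reword it to `// the file name contains ESC control characters, which Windows does not allow in file names, so only run this on unix`. On non-unix targets this block now asserts nothing, so escaping of the command name in the run-permission prompt appears to be untested there unless another test covers it. The two `console.expect` calls also leave the resolved path prefix between the opening quote and the escaped name unchecked, so they show that the escaped form is printed but not that no raw escape sequence reaches the terminal; a negative check would pin that down if the pty helper offers one. The function starts above this hunk, so its earlier prompt cases are not visible here.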