feat: add `--allow-import` flag (#25469)

This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.

By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.

Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:

```ts
deno run -A -r https://fresh.deno.dev
```

---------

Co-authored-by: David Sherret <dsherret@gmail.com>

5 files changed, 49 insertions, 0 deletions

diff --git a/tests/specs/node/node_test_module_no_sanitizers/__test__.jsonc b/tests/specs/node/node_test_module_no_sanitizers/__test__.jsonc
new file mode 100644
index 000000000..0a9a9524b
--- /dev/null
+++ b/tests/specs/node/node_test_module_no_sanitizers/__test__.jsonc
@@ -0,0 +1,9 @@
+{
+  "args": "test -A --no-check test_no_sanitizers/test.js",
+  "output": "test_no_sanitizers/test.out",
+  "envs": {
+    "NO_COLOR": "1",
+    "NPM_CONFIG_REGISTRY": "http://localhost:4260/"
+  },
+  "exitCode": 0
+}
diff --git a/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/cat.ts b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/cat.ts
new file mode 100644
index 000000000..62c82ebca
--- /dev/null
+++ b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/cat.ts
@@ -0,0 +1,4 @@
+const filename = Deno.args[0];
+using file = await Deno.open(filename);
+
+await file.readable.pipeTo(Deno.stdout.writable);
diff --git a/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.js b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.js
new file mode 100644
index 000000000..52d0f1325
--- /dev/null
+++ b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.js
@@ -0,0 +1,28 @@
+import test from "node:test";
+test("should not complain about resource and op sanitizers", async (t) => {
+  // resource
+  const _file1 = Deno.open("test_no_sanitizers/welcome.ts");
+
+  await t.test("nested test", () => {
+    // resource
+    const _file2 = Deno.open("test_no_sanitizers/cat.ts");
+
+    // op
+    crypto.subtle.digest(
+      "SHA-256",
+      new TextEncoder().encode("a".repeat(1_000_000)),
+    );
+  });
+
+  // op
+  crypto.subtle.digest(
+    "SHA-256",
+    new TextEncoder().encode("a".repeat(1_000_000)),
+  );
+});
+
+// TODO(mmastrac): This works, but we don't reliably flush stdout/stderr here, making this test flake
+// test("should allow exit", () => {
+//   // no exit sanitizers
+//   Deno.exit(123);
+// });
diff --git a/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.out b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.out
new file mode 100644
index 000000000..dc5ab7cfd
--- /dev/null
+++ b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.out
@@ -0,0 +1,7 @@
+running 1 test from ./test_no_sanitizers/test.js
+should not complain about resource and op sanitizers ...
+  nested test ... ok ([WILDCARD])
+should not complain about resource and op sanitizers ... ok ([WILDCARD])
+
+ok | 1 passed (1 step) | 0 failed ([WILDCARD])
+
diff --git a/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/welcome.ts b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/welcome.ts
new file mode 100644
index 000000000..f983ca89b
--- /dev/null
+++ b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/welcome.ts
@@ -0,0 +1 @@
+console.log("Welcome to Deno!");