fix(permissions): disallow launching subprocess with LD_PRELOAD env var without full run permissions (#25221)

Ref https://github.com/denoland/deno/pull/25215 Closes https://github.com/denoland/deno/issues/11964
author: David Sherret <dsherret@users.noreply.github.com> 2024-08-27 22:03:09 -0400
committer: GitHub <noreply@github.com> 2024-08-27 22:03:09 -0400
commit: 1a6fd38f2f7b016714ec313ce234fd5356aa956a (patch)
tree: f6452c1f7f5939ff12dc4a8b99890507a4079a63 /tests/specs
parent: b1b72a8a4943f9c40e253f243f9b77abf67b3faf (diff)
5 files changed, 30 insertions, 0 deletions
diff --git a/tests/specs/run/ld_preload/__test__.jsonc b/tests/specs/run/ld_preload/__test__.jsonc
new file mode 100644
index 000000000..f3a9b26bc
--- /dev/null
+++ b/tests/specs/run/ld_preload/__test__.jsonc
@@ -0,0 +1,14 @@
+{
+  "tests": {
+    "env_arg": {
+      "args": "run --allow-run=echo env_arg.ts",
+      "output": "env_arg.out",
+      "exitCode": 1
+    },
+    "set_with_allow_env": {
+      "args": "run --allow-run=echo --allow-env set_with_allow_env.ts",
+      "output": "set_with_allow_env.out",
+      "exitCode": 1
+    }
+  }
+}
diff --git a/tests/specs/run/ld_preload/env_arg.out b/tests/specs/run/ld_preload/env_arg.out
new file mode 100644
index 000000000..fbf37014a
--- /dev/null
+++ b/tests/specs/run/ld_preload/env_arg.out
@@ -0,0 +1,4 @@
+error: Uncaught (in promise) PermissionDenied: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
+}).spawn();
+   ^
+    at [WILDCARD]
diff --git a/tests/specs/run/ld_preload/env_arg.ts b/tests/specs/run/ld_preload/env_arg.ts
new file mode 100644
index 000000000..0b236619e
--- /dev/null
+++ b/tests/specs/run/ld_preload/env_arg.ts
@@ -0,0 +1,5 @@
+const output = new Deno.Command("echo", {
+  env: {
+    "LD_PRELOAD": "./libpreload.so",
+  },
+}).spawn();
diff --git a/tests/specs/run/ld_preload/set_with_allow_env.out b/tests/specs/run/ld_preload/set_with_allow_env.out
new file mode 100644
index 000000000..2e92763dd
--- /dev/null
+++ b/tests/specs/run/ld_preload/set_with_allow_env.out
@@ -0,0 +1,4 @@
+error: Uncaught (in promise) PermissionDenied: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
+const output = new Deno.Command("echo").spawn();
+                                        ^
+    at [WILDCARD]
diff --git a/tests/specs/run/ld_preload/set_with_allow_env.ts b/tests/specs/run/ld_preload/set_with_allow_env.ts
new file mode 100644
index 000000000..9530f4478
--- /dev/null
+++ b/tests/specs/run/ld_preload/set_with_allow_env.ts
@@ -0,0 +1,3 @@
+Deno.env.set("LD_PRELOAD", "./libpreload.so");
+
+const output = new Deno.Command("echo").spawn();
author	David Sherret <dsherret@users.noreply.github.com>	2024-08-27 22:03:09 -0400
committer	GitHub <noreply@github.com>	2024-08-27 22:03:09 -0400
commit	1a6fd38f2f7b016714ec313ce234fd5356aa956a (patch)
tree	f6452c1f7f5939ff12dc4a8b99890507a4079a63 /tests/specs
parent	b1b72a8a4943f9c40e253f243f9b77abf67b3faf (diff)