authorDavid Sherret <dsherret@users.noreply.github.com>2024-09-04 14:51:24 +0200
committerGitHub <noreply@github.com>2024-09-04 14:51:24 +0200
commit74fc66da110ec20d12751e7a0922cea300314399 (patch)
treeb0b057b7539b506b8db39287cd799e7c9cbd526f /tests/testdata
parent334c842392e2587b8ca1d7cc7cc7d9231fc15286 (diff)
fix: lock down allow-run permissions more (#25370)
`--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more.

1. Resolves the allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also adds these paths to `--deny-write`.
2. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
Diffstat (limited to 'tests/testdata')
-rw-r--r--tests/testdata/allow_run_allowlist_resolution.ts66
-rw-r--r--tests/testdata/allow_run_allowlist_resolution.ts.out15
-rw-r--r--tests/testdata/run/089_run_allow_list.ts.out2
3 files changed, 1 insertions, 82 deletions
diff --git a/tests/testdata/allow_run_allowlist_resolution.ts b/tests/testdata/allow_run_allowlist_resolution.ts
deleted file mode 100644
index c7369d928..000000000
--- a/tests/testdata/allow_run_allowlist_resolution.ts
+++ /dev/null
@@ -1,66 +0,0 @@
-// Testing the following (but with `deno` instead of `echo`):
-// | `deno run --allow-run=echo` | `which path == "/usr/bin/echo"` at startup | `which path != "/usr/bin/echo"` at startup |
-// |-------------------------------------|--------------------------------------------|--------------------------------------------|
-// | **`Deno.Command("echo")`** | ✅ | ✅ |
-// | **`Deno.Command("/usr/bin/echo")`** | ✅ | ❌ |
-
-// | `deno run --allow-run=/usr/bin/echo | `which path == "/usr/bin/echo"` at runtime | `which path != "/usr/bin/echo"` at runtime |
-// |-------------------------------------|--------------------------------------------|--------------------------------------------|
-// | **`Deno.Command("echo")`** | ✅ | ❌ |
-// | **`Deno.Command("/usr/bin/echo")`** | ✅ | ✅ |
-
-const execPath = Deno.execPath();
-const execPathParent = execPath.replace(/[/\\][^/\\]+$/, "");
-
-const testUrl = `data:application/typescript;base64,${
- btoa(`
- console.log(await Deno.permissions.query({ name: "run", command: "deno" }));
- console.log(await Deno.permissions.query({ name: "run", command: "${
- execPath.replaceAll("\\", "\\\\")
- }" }));
- Deno.env.set("PATH", "");
- console.log(await Deno.permissions.query({ name: "run", command: "deno" }));
- console.log(await Deno.permissions.query({ name: "run", command: "${
- execPath.replaceAll("\\", "\\\\")
- }" }));
-`)
-}`;
-
-const process1 = await new Deno.Command(Deno.execPath(), {
- args: [
- "run",
- "--quiet",
- "--allow-env",
- "--allow-run=deno",
- testUrl,
- ],
- stderr: "null",
- env: { "PATH": execPathParent },
-}).output();
-console.log(new TextDecoder().decode(process1.stdout));
-
-const process2 = await new Deno.Command(Deno.execPath(), {
- args: [
- "run",
- "--quiet",
- "--allow-env",
- "--allow-run=deno",
- testUrl,
- ],
- stderr: "null",
- env: { "PATH": "" },
-}).output();
-console.log(new TextDecoder().decode(process2.stdout));
-
-const process3 = await new Deno.Command(Deno.execPath(), {
- args: [
- "run",
- "--quiet",
- "--allow-env",
- `--allow-run=${execPath}`,
- testUrl,
- ],
- stderr: "null",
- env: { "PATH": execPathParent },
-}).output();
-console.log(new TextDecoder().decode(process3.stdout));
diff --git a/tests/testdata/allow_run_allowlist_resolution.ts.out b/tests/testdata/allow_run_allowlist_resolution.ts.out
deleted file mode 100644
index 16ba6754a..000000000
--- a/tests/testdata/allow_run_allowlist_resolution.ts.out
+++ /dev/null
@@ -1,15 +0,0 @@
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "prompt", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "prompt", onchange: null }
-
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "prompt", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-
diff --git a/tests/testdata/run/089_run_allow_list.ts.out b/tests/testdata/run/089_run_allow_list.ts.out
index 68a4a2ac5..0fc1c80c2 100644
--- a/tests/testdata/run/089_run_allow_list.ts.out
+++ b/tests/testdata/run/089_run_allow_list.ts.out
@@ -1,3 +1,3 @@
-[WILDCARD]PermissionDenied: Requires run access to "ls", run again with the --allow-run flag
+[WILDCARD]PermissionDenied: Requires run access to "[WILDLINE]ls[WILDLINE]", run again with the --allow-run flag
[WILDCARD]
true
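Review bot: The new first line `Requires run access to "[WILDLINE]ls[WILDLINE]"` is loose on both sides of `ls`, so this expectation would still pass if the denied command were reported as some other binary whose path merely contains `ls` (assuming `[WILDLINE]` matches any text within the line). This line is the only visible check that the permission error names the resolved command, so it is worth pinning the final path component, for example `"[WILDLINE]/ls"` where the test only runs on Unix. If the trailing wildcard exists to absorb a platform-specific suffix, which this hunk does not show, a short comment in the accompanying test source saying so would keep later readers from loosening it further.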