diff options
39 files changed, 271 insertions, 65 deletions
diff --git a/cli/lsp/sources.rs b/cli/lsp/sources.rs index aa72ab904..5894e8d97 100644 --- a/cli/lsp/sources.rs +++ b/cli/lsp/sources.rs @@ -35,6 +35,7 @@ pub async fn cache( let handler = Arc::new(Mutex::new(FetchHandler::new( &program_state, Permissions::allow_all(), + Permissions::allow_all(), )?)); let mut builder = GraphBuilder::new(handler, maybe_import_map.clone(), None); builder.add(specifier, false).await diff --git a/cli/main.rs b/cli/main.rs index 604b786f9..5a5972e92 100644 --- a/cli/main.rs +++ b/cli/main.rs @@ -398,6 +398,7 @@ async fn info_command( // info accesses dynamically imported modules just for their information // so we allow access to all of them. Permissions::allow_all(), + Permissions::allow_all(), )?)); let mut builder = module_graph::GraphBuilder::new( handler, @@ -478,6 +479,7 @@ async fn cache_command( specifier, lib.clone(), Permissions::allow_all(), + Permissions::allow_all(), false, program_state.maybe_import_map.clone(), ) @@ -544,6 +546,7 @@ async fn create_module_graph_and_maybe_check( // when bundling, dynamic imports are only access for their type safety, // therefore we will allow the graph to access any module. Permissions::allow_all(), + Permissions::allow_all(), )?)); let mut builder = module_graph::GraphBuilder::new( handler, @@ -780,6 +783,7 @@ async fn run_with_watch(flags: Flags, script: String) -> Result<(), AnyError> { let handler = Arc::new(Mutex::new(FetchHandler::new( &program_state, Permissions::allow_all(), + Permissions::allow_all(), )?)); let mut builder = module_graph::GraphBuilder::new( handler, @@ -942,6 +946,7 @@ async fn test_command( let handler = Arc::new(Mutex::new(FetchHandler::new( &program_state, Permissions::allow_all(), + Permissions::allow_all(), )?)); let paths_to_watch: Vec<_> = include.iter().map(PathBuf::from).collect(); diff --git a/cli/module_graph.rs b/cli/module_graph.rs index a70a124a7..1ca738977 100644 --- a/cli/module_graph.rs +++ b/cli/module_graph.rs @@ -1775,7 +1775,7 @@ impl GraphBuilder { } Some(Ok(cached_module)) => { let is_root = &cached_module.specifier == specifier; - self.visit(cached_module, is_root)?; + self.visit(cached_module, is_root, is_dynamic)?; } _ => {} } @@ -1823,6 +1823,7 @@ impl GraphBuilder { &mut self, cached_module: CachedModule, is_root: bool, + is_root_dynamic: bool, ) -> Result<(), AnyError> { let specifier = cached_module.specifier.clone(); let requested_specifier = cached_module.requested_specifier.clone(); @@ -1859,14 +1860,22 @@ impl GraphBuilder { for (_, dep) in module.dependencies.iter() { let maybe_referrer = Some(dep.location.clone()); if let Some(specifier) = dep.maybe_code.as_ref() { - self.fetch(specifier, &maybe_referrer, dep.is_dynamic); + self.fetch( + specifier, + &maybe_referrer, + is_root_dynamic || dep.is_dynamic, + ); } if let Some(specifier) = dep.maybe_type.as_ref() { - self.fetch(specifier, &maybe_referrer, dep.is_dynamic); + self.fetch( + specifier, + &maybe_referrer, + is_root_dynamic || dep.is_dynamic, + ); } } if let Some((_, specifier)) = module.maybe_types.as_ref() { - self.fetch(specifier, &None, false); + self.fetch(specifier, &None, is_root_dynamic); } if specifier != requested_specifier { self diff --git a/cli/module_loader.rs b/cli/module_loader.rs index 26b9e28ff..acf762506 100644 --- a/cli/module_loader.rs +++ b/cli/module_loader.rs @@ -22,10 +22,10 @@ pub struct CliModuleLoader { /// import map file will be resolved and set. pub import_map: Option<ImportMap>, pub lib: TypeLib, - /// The initial set of permissions used to resolve the imports in the worker. - /// They are decoupled from the worker permissions since read access errors - /// must be raised based on the parent thread permissions - pub initial_permissions: Rc<RefCell<Option<Permissions>>>, + /// The initial set of permissions used to resolve the static imports in the + /// worker. They are decoupled from the worker (dynamic) permissions since + /// read access errors must be raised based on the parent thread permissions. + pub root_permissions: Permissions, pub program_state: Arc<ProgramState>, } @@ -42,7 +42,7 @@ impl CliModuleLoader { Rc::new(CliModuleLoader { import_map, lib, - initial_permissions: Rc::new(RefCell::new(None)), + root_permissions: Permissions::allow_all(), program_state, }) } @@ -60,7 +60,7 @@ impl CliModuleLoader { Rc::new(CliModuleLoader { import_map: None, lib, - initial_permissions: Rc::new(RefCell::new(Some(permissions))), + root_permissions: permissions, program_state, }) } @@ -125,16 +125,8 @@ impl ModuleLoader for CliModuleLoader { let maybe_import_map = self.import_map.clone(); let state = op_state.borrow(); - // The permissions that should be applied to any dynamically imported module - let dynamic_permissions = - // If there are initial permissions assigned to the loader take them - // and use only once for top level module load. - // Otherwise use permissions assigned to the current worker. - if let Some(permissions) = self.initial_permissions.borrow_mut().take() { - permissions - } else { - state.borrow::<Permissions>().clone() - }; + let root_permissions = self.root_permissions.clone(); + let dynamic_permissions = state.borrow::<Permissions>().clone(); let lib = self.lib.clone(); drop(state); @@ -145,6 +137,7 @@ impl ModuleLoader for CliModuleLoader { .prepare_module_load( specifier, lib, + root_permissions, dynamic_permissions, is_dynamic, maybe_import_map, diff --git a/cli/ops/runtime_compiler.rs b/cli/ops/runtime_compiler.rs index 2dfd995b5..c2d5582e7 100644 --- a/cli/ops/runtime_compiler.rs +++ b/cli/ops/runtime_compiler.rs @@ -66,15 +66,14 @@ async fn op_emit( // when we are actually resolving modules without provided sources, we should // treat the root module as a dynamic import so that runtime permissions are // applied. - let mut is_dynamic = false; let handler: Arc<Mutex<dyn SpecifierHandler>> = if let Some(sources) = args.sources { Arc::new(Mutex::new(MemoryHandler::new(sources))) } else { - is_dynamic = true; Arc::new(Mutex::new(FetchHandler::new( &program_state, runtime_permissions.clone(), + runtime_permissions.clone(), )?)) }; let maybe_import_map = if let Some(import_map_str) = args.import_map_path { @@ -103,15 +102,12 @@ async fn op_emit( }; let mut builder = GraphBuilder::new(handler, maybe_import_map, None); let root_specifier = resolve_url_or_path(&root_specifier)?; - builder - .add(&root_specifier, is_dynamic) - .await - .map_err(|_| { - type_error(format!( - "Unable to handle the given specifier: {}", - &root_specifier - )) - })?; + builder.add(&root_specifier, false).await.map_err(|_| { + type_error(format!( + "Unable to handle the given specifier: {}", + &root_specifier + )) + })?; let bundle_type = match args.bundle { Some(RuntimeBundleType::Module) => BundleType::Module, Some(RuntimeBundleType::Classic) => BundleType::Classic, diff --git a/cli/program_state.rs b/cli/program_state.rs index 0051e744b..50890b9e4 100644 --- a/cli/program_state.rs +++ b/cli/program_state.rs @@ -153,12 +153,14 @@ impl ProgramState { self: &Arc<Self>, specifiers: Vec<ModuleSpecifier>, lib: TypeLib, - runtime_permissions: Permissions, + root_permissions: Permissions, + dynamic_permissions: Permissions, maybe_import_map: Option<ImportMap>, ) -> Result<(), AnyError> { let handler = Arc::new(Mutex::new(FetchHandler::new( self, - runtime_permissions.clone(), + root_permissions, + dynamic_permissions, )?)); let mut builder = @@ -221,19 +223,17 @@ impl ProgramState { self: &Arc<Self>, specifier: ModuleSpecifier, lib: TypeLib, - mut runtime_permissions: Permissions, + root_permissions: Permissions, + dynamic_permissions: Permissions, is_dynamic: bool, maybe_import_map: Option<ImportMap>, ) -> Result<(), AnyError> { let specifier = specifier.clone(); - // Workers are subject to the current runtime permissions. We do the - // permission check here early to avoid "wasting" time building a module - // graph for a module that cannot be loaded. - if lib == TypeLib::DenoWorker || lib == TypeLib::UnstableDenoWorker { - runtime_permissions.check_specifier(&specifier)?; - } - let handler = - Arc::new(Mutex::new(FetchHandler::new(self, runtime_permissions)?)); + let handler = Arc::new(Mutex::new(FetchHandler::new( + self, + root_permissions, + dynamic_permissions, + )?)); let mut builder = GraphBuilder::new(handler, maybe_import_map, self.lockfile.clone()); builder.add(&specifier, is_dynamic).await?; diff --git a/cli/specifier_handler.rs b/cli/specifier_handler.rs index 066ed87f4..900b918ab 100644 --- a/cli/specifier_handler.rs +++ b/cli/specifier_handler.rs @@ -222,9 +222,10 @@ impl CompiledFileMetadata { pub struct FetchHandler { /// An instance of disk where generated (emitted) files are stored. disk_cache: DiskCache, - /// The set of current runtime permissions which need to be applied to - /// dynamic imports. - runtime_permissions: Permissions, + /// The set permissions which are used for root modules (static imports). + root_permissions: Permissions, + /// The set of permissions which are used for dynamic imports. + dynamic_permissions: Permissions, /// A clone of the `program_state` file fetcher. file_fetcher: FileFetcher, } @@ -232,7 +233,8 @@ pub struct FetchHandler { impl FetchHandler { pub fn new( program_state: &Arc<ProgramState>, - runtime_permissions: Permissions, + root_permissions: Permissions, + dynamic_permissions: Permissions, ) -> Result<Self, AnyError> { let custom_root = env::var("DENO_DIR").map(String::into).ok(); let deno_dir = DenoDir::new(custom_root)?; @@ -241,7 +243,8 @@ impl FetchHandler { Ok(FetchHandler { disk_cache, - runtime_permissions, + root_permissions, + dynamic_permissions, file_fetcher, }) } @@ -258,9 +261,9 @@ impl SpecifierHandler for FetchHandler { // permissions need to be applied. Other static imports have all // permissions. let mut permissions = if is_dynamic { - self.runtime_permissions.clone() + self.dynamic_permissions.clone() } else { - Permissions::allow_all() + self.root_permissions.clone() }; let file_fetcher = self.file_fetcher.clone(); let disk_cache = self.disk_cache.clone(); @@ -603,7 +606,8 @@ pub mod tests { let fetch_handler = FetchHandler { disk_cache, - runtime_permissions: Permissions::default(), + root_permissions: Permissions::allow_all(), + dynamic_permissions: Permissions::default(), file_fetcher, }; diff --git a/cli/tests/dynamic_import/permissions_blob_local.ts b/cli/tests/dynamic_import/permissions_blob_local.ts new file mode 100644 index 000000000..571c72ca3 --- /dev/null +++ b/cli/tests/dynamic_import/permissions_blob_local.ts @@ -0,0 +1,4 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +const code = `import "file:///local_file.ts";`; +const blob = new Blob([code]); +await import(URL.createObjectURL(blob)); diff --git a/cli/tests/dynamic_import/permissions_blob_local.ts.out b/cli/tests/dynamic_import/permissions_blob_local.ts.out new file mode 100644 index 000000000..d533d4903 --- /dev/null +++ b/cli/tests/dynamic_import/permissions_blob_local.ts.out @@ -0,0 +1,5 @@ +error: Uncaught (in promise) TypeError: Requires read access to "/local_file.ts", run again with the --allow-read flag + at blob:null/[WILDCARD]:1:0 +await import(URL.createObjectURL(blob)); +^ + at async file:///[WILDCARD]/cli/tests/dynamic_import/permissions_blob_local.ts:4:1 diff --git a/cli/tests/dynamic_import/permissions_blob_remote.ts b/cli/tests/dynamic_import/permissions_blob_remote.ts new file mode 100644 index 000000000..1e2c8c21a --- /dev/null +++ b/cli/tests/dynamic_import/permissions_blob_remote.ts @@ -0,0 +1,4 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +const code = `import "https://example.com/some/file.ts";`; +const blob = new Blob([code]); +await import(URL.createObjectURL(blob)); diff --git a/cli/tests/dynamic_import/permissions_blob_remote.ts.out b/cli/tests/dynamic_import/permissions_blob_remote.ts.out new file mode 100644 index 000000000..7992e0855 --- /dev/null +++ b/cli/tests/dynamic_import/permissions_blob_remote.ts.out @@ -0,0 +1,5 @@ +error: Uncaught (in promise) TypeError: Requires net access to "example.com", run again with the --allow-net flag + at blob:null/[WILDCARD]:1:0 +await import(URL.createObjectURL(blob)); +^ + at async file:///[WILDCARD]/cli/tests/dynamic_import/permissions_blob_remote.ts:4:1 diff --git a/cli/tests/dynamic_import/permissions_data_local.ts b/cli/tests/dynamic_import/permissions_data_local.ts new file mode 100644 index 000000000..04b3432eb --- /dev/null +++ b/cli/tests/dynamic_import/permissions_data_local.ts @@ -0,0 +1,3 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +const code = `import "file:///local_file.ts";`; +await import(`data:application/javascript;base64,${btoa(code)}`); diff --git a/cli/tests/dynamic_import/permissions_data_local.ts.out b/cli/tests/dynamic_import/permissions_data_local.ts.out new file mode 100644 index 000000000..0b3ac7779 --- /dev/null +++ b/cli/tests/dynamic_import/permissions_data_local.ts.out @@ -0,0 +1,5 @@ +error: Uncaught (in promise) TypeError: Requires read access to "/local_file.ts", run again with the --allow-read flag + at data:application/javascript;base64,aW1wb3J0ICJmaWxlOi8vL2xvY2FsX2ZpbGUudHMiOw==:1:0 +await import(`data:application/javascript;base64,${btoa(code)}`); +^ + at async file:///[WILDCARD]/cli/tests/dynamic_import/permissions_data_local.ts:3:1 diff --git a/cli/tests/dynamic_import/permissions_data_remote.ts b/cli/tests/dynamic_import/permissions_data_remote.ts new file mode 100644 index 000000000..b0a9540c3 --- /dev/null +++ b/cli/tests/dynamic_import/permissions_data_remote.ts @@ -0,0 +1,3 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +const code = `import "https://example.com/some/file.ts";`; +await import(`data:application/javascript;base64,${btoa(code)}`); diff --git a/cli/tests/dynamic_import/permissions_data_remote.ts.out b/cli/tests/dynamic_import/permissions_data_remote.ts.out new file mode 100644 index 000000000..6bb137091 --- /dev/null +++ b/cli/tests/dynamic_import/permissions_data_remote.ts.out @@ -0,0 +1,5 @@ +error: Uncaught (in promise) TypeError: Requires net access to "example.com", run again with the --allow-net flag + at data:application/javascript;base64,aW1wb3J0ICJodHRwczovL2V4YW1wbGUuY29tL3NvbWUvZmlsZS50cyI7:1:0 +await import(`data:application/javascript;base64,${btoa(code)}`); +^ + at async file:///[WILDCARD]/cli/tests/dynamic_import/permissions_data_remote.ts:3:1 diff --git a/cli/tests/dynamic_import/permissions_remote_remote.ts b/cli/tests/dynamic_import/permissions_remote_remote.ts new file mode 100644 index 000000000..99de3f46f --- /dev/null +++ b/cli/tests/dynamic_import/permissions_remote_remote.ts @@ -0,0 +1,3 @@ +await import( + "http://localhost:4545/cli/tests/dynamic_import/static_remote.ts" +); diff --git a/cli/tests/dynamic_import/permissions_remote_remote.ts.out b/cli/tests/dynamic_import/permissions_remote_remote.ts.out new file mode 100644 index 000000000..ae8113899 --- /dev/null +++ b/cli/tests/dynamic_import/permissions_remote_remote.ts.out @@ -0,0 +1,5 @@ +error: Uncaught (in promise) TypeError: Requires net access to "example.com", run again with the --allow-net flag + at http://localhost:4545/cli/tests/dynamic_import/static_remote.ts:2:0 +await import( +^ + at async file:///[WILDCARD]/cli/tests/dynamic_import/permissions_remote_remote.ts:1:1 diff --git a/cli/tests/dynamic_import/static_remote.ts b/cli/tests/dynamic_import/static_remote.ts new file mode 100644 index 000000000..2d6e820fd --- /dev/null +++ b/cli/tests/dynamic_import/static_remote.ts @@ -0,0 +1,2 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +import "https://example.com/some/file.ts"; diff --git a/cli/tests/integration_tests.rs b/cli/tests/integration_tests.rs index fe40e243b..19a1a8952 100644 --- a/cli/tests/integration_tests.rs +++ b/cli/tests/integration_tests.rs @@ -3096,6 +3096,41 @@ console.log("finish"); exit_code: 1, }); + itest!(dynamic_import_permissions_remote_remote { + args: "run --quiet --reload --allow-net=localhost:4545 dynamic_import/permissions_remote_remote.ts", + output: "dynamic_import/permissions_remote_remote.ts.out", + http_server: true, + exit_code: 1, + }); + + itest!(dynamic_import_permissions_data_remote { + args: "run --quiet --reload --allow-net=localhost:4545 dynamic_import/permissions_data_remote.ts", + output: "dynamic_import/permissions_data_remote.ts.out", + http_server: true, + exit_code: 1, + }); + + itest!(dynamic_import_permissions_blob_remote { + args: "run --quiet --reload --allow-net=localhost:4545 dynamic_import/permissions_blob_remote.ts", + output: "dynamic_import/permissions_blob_remote.ts.out", + http_server: true, + exit_code: 1, + }); + + itest!(dynamic_import_permissions_data_local { + args: "run --quiet --reload --allow-net=localhost:4545 dynamic_import/permissions_data_local.ts", + output: "dynamic_import/permissions_data_local.ts.out", + http_server: true, + exit_code: 1, + }); + + itest!(dynamic_import_permissions_blob_local { + args: "run --quiet --reload --allow-net=localhost:4545 dynamic_import/permissions_blob_local.ts", + output: "dynamic_import/permissions_blob_local.ts.out", + http_server: true, + exit_code: 1, + }); + itest!(js_import_detect { args: "run --quiet --reload js_import_detect.ts", output: "js_import_detect.ts.out", @@ -3466,6 +3501,48 @@ console.log("finish"); exit_code: 1, }); + itest!(worker_permissions_remote_remote { + args: "run --quiet --reload --allow-net=localhost:4545 workers/permissions_remote_remote.ts", + output: "workers/permissions_remote_remote.ts.out", + http_server: true, + exit_code: 1, + }); + + itest!(worker_permissions_dynamic_remote { + args: "run --quiet --reload --allow-net --unstable workers/permissions_dynamic_remote.ts", + output: "workers/permissions_dynamic_remote.ts.out", + http_server: true, + exit_code: 1, + }); + + itest!(worker_permissions_data_remote { + args: "run --quiet --reload --allow-net=localhost:4545 workers/permissions_data_remote.ts", + output: "workers/permissions_data_remote.ts.out", + http_server: true, + exit_code: 1, + }); + + itest!(worker_permissions_blob_remote { + args: "run --quiet --reload --allow-net=localhost:4545 workers/permissions_blob_remote.ts", + output: "workers/permissions_blob_remote.ts.out", + http_server: true, + exit_code: 1, + }); + + itest!(worker_permissions_data_local { + args: "run --quiet --reload --allow-net=localhost:4545 workers/permissions_data_local.ts", + output: "workers/permissions_data_local.ts.out", + http_server: true, + exit_code: 1, + }); + + itest!(worker_permissions_blob_local { + args: "run --quiet --reload --allow-net=localhost:4545 workers/permissions_blob_local.ts", + output: "workers/permissions_blob_local.ts.out", + http_server: true, + exit_code: 1, + }); + itest!(exit_error42 { exit_code: 42, args: "run --quiet --reload exit_error42.ts", @@ -3946,7 +4023,7 @@ console.log("finish"); }); itest!(import_blob_url_imports { - args: "run --quiet --reload import_blob_url_imports.ts", + args: "run --quiet --reload --allow-net=localhost:4545 import_blob_url_imports.ts", output: "import_blob_url_imports.ts.out", http_server: true, }); diff --git a/cli/tests/workers/dynamic_remote.ts b/cli/tests/workers/dynamic_remote.ts new file mode 100644 index 000000000..381c7f374 --- /dev/null +++ b/cli/tests/workers/dynamic_remote.ts @@ -0,0 +1,2 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +await import("https://example.com/some/file.ts"); diff --git a/cli/tests/workers/parent_read_check_granular_worker.js b/cli/tests/workers/parent_read_check_granular_worker.js index 474b8a61b..1391190cd 100644 --- a/cli/tests/workers/parent_read_check_granular_worker.js +++ b/cli/tests/workers/parent_read_check_granular_worker.js @@ -1,5 +1,3 @@ -import { fromFileUrl } from "../../../test_util/std/path/mod.ts"; - const worker = new Worker( new URL("./read_check_granular_worker.js", import.meta.url).href, { @@ -31,7 +29,7 @@ worker.onmessage = ({ data: childResponse }) => { onmessage = async ({ data }) => { const { state } = await Deno.permissions.query({ name: "read", - path: fromFileUrl(new URL(data.route, import.meta.url)), + path: data.path, }); messages[data.index] = state === "granted"; diff --git a/cli/tests/workers/permissions_blob_local.ts b/cli/tests/workers/permissions_blob_local.ts new file mode 100644 index 000000000..e75557912 --- /dev/null +++ b/cli/tests/workers/permissions_blob_local.ts @@ -0,0 +1,4 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +const code = `import "file:///local_file.ts";`; +const blob = new Blob([code]); +new Worker(URL.createObjectURL(blob), { type: "module" }); diff --git a/cli/tests/workers/permissions_blob_local.ts.out b/cli/tests/workers/permissions_blob_local.ts.out new file mode 100644 index 000000000..7ccb56e1d --- /dev/null +++ b/cli/tests/workers/permissions_blob_local.ts.out @@ -0,0 +1,4 @@ +error: Uncaught (in worker "") Requires read access to "/local_file.ts", run again with the --allow-read flag + at blob:null/[WILDCARD]:1:0 +error: Uncaught (in promise) Error: Unhandled error event reached main worker. + at Worker.#poll (deno:runtime/js/11_workers.js:246:23) diff --git a/cli/tests/workers/permissions_blob_remote.ts b/cli/tests/workers/permissions_blob_remote.ts new file mode 100644 index 000000000..4808bc57b --- /dev/null +++ b/cli/tests/workers/permissions_blob_remote.ts @@ -0,0 +1,4 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +const code = `import "https://example.com/some/file.ts";`; +const blob = new Blob([code]); +new Worker(URL.createObjectURL(blob), { type: "module" }); diff --git a/cli/tests/workers/permissions_blob_remote.ts.out b/cli/tests/workers/permissions_blob_remote.ts.out new file mode 100644 index 000000000..c89f7b41c --- /dev/null +++ b/cli/tests/workers/permissions_blob_remote.ts.out @@ -0,0 +1,4 @@ +error: Uncaught (in worker "") Requires net access to "example.com", run again with the --allow-net flag + at blob:null/[WILDCARD]:1:0 +error: Uncaught (in promise) Error: Unhandled error event reached main worker. + at Worker.#poll (deno:runtime/js/11_workers.js:246:23) diff --git a/cli/tests/workers/permissions_data_local.ts b/cli/tests/workers/permissions_data_local.ts new file mode 100644 index 000000000..938a76add --- /dev/null +++ b/cli/tests/workers/permissions_data_local.ts @@ -0,0 +1,5 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +const code = `import "file:///local_file.ts";`; +new Worker(`data:application/javascript;base64,${btoa(code)}`, { + type: "module", +}); diff --git a/cli/tests/workers/permissions_data_local.ts.out b/cli/tests/workers/permissions_data_local.ts.out new file mode 100644 index 000000000..e282bb5aa --- /dev/null +++ b/cli/tests/workers/permissions_data_local.ts.out @@ -0,0 +1,4 @@ +error: Uncaught (in worker "") Requires read access to "/local_file.ts", run again with the --allow-read flag + at data:application/javascript;base64,aW1wb3J0ICJmaWxlOi8vL2xvY2FsX2ZpbGUudHMiOw==:1:0 +error: Uncaught (in promise) Error: Unhandled error event reached main worker. + at Worker.#poll (deno:runtime/js/11_workers.js:246:23) diff --git a/cli/tests/workers/permissions_data_remote.ts b/cli/tests/workers/permissions_data_remote.ts new file mode 100644 index 000000000..b37bd661d --- /dev/null +++ b/cli/tests/workers/permissions_data_remote.ts @@ -0,0 +1,5 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +const code = `import "https://example.com/some/file.ts";`; +new Worker(`data:application/javascript;base64,${btoa(code)}`, { + type: "module", +}); diff --git a/cli/tests/workers/permissions_data_remote.ts.out b/cli/tests/workers/permissions_data_remote.ts.out new file mode 100644 index 000000000..2c4080672 --- /dev/null +++ b/cli/tests/workers/permissions_data_remote.ts.out @@ -0,0 +1,4 @@ +error: Uncaught (in worker "") Requires net access to "example.com", run again with the --allow-net flag + at data:application/javascript;base64,aW1wb3J0ICJodHRwczovL2V4YW1wbGUuY29tL3NvbWUvZmlsZS50cyI7:1:0 +error: Uncaught (in promise) Error: Unhandled error event reached main worker. + at Worker.#poll (deno:runtime/js/11_workers.js:246:23) diff --git a/cli/tests/workers/permissions_dynamic_remote.ts b/cli/tests/workers/permissions_dynamic_remote.ts new file mode 100644 index 000000000..a5d293e16 --- /dev/null +++ b/cli/tests/workers/permissions_dynamic_remote.ts @@ -0,0 +1,11 @@ +new Worker( + "http://localhost:4545/cli/tests/workers/dynamic_remote.ts", + { + type: "module", + deno: { + permissions: { + net: false, + }, + }, + }, +); diff --git a/cli/tests/workers/permissions_dynamic_remote.ts.out b/cli/tests/workers/permissions_dynamic_remote.ts.out new file mode 100644 index 000000000..3bfb16205 --- /dev/null +++ b/cli/tests/workers/permissions_dynamic_remote.ts.out @@ -0,0 +1,10 @@ +error: Uncaught (in worker "") (in promise) TypeError: Requires net access to "example.com", run again with the --allow-net flag +await import("https://example.com/some/file.ts"); +^ + at async http://localhost:4545/cli/tests/workers/dynamic_remote.ts:2:1 +error: Uncaught (in worker "") TypeError: Requires net access to "example.com", run again with the --allow-net flag +await import("https://example.com/some/file.ts"); +^ + at async http://localhost:4545/cli/tests/workers/dynamic_remote.ts:2:1 +error: Uncaught (in promise) Error: Unhandled error event reached main worker. + at Worker.#poll (deno:runtime/js/11_workers.js:246:23) diff --git a/cli/tests/workers/permissions_remote_remote.ts b/cli/tests/workers/permissions_remote_remote.ts new file mode 100644 index 000000000..b1f954a31 --- /dev/null +++ b/cli/tests/workers/permissions_remote_remote.ts @@ -0,0 +1,3 @@ +new Worker("http://localhost:4545/cli/tests/workers/static_remote.ts", { + type: "module", +}); diff --git a/cli/tests/workers/permissions_remote_remote.ts.out b/cli/tests/workers/permissions_remote_remote.ts.out new file mode 100644 index 000000000..714150a3a --- /dev/null +++ b/cli/tests/workers/permissions_remote_remote.ts.out @@ -0,0 +1,4 @@ +error: Uncaught (in worker "") Requires net access to "example.com", run again with the --allow-net flag + at http://localhost:4545/cli/tests/workers/static_remote.ts:2:0 +error: Uncaught (in promise) Error: Unhandled error event reached main worker. + at Worker.#poll (deno:runtime/js/11_workers.js:246:23) diff --git a/cli/tests/workers/read_check_granular_worker.js b/cli/tests/workers/read_check_granular_worker.js index d1a205391..25f2058b3 100644 --- a/cli/tests/workers/read_check_granular_worker.js +++ b/cli/tests/workers/read_check_granular_worker.js @@ -1,9 +1,7 @@ -import { fromFileUrl } from "../../../test_util/std/path/mod.ts"; - onmessage = async ({ data }) => { const { state } = await Deno.permissions.query({ name: "read", - path: fromFileUrl(new URL(data.route, import.meta.url)), + path: data.path, }); postMessage({ diff --git a/cli/tests/workers/static_remote.ts b/cli/tests/workers/static_remote.ts new file mode 100644 index 000000000..2d6e820fd --- /dev/null +++ b/cli/tests/workers/static_remote.ts @@ -0,0 +1,2 @@ +// This file doesn't really exist, but it doesn't matter, a "PermissionsDenied" error should be thrown. +import "https://example.com/some/file.ts"; diff --git a/cli/tests/workers/test.ts b/cli/tests/workers/test.ts index 41988d204..954737b3a 100644 --- a/cli/tests/workers/test.ts +++ b/cli/tests/workers/test.ts @@ -8,6 +8,7 @@ import { assertThrows, } from "../../../test_util/std/testing/asserts.ts"; import { deferred } from "../../../test_util/std/async/deferred.ts"; +import { fromFileUrl } from "../../../test_util/std/path/mod.ts"; Deno.test({ name: "worker terminate", @@ -476,8 +477,16 @@ Deno.test("Worker limit children permissions granularly", async function () { //Routes are relative to the spawned worker location const routes = [ - { permission: false, route: "read_check_granular_worker.js" }, - { permission: true, route: "read_check_worker.js" }, + { + permission: false, + path: fromFileUrl( + new URL("read_check_granular_worker.js", import.meta.url), + ), + }, + { + permission: true, + path: fromFileUrl(new URL("read_check_worker.js", import.meta.url)), + }, ]; let checked = 0; @@ -490,10 +499,10 @@ Deno.test("Worker limit children permissions granularly", async function () { } }; - routes.forEach(({ route }, index) => + routes.forEach(({ path }, index) => worker.postMessage({ index, - route, + path, }) ); @@ -553,12 +562,14 @@ Deno.test("Nested worker limit children permissions granularly", async function { childHasPermission: false, parentHasPermission: true, - route: "read_check_granular_worker.js", + path: fromFileUrl( + new URL("read_check_granular_worker.js", import.meta.url), + ), }, { childHasPermission: false, parentHasPermission: false, - route: "read_check_worker.js", + path: fromFileUrl(new URL("read_check_worker.js", import.meta.url)), }, ]; @@ -579,10 +590,10 @@ Deno.test("Nested worker limit children permissions granularly", async function }; // Index needed cause requests will be handled asynchronously - routes.forEach(({ route }, index) => + routes.forEach(({ path }, index) => worker.postMessage({ index, - route, + path, }) ); diff --git a/cli/tools/coverage.rs b/cli/tools/coverage.rs index 9a197eabd..23b4a4fb6 100644 --- a/cli/tools/coverage.rs +++ b/cli/tools/coverage.rs @@ -635,6 +635,7 @@ pub async fn cover_files( module_specifier.clone(), TypeLib::UnstableDenoWindow, Permissions::allow_all(), + Permissions::allow_all(), false, program_state.maybe_import_map.clone(), ) diff --git a/cli/tools/doc.rs b/cli/tools/doc.rs index 938944f2a..5794b494f 100644 --- a/cli/tools/doc.rs +++ b/cli/tools/doc.rs @@ -117,6 +117,7 @@ pub async fn print_docs( let handler = Arc::new(Mutex::new(FetchHandler::new( &program_state, Permissions::allow_all(), + Permissions::allow_all(), )?)); let mut builder = module_graph::GraphBuilder::new( handler, diff --git a/cli/tools/test_runner.rs b/cli/tools/test_runner.rs index fdb4be664..6b2eab36b 100644 --- a/cli/tools/test_runner.rs +++ b/cli/tools/test_runner.rs @@ -403,6 +403,7 @@ pub async fn run_tests( .prepare_module_graph( test_programs.clone(), lib.clone(), + Permissions::allow_all(), permissions.clone(), program_state.maybe_import_map.clone(), ) @@ -413,6 +414,7 @@ pub async fn run_tests( .prepare_module_graph( test_modules.clone(), lib.clone(), + Permissions::allow_all(), permissions.clone(), program_state.maybe_import_map.clone(), ) |