diff options
| -rw-r--r-- | fetch.go | 6 | ||||
| -rw-r--r-- | integration_test.go | 3 | ||||
| -rw-r--r-- | main.go | 24 | ||||
| -rw-r--r-- | os.go | 9 |
4 files changed, 40 insertions, 2 deletions
@@ -31,6 +31,12 @@ func Fetch(id int32, targetUrl string) []byte { FetchResId: id, } + if !Perms.Connect { + resMsg.Error = "Permission to connect denied." + PubMsg("fetch", resMsg) + return + } + resp, err := http.Get(targetUrl) if err != nil { resMsg.Error = err.Error() diff --git a/integration_test.go b/integration_test.go index 5b96c0abc..d98856f37 100644 --- a/integration_test.go +++ b/integration_test.go @@ -149,7 +149,8 @@ func TestErrors(t *testing.T) { func TestTestsTs(t *testing.T) { integrationTestSetup() - cmd := exec.Command(denoFn, "tests.ts") + // TODO Need unit test for each of the permissions. + cmd := exec.Command(denoFn, "--allow-connect", "--allow-write", "tests.ts") cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr err := cmd.Run() @@ -14,6 +14,29 @@ var flagV8Options = flag.Bool("v8-options", false, "Print V8 command line option var flagDebug = flag.Bool("debug", false, "Enable debug output.") var flagGoProf = flag.String("goprof", "", "Write golang cpu profile to file.") +var flagAllowWrite = flag.Bool("allow-write", false, + "Allow program to write to the fs.") +var flagAllowConnect = flag.Bool("allow-connect", false, + "Allow program to connect to other network addresses.") +var flagAllowAccept = flag.Bool("allow-accept", false, + "Allow program to accept connections.") +var flagAllowRead = flag.Bool("allow-read", true, + "Allow program to read file system.") + +var Perms struct { + FsRead bool + FsWrite bool + Connect bool + Accept bool +} + +func setPerms() { + Perms.FsRead = *flagAllowRead + Perms.FsWrite = *flagAllowWrite + Perms.Connect = *flagAllowConnect + Perms.Accept = *flagAllowAccept +} + func stringAsset(path string) string { data, err := Asset("dist/" + path) check(err) @@ -23,6 +46,7 @@ func stringAsset(path string) string { func FlagsParse() []string { flag.Parse() args := flag.Args() + setPerms() if *flagV8Options { args = append(args, "--help") } @@ -17,7 +17,14 @@ const assetPrefix string = "/$asset$/" var fs afero.Fs func InitOS() { - fs = afero.NewOsFs() + if Perms.FsWrite { + assert(Perms.FsRead, "Write access requires read access.") + fs = afero.NewOsFs() + } else if Perms.FsRead { + fs = afero.NewReadOnlyFs(afero.NewOsFs()) + } else { + panic("Not implemented.") + } Sub("os", func(buf []byte) []byte { msg := &Msg{} |