diff options
| -rw-r--r-- | cli/dts/lib.deno.ns.d.ts | 5 | ||||
| -rw-r--r-- | cli/flags.rs | 48 | ||||
| -rw-r--r-- | cli/tests/089_run_allow_list.ts | 13 | ||||
| -rw-r--r-- | cli/tests/089_run_allow_list.ts.out | 3 | ||||
| -rw-r--r-- | cli/tests/090_run_permissions_request.ts | 9 | ||||
| -rw-r--r-- | cli/tests/090_run_permissions_request.ts.out | 3 | ||||
| -rw-r--r-- | cli/tests/integration_tests.rs | 15 | ||||
| -rw-r--r-- | runtime/ops/permissions.rs | 7 | ||||
| -rw-r--r-- | runtime/ops/process.rs | 10 | ||||
| -rw-r--r-- | runtime/ops/worker_host.rs | 43 | ||||
| -rw-r--r-- | runtime/permissions.rs | 166 |
11 files changed, 271 insertions, 51 deletions
diff --git a/cli/dts/lib.deno.ns.d.ts b/cli/dts/lib.deno.ns.d.ts index 4934c642d..09f39d6b8 100644 --- a/cli/dts/lib.deno.ns.d.ts +++ b/cli/dts/lib.deno.ns.d.ts @@ -1967,10 +1967,10 @@ declare namespace Deno { * * If `stdout` and/or `stderr` were set to `"piped"`, they must be closed * manually before the process can exit. - * + * * To run process to completion and collect output from both `stdout` and * `stderr` use: - * + * * ```ts * const p = Deno.run({ cmd, stderr: 'piped', stdout: 'piped' }); * const [status, stdout, stderr] = await Promise.all([ @@ -2135,6 +2135,7 @@ declare namespace Deno { export interface RunPermissionDescriptor { name: "run"; + command?: string; } export interface ReadPermissionDescriptor { diff --git a/cli/flags.rs b/cli/flags.rs index 6edce35de..eb4bc8641 100644 --- a/cli/flags.rs +++ b/cli/flags.rs @@ -133,7 +133,7 @@ pub struct Flags { pub allow_net: Option<Vec<String>>, pub allow_plugin: bool, pub allow_read: Option<Vec<PathBuf>>, - pub allow_run: bool, + pub allow_run: Option<Vec<String>>, pub allow_write: Option<Vec<PathBuf>>, pub location: Option<Url>, pub cache_blocklist: Vec<String>, @@ -211,8 +211,15 @@ impl Flags { args.push("--allow-env".to_string()); } - if self.allow_run { - args.push("--allow-run".to_string()); + match &self.allow_run { + Some(run_allowlist) if run_allowlist.is_empty() => { + args.push("--allow-run".to_string()); + } + Some(run_allowlist) => { + let s = format!("--allow-run={}", run_allowlist.join(",")); + args.push(s); + } + _ => {} } if self.allow_plugin { @@ -520,7 +527,7 @@ fn repl_parse(flags: &mut Flags, matches: &clap::ArgMatches) { flags.subcommand = DenoSubcommand::Repl; flags.allow_net = Some(vec![]); flags.allow_env = true; - flags.allow_run = true; + flags.allow_run = Some(vec![]); flags.allow_read = Some(vec![]); flags.allow_write = Some(vec![]); flags.allow_plugin = true; @@ -531,7 +538,7 @@ fn eval_parse(flags: &mut Flags, matches: &clap::ArgMatches) { runtime_args_parse(flags, matches, false, true); flags.allow_net = Some(vec![]); flags.allow_env = true; - flags.allow_run = true; + flags.allow_run = Some(vec![]); flags.allow_read = Some(vec![]); flags.allow_write = Some(vec![]); flags.allow_plugin = true; @@ -1399,6 +1406,10 @@ fn permission_args<'a, 'b>(app: App<'a, 'b>) -> App<'a, 'b> { .arg( Arg::with_name("allow-run") .long("allow-run") + .min_values(0) + .takes_value(true) + .use_delimiter(true) + .require_equals(true) .help("Allow running subprocesses"), ) .arg( @@ -1809,12 +1820,15 @@ fn permission_args_parse(flags: &mut Flags, matches: &clap::ArgMatches) { debug!("net allowlist: {:#?}", &flags.allow_net); } + if let Some(run_wl) = matches.values_of("allow-run") { + let run_allowlist: Vec<String> = run_wl.map(ToString::to_string).collect(); + flags.allow_run = Some(run_allowlist); + debug!("run allowlist: {:#?}", &flags.allow_run); + } + if matches.is_present("allow-env") { flags.allow_env = true; } - if matches.is_present("allow-run") { - flags.allow_run = true; - } if matches.is_present("allow-plugin") { flags.allow_plugin = true; } @@ -1825,7 +1839,7 @@ fn permission_args_parse(flags: &mut Flags, matches: &clap::ArgMatches) { flags.allow_read = Some(vec![]); flags.allow_env = true; flags.allow_net = Some(vec![]); - flags.allow_run = true; + flags.allow_run = Some(vec![]); flags.allow_write = Some(vec![]); flags.allow_plugin = true; flags.allow_hrtime = true; @@ -2032,7 +2046,7 @@ mod tests { }, allow_net: Some(vec![]), allow_env: true, - allow_run: true, + allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), allow_plugin: true, @@ -2404,7 +2418,7 @@ mod tests { }, allow_net: Some(vec![]), allow_env: true, - allow_run: true, + allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), allow_plugin: true, @@ -2427,7 +2441,7 @@ mod tests { }, allow_net: Some(vec![]), allow_env: true, - allow_run: true, + allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), allow_plugin: true, @@ -2451,7 +2465,7 @@ mod tests { }, allow_net: Some(vec![]), allow_env: true, - allow_run: true, + allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), allow_plugin: true, @@ -2488,7 +2502,7 @@ mod tests { inspect: Some("127.0.0.1:9229".parse().unwrap()), allow_net: Some(vec![]), allow_env: true, - allow_run: true, + allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), allow_plugin: true, @@ -2518,7 +2532,7 @@ mod tests { argv: svec!["arg1", "arg2"], allow_net: Some(vec![]), allow_env: true, - allow_run: true, + allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), allow_plugin: true, @@ -2538,7 +2552,7 @@ mod tests { subcommand: DenoSubcommand::Repl, allow_net: Some(vec![]), allow_env: true, - allow_run: true, + allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), allow_plugin: true, @@ -2572,7 +2586,7 @@ mod tests { inspect: Some("127.0.0.1:9229".parse().unwrap()), allow_net: Some(vec![]), allow_env: true, - allow_run: true, + allow_run: Some(vec![]), allow_read: Some(vec![]), allow_write: Some(vec![]), allow_plugin: true, diff --git a/cli/tests/089_run_allow_list.ts b/cli/tests/089_run_allow_list.ts new file mode 100644 index 000000000..85c1730a1 --- /dev/null +++ b/cli/tests/089_run_allow_list.ts @@ -0,0 +1,13 @@ +try { + Deno.run({ + cmd: ["ls"], + }); +} catch (e) { + console.log(e); +} + +const proc = Deno.run({ + cmd: ["cat", "089_run_allow_list.ts"], + stdout: "null", +}); +console.log((await proc.status()).success); diff --git a/cli/tests/089_run_allow_list.ts.out b/cli/tests/089_run_allow_list.ts.out new file mode 100644 index 000000000..68a4a2ac5 --- /dev/null +++ b/cli/tests/089_run_allow_list.ts.out @@ -0,0 +1,3 @@ +[WILDCARD]PermissionDenied: Requires run access to "ls", run again with the --allow-run flag +[WILDCARD] +true diff --git a/cli/tests/090_run_permissions_request.ts b/cli/tests/090_run_permissions_request.ts new file mode 100644 index 000000000..044bc6e8e --- /dev/null +++ b/cli/tests/090_run_permissions_request.ts @@ -0,0 +1,9 @@ +const status1 = + (await Deno.permissions.request({ name: "run", command: "ls" })).state; +const status2 = + (await Deno.permissions.query({ name: "run", command: "cat" })).state; +const status3 = + (await Deno.permissions.request({ name: "run", command: "cat" })).state; +console.log(status1); +console.log(status2); +console.log(status3); diff --git a/cli/tests/090_run_permissions_request.ts.out b/cli/tests/090_run_permissions_request.ts.out new file mode 100644 index 000000000..362425876 --- /dev/null +++ b/cli/tests/090_run_permissions_request.ts.out @@ -0,0 +1,3 @@ +[WILDCARD]granted +prompt +denied diff --git a/cli/tests/integration_tests.rs b/cli/tests/integration_tests.rs index 310cb3289..2d4d8995e 100644 --- a/cli/tests/integration_tests.rs +++ b/cli/tests/integration_tests.rs @@ -2846,6 +2846,21 @@ console.log("finish"); output: "088_dynamic_import_already_evaluating.ts.out", }); + itest!(_089_run_allow_list { + args: "run --allow-run=cat 089_run_allow_list.ts", + output: "089_run_allow_list.ts.out", + }); + + #[cfg(unix)] + #[test] + fn _090_run_permissions_request() { + let args = "run 090_run_permissions_request.ts"; + let output = "090_run_permissions_request.ts.out"; + let input = b"g\nd\n"; + + util::test_pty(args, output, input); + } + itest!(js_import_detect { args: "run --quiet --reload js_import_detect.ts", output: "js_import_detect.ts.out", diff --git a/runtime/ops/permissions.rs b/runtime/ops/permissions.rs index be8c9974c..77d095d84 100644 --- a/runtime/ops/permissions.rs +++ b/runtime/ops/permissions.rs @@ -21,6 +21,7 @@ pub struct PermissionArgs { name: String, path: Option<String>, host: Option<String>, + command: Option<String>, } pub fn op_query_permission( @@ -41,7 +42,7 @@ pub fn op_query_permission( .as_ref(), ), "env" => permissions.env.query(), - "run" => permissions.run.query(), + "run" => permissions.run.query(args.command.as_deref()), "plugin" => permissions.plugin.query(), "hrtime" => permissions.hrtime.query(), n => { @@ -72,7 +73,7 @@ pub fn op_revoke_permission( .as_ref(), ), "env" => permissions.env.revoke(), - "run" => permissions.run.revoke(), + "run" => permissions.run.revoke(args.command.as_deref()), "plugin" => permissions.plugin.revoke(), "hrtime" => permissions.hrtime.revoke(), n => { @@ -103,7 +104,7 @@ pub fn op_request_permission( .as_ref(), ), "env" => permissions.env.request(), - "run" => permissions.run.request(), + "run" => permissions.run.request(args.command.as_deref()), "plugin" => permissions.plugin.request(), "hrtime" => permissions.hrtime.request(), n => { diff --git a/runtime/ops/process.rs b/runtime/ops/process.rs index c2ca2c687..625bc204c 100644 --- a/runtime/ops/process.rs +++ b/runtime/ops/process.rs @@ -96,9 +96,8 @@ fn op_run( run_args: RunArgs, _zero_copy: Option<ZeroCopyBuf>, ) -> Result<RunInfo, AnyError> { - state.borrow::<Permissions>().run.check()?; - let args = run_args.cmd; + state.borrow::<Permissions>().run.check(&args[0])?; let env = run_args.env; let cwd = run_args.cwd; @@ -198,11 +197,6 @@ async fn op_run_status( rid: ResourceId, _zero_copy: Option<ZeroCopyBuf>, ) -> Result<RunStatus, AnyError> { - { - let s = state.borrow(); - s.borrow::<Permissions>().run.check()?; - } - let resource = state .borrow_mut() .resource_table @@ -292,7 +286,7 @@ fn op_kill( _zero_copy: Option<ZeroCopyBuf>, ) -> Result<(), AnyError> { super::check_unstable(state, "Deno.kill"); - state.borrow::<Permissions>().run.check()?; + state.borrow::<Permissions>().run.check_all()?; kill(args.pid, args.signo)?; Ok(()) diff --git a/runtime/ops/worker_host.rs b/runtime/ops/worker_host.rs index d8e60171e..2f297fb08 100644 --- a/runtime/ops/worker_host.rs +++ b/runtime/ops/worker_host.rs @@ -5,6 +5,7 @@ use crate::permissions::NetDescriptor; use crate::permissions::PermissionState; use crate::permissions::Permissions; use crate::permissions::ReadDescriptor; +use crate::permissions::RunDescriptor; use crate::permissions::UnaryPermission; use crate::permissions::UnitPermission; use crate::permissions::WriteDescriptor; @@ -189,6 +190,26 @@ fn merge_write_permission( Ok(main) } +fn merge_run_permission( + mut main: UnaryPermission<RunDescriptor>, + worker: Option<UnaryPermission<RunDescriptor>>, +) -> Result<UnaryPermission<RunDescriptor>, AnyError> { + if let Some(worker) = worker { + if (worker.global_state < main.global_state) + || !worker.granted_list.iter().all(|x| main.check(&x.0).is_ok()) + { + return Err(custom_error( + "PermissionDenied", + "Can't escalate parent thread permissions", + )); + } else { + main.global_state = worker.global_state; + main.granted_list = worker.granted_list; + } + } + Ok(main) +} + fn create_worker_permissions( main_perms: Permissions, worker_perms: PermissionsArg, @@ -199,7 +220,7 @@ fn create_worker_permissions( net: merge_net_permission(main_perms.net, worker_perms.net)?, plugin: merge_boolean_permission(main_perms.plugin, worker_perms.plugin)?, read: merge_read_permission(main_perms.read, worker_perms.read)?, - run: merge_boolean_permission(main_perms.run, worker_perms.run)?, + run: merge_run_permission(main_perms.run, worker_perms.run)?, write: merge_write_permission(main_perms.write, worker_perms.write)?, }) } @@ -216,8 +237,8 @@ struct PermissionsArg { plugin: Option<PermissionState>, #[serde(default, deserialize_with = "as_unary_read_permission")] read: Option<UnaryPermission<ReadDescriptor>>, - #[serde(default, deserialize_with = "as_permission_state")] - run: Option<PermissionState>, + #[serde(default, deserialize_with = "as_unary_run_permission")] + run: Option<UnaryPermission<RunDescriptor>>, #[serde(default, deserialize_with = "as_unary_write_permission")] write: Option<UnaryPermission<WriteDescriptor>>, } @@ -349,6 +370,22 @@ where })) } +fn as_unary_run_permission<'de, D>( + deserializer: D, +) -> Result<Option<UnaryPermission<RunDescriptor>>, D::Error> +where + D: Deserializer<'de>, +{ + let value: UnaryPermissionBase = + deserializer.deserialize_any(ParseBooleanOrStringVec)?; + + Ok(Some(UnaryPermission::<RunDescriptor> { + global_state: value.global_state, + granted_list: value.paths.into_iter().map(RunDescriptor).collect(), + ..Default::default() + })) +} + #[derive(Deserialize)] #[serde(rename_all = "camelCase")] pub struct CreateWorkerArgs { diff --git a/runtime/permissions.rs b/runtime/permissions.rs index 45b7c0bf1..dba6dc1a5 100644 --- a/runtime/permissions.rs +++ b/runtime/permissions.rs @@ -146,6 +146,9 @@ impl fmt::Display for NetDescriptor { } } +#[derive(Clone, Eq, PartialEq, Hash, Debug, Default, Deserialize)] +pub struct RunDescriptor(pub String); + impl UnaryPermission<ReadDescriptor> { pub fn query(&self, path: Option<&Path>) -> PermissionState { let path = path.map(|p| resolve_from_cwd(p).unwrap()); @@ -466,13 +469,126 @@ impl UnaryPermission<NetDescriptor> { } } +impl UnaryPermission<RunDescriptor> { + pub fn query(&self, cmd: Option<&str>) -> PermissionState { + if self.global_state == PermissionState::Denied + && match cmd { + None => true, + Some(cmd) => self.denied_list.iter().any(|cmd_| cmd_.0 == cmd), + } + { + PermissionState::Denied + } else if self.global_state == PermissionState::Granted + || match cmd { + None => false, + Some(cmd) => self.granted_list.iter().any(|cmd_| cmd_.0 == cmd), + } + { + PermissionState::Granted + } else { + PermissionState::Prompt + } + } + + pub fn request(&mut self, cmd: Option<&str>) -> PermissionState { + if let Some(cmd) = cmd { + let state = self.query(Some(&cmd)); + if state == PermissionState::Prompt { + if permission_prompt(&format!("run access to \"{}\"", cmd)) { + self.granted_list.retain(|cmd_| cmd_.0 != cmd); + self.granted_list.insert(RunDescriptor(cmd.to_string())); + PermissionState::Granted + } else { + self.denied_list.retain(|cmd_| cmd_.0 != cmd); + self.denied_list.insert(RunDescriptor(cmd.to_string())); + self.global_state = PermissionState::Denied; + PermissionState::Denied + } + } else { + state + } + } else { + let state = self.query(None); + if state == PermissionState::Prompt { + if permission_prompt("run access") { + self.granted_list.clear(); + self.global_state = PermissionState::Granted; + PermissionState::Granted + } else { + self.global_state = PermissionState::Denied; + PermissionState::Denied + } + } else { + state + } + } + } + + pub fn revoke(&mut self, cmd: Option<&str>) -> PermissionState { + if let Some(cmd) = cmd { + self.granted_list.retain(|cmd_| cmd_.0 != cmd); + } else { + self.granted_list.clear(); + if self.global_state == PermissionState::Granted { + self.global_state = PermissionState::Prompt; + } + } + self.query(cmd) + } + + pub fn check(&self, cmd: &str) -> Result<(), AnyError> { + self + .query(Some(cmd)) + .check(self.name, Some(&format!("\"{}\"", cmd))) + } + + pub fn check_all(&self) -> Result<(), AnyError> { + self.query(None).check(self.name, Some("all")) + } +} + +#[derive(Clone, Debug, Default, PartialEq)] +pub struct BooleanPermission { + pub name: &'static str, + pub description: &'static str, + pub state: PermissionState, +} + +impl BooleanPermission { + pub fn query(&self) -> PermissionState { + self.state + } + + pub fn request(&mut self) -> PermissionState { + if self.state == PermissionState::Prompt { + if permission_prompt(&format!("access to {}", self.description)) { + self.state = PermissionState::Granted; + } else { + self.state = PermissionState::Denied; + } + } + self.state + } + + pub fn revoke(&mut self) -> PermissionState { + if self.state == PermissionState::Granted { + self.state = PermissionState::Prompt; + } + self.state + } + + pub fn check(&self) -> Result<(), AnyError> { + self.state.check(self.name, None) + } +} + #[derive(Clone, Debug, Default, PartialEq)] pub struct Permissions { pub read: UnaryPermission<ReadDescriptor>, pub write: UnaryPermission<WriteDescriptor>, pub net: UnaryPermission<NetDescriptor>, pub env: UnitPermission, - pub run: UnitPermission, + pub run: UnaryPermission<RunDescriptor>, pub plugin: UnitPermission, pub hrtime: UnitPermission, } @@ -484,7 +600,7 @@ pub struct PermissionsOptions { pub allow_net: Option<Vec<String>>, pub allow_plugin: bool, pub allow_read: Option<Vec<PathBuf>>, - pub allow_run: bool, + pub allow_run: Option<Vec<String>>, pub allow_write: Option<Vec<PathBuf>>, } @@ -536,8 +652,19 @@ impl Permissions { boolean_permission_from_flag_bool(state, "env", "environment variables") } - pub fn new_run(state: bool) -> UnitPermission { - boolean_permission_from_flag_bool(state, "run", "run a subprocess") + pub fn new_run( + state: &Option<Vec<String>>, + ) -> UnaryPermission<RunDescriptor> { + UnaryPermission::<RunDescriptor> { + name: "run", + description: "run a subprocess", + global_state: global_state_from_option(state), + granted_list: state + .as_ref() + .map(|v| v.iter().map(|x| RunDescriptor(x.clone())).collect()) + .unwrap_or_else(HashSet::new), + denied_list: Default::default(), + } } pub fn new_plugin(state: bool) -> UnitPermission { @@ -554,7 +681,7 @@ impl Permissions { write: Permissions::new_write(&opts.allow_write), net: Permissions::new_net(&opts.allow_net), env: Permissions::new_env(opts.allow_env), - run: Permissions::new_run(opts.allow_run), + run: Permissions::new_run(&opts.allow_run), plugin: Permissions::new_plugin(opts.allow_plugin), hrtime: Permissions::new_hrtime(opts.allow_hrtime), } @@ -566,7 +693,7 @@ impl Permissions { write: Permissions::new_write(&Some(vec![])), net: Permissions::new_net(&Some(vec![])), env: Permissions::new_env(true), - run: Permissions::new_run(true), + run: Permissions::new_run(&Some(vec![])), plugin: Permissions::new_plugin(true), hrtime: Permissions::new_hrtime(true), } @@ -1062,9 +1189,9 @@ mod tests { state: PermissionState::Prompt, ..Default::default() }, - run: UnitPermission { - state: PermissionState::Prompt, - ..Default::default() + run: UnaryPermission { + global_state: PermissionState::Prompt, + ..Permissions::new_run(&Some(svec!["deno"])) }, plugin: UnitPermission { state: PermissionState::Prompt, @@ -1093,8 +1220,10 @@ mod tests { assert_eq!(perms2.net.query(Some(&("127.0.0.1", Some(8000)))), PermissionState::Granted); assert_eq!(perms1.env.query(), PermissionState::Granted); assert_eq!(perms2.env.query(), PermissionState::Prompt); - assert_eq!(perms1.run.query(), PermissionState::Granted); - assert_eq!(perms2.run.query(), PermissionState::Prompt); + assert_eq!(perms1.run.query(None), PermissionState::Granted); + assert_eq!(perms1.run.query(Some(&"deno".to_string())), PermissionState::Granted); + assert_eq!(perms2.run.query(None), PermissionState::Prompt); + assert_eq!(perms2.run.query(Some(&"deno".to_string())), PermissionState::Granted); assert_eq!(perms1.plugin.query(), PermissionState::Granted); assert_eq!(perms2.plugin.query(), PermissionState::Prompt); assert_eq!(perms1.hrtime.query(), PermissionState::Granted); @@ -1126,10 +1255,11 @@ mod tests { assert_eq!(perms.env.request(), PermissionState::Granted); set_prompt_result(false); assert_eq!(perms.env.request(), PermissionState::Granted); - set_prompt_result(false); - assert_eq!(perms.run.request(), PermissionState::Denied); set_prompt_result(true); - assert_eq!(perms.run.request(), PermissionState::Denied); + assert_eq!(perms.run.request(Some(&"deno".to_string())), PermissionState::Granted); + assert_eq!(perms.run.query(None), PermissionState::Prompt); + set_prompt_result(false); + assert_eq!(perms.run.request(Some(&"deno".to_string())), PermissionState::Granted); set_prompt_result(true); assert_eq!(perms.plugin.request(), PermissionState::Granted); set_prompt_result(false); @@ -1160,9 +1290,9 @@ mod tests { state: PermissionState::Granted, ..Default::default() }, - run: UnitPermission { - state: PermissionState::Granted, - ..Default::default() + run: UnaryPermission { + global_state: PermissionState::Prompt, + ..Permissions::new_run(&Some(svec!["deno"])) }, plugin: UnitPermission { state: PermissionState::Prompt, @@ -1184,7 +1314,7 @@ mod tests { assert_eq!(perms.net.revoke(Some(&("127.0.0.1", Some(8000)))), PermissionState::Granted); assert_eq!(perms.net.revoke(Some(&("127.0.0.1", None))), PermissionState::Prompt); assert_eq!(perms.env.revoke(), PermissionState::Prompt); - assert_eq!(perms.run.revoke(), PermissionState::Prompt); + assert_eq!(perms.run.revoke(Some(&"deno".to_string())), PermissionState::Prompt); assert_eq!(perms.plugin.revoke(), PermissionState::Prompt); assert_eq!(perms.hrtime.revoke(), PermissionState::Denied); }; |