Diffstat (limited to 'cli')
-rw-r--r--cli/dts/lib.deno.ns.d.ts5
-rw-r--r--cli/flags.rs48
-rw-r--r--cli/tests/089_run_allow_list.ts13
-rw-r--r--cli/tests/089_run_allow_list.ts.out3
-rw-r--r--cli/tests/090_run_permissions_request.ts9
-rw-r--r--cli/tests/090_run_permissions_request.ts.out3
-rw-r--r--cli/tests/integration_tests.rs15
7 files changed, 77 insertions, 19 deletions
diff --git a/cli/dts/lib.deno.ns.d.ts b/cli/dts/lib.deno.ns.d.ts
index 4934c642d..09f39d6b8 100644
--- a/cli/dts/lib.deno.ns.d.ts
+++ b/cli/dts/lib.deno.ns.d.ts
@@ -1967,10 +1967,10 @@ declare namespace Deno {
*
* If `stdout` and/or `stderr` were set to `"piped"`, they must be closed
* manually before the process can exit.
- *
+ *
* To run process to completion and collect output from both `stdout` and
* `stderr` use:
- *
+ *
* ```ts
* const p = Deno.run({ cmd, stderr: 'piped', stdout: 'piped' });
* const [status, stdout, stderr] = await Promise.all([
@@ -2135,6 +2135,7 @@ declare namespace Deno {
export interface RunPermissionDescriptor {
name: "run";
+ command?: string;
}
export interface ReadPermissionDescriptor {
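Review bot: The new `command?: string;` field on `RunPermissionDescriptor` has no doc comment, so a caller cannot tell what an omitted `command` means or how the string is compared with the first element of `cmd`. I would add something like `/** The command to query or request run access for; when omitted, the descriptor refers to run access for all commands. */`, assuming that is the intended meaning, which the visible hunks do not show. It would also help to say whether the value is a bare name or a path, since the new test passes the bare name `cat`.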
diff --git a/cli/flags.rs b/cli/flags.rs
index 6edce35de..eb4bc8641 100644
--- a/cli/flags.rs
+++ b/cli/flags.rs
@@ -133,7 +133,7 @@ pub struct Flags {
pub allow_net: Option<Vec<String>>,
pub allow_plugin: bool,
pub allow_read: Option<Vec<PathBuf>>,
- pub allow_run: bool,
+ pub allow_run: Option<Vec<String>>,
pub allow_write: Option<Vec<PathBuf>>,
pub location: Option<Url>,
pub cache_blocklist: Vec<String>,
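Review bot: `allow_run: Option<Vec<String>>` now encodes three states, and the least obvious one, `Some(vec![])`, means every command is allowed, which the `repl_parse`, `eval_parse` and allow-all hunks below rely on. A field comment would keep a later change from reading an empty list as "nothing allowed": `/// None: run denied. Some(empty): all commands allowed. Some(list): only the listed commands.` The struct continues outside the hunk.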
@@ -211,8 +211,15 @@ impl Flags {
args.push("--allow-env".to_string());
}
- if self.allow_run {
- args.push("--allow-run".to_string());
+ match &self.allow_run {
+ Some(run_allowlist) if run_allowlist.is_empty() => {
+ args.push("--allow-run".to_string());
+ }
+ Some(run_allowlist) => {
+ let s = format!("--allow-run={}", run_allowlist.join(","));
+ args.push(s);
+ }
+ _ => {}
}
if self.allow_plugin {
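Review bot: The catch-all arm `_ => {}` in the new `match &self.allow_run` can only ever match `None`; writing `None => {}` names the case and keeps the match exhaustive by variant. The guard arm `Some(run_allowlist) if run_allowlist.is_empty()` is what maps an empty list to the unrestricted `--allow-run`, so a one-line comment on it such as `// empty list = unrestricted run access` would make that explicit. The enclosing function starts and ends outside the hunk.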
@@ -520,7 +527,7 @@ fn repl_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
flags.subcommand = DenoSubcommand::Repl;
flags.allow_net = Some(vec![]);
flags.allow_env = true;
- flags.allow_run = true;
+ flags.allow_run = Some(vec![]);
flags.allow_read = Some(vec![]);
flags.allow_write = Some(vec![]);
flags.allow_plugin = true;
@@ -531,7 +538,7 @@ fn eval_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
runtime_args_parse(flags, matches, false, true);
flags.allow_net = Some(vec![]);
flags.allow_env = true;
- flags.allow_run = true;
+ flags.allow_run = Some(vec![]);
flags.allow_read = Some(vec![]);
flags.allow_write = Some(vec![]);
flags.allow_plugin = true;
@@ -1399,6 +1406,10 @@ fn permission_args<'a, 'b>(app: App<'a, 'b>) -> App<'a, 'b> {
.arg(
Arg::with_name("allow-run")
.long("allow-run")
+ .min_values(0)
+ .takes_value(true)
+ .use_delimiter(true)
+ .require_equals(true)
.help("Allow running subprocesses"),
)
.arg(
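Review bot: The help text still reads `Allow running subprocesses`, although the argument now accepts an optional comma-separated list through `.use_delimiter(true)` and `.require_equals(true)`. Users will not learn from `--help` that run access can be narrowed to specific commands; something like `.help("Allow running subprocesses. Optionally specify allowed commands, e.g. --allow-run=cat,ls")` would make the restricted form discoverable. The builder chain continues outside the hunk.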
@@ -1809,12 +1820,15 @@ fn permission_args_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
debug!("net allowlist: {:#?}", &flags.allow_net);
}
+ if let Some(run_wl) = matches.values_of("allow-run") {
+ let run_allowlist: Vec<String> = run_wl.map(ToString::to_string).collect();
+ flags.allow_run = Some(run_allowlist);
+ debug!("run allowlist: {:#?}", &flags.allow_run);
+ }
+
if matches.is_present("allow-env") {
flags.allow_env = true;
}
- if matches.is_present("allow-run") {
- flags.allow_run = true;
- }
if matches.is_present("allow-plugin") {
flags.allow_plugin = true;
}
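Review bot: The added `if let Some(run_wl) = matches.values_of("allow-run")` block copies whatever clap yields into `flags.allow_run` without inspecting the entries, and an empty `Vec` there means unrestricted run access. With `.min_values(0)` the bare `--allow-run` is meant to produce that, but the visible hunks add no unit test for `--allow-run=` (for example from an unset shell variable) or for a trailing comma, so whether those yield an empty-string entry or an empty list is not pinned. I would add cases in `mod tests` for `--allow-run=cat,ls`, `--allow-run` and `--allow-run=`, and a comment above the block: `// Some(vec![]) (bare --allow-run) grants all commands; never normalise a list to empty`. The function starts and ends outside the hunk.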
@@ -1825,7 +1839,7 @@ fn permission_args_parse(flags: &mut Flags, matches: &clap::ArgMatches) {
flags.allow_read = Some(vec![]);
flags.allow_env = true;
flags.allow_net = Some(vec![]);
- flags.allow_run = true;
+ flags.allow_run = Some(vec![]);
flags.allow_write = Some(vec![]);
flags.allow_plugin = true;
flags.allow_hrtime = true;
@@ -2032,7 +2046,7 @@ mod tests {
},
allow_net: Some(vec![]),
allow_env: true,
- allow_run: true,
+ allow_run: Some(vec![]),
allow_read: Some(vec![]),
allow_write: Some(vec![]),
allow_plugin: true,
@@ -2404,7 +2418,7 @@ mod tests {
},
allow_net: Some(vec![]),
allow_env: true,
- allow_run: true,
+ allow_run: Some(vec![]),
allow_read: Some(vec![]),
allow_write: Some(vec![]),
allow_plugin: true,
@@ -2427,7 +2441,7 @@ mod tests {
},
allow_net: Some(vec![]),
allow_env: true,
- allow_run: true,
+ allow_run: Some(vec![]),
allow_read: Some(vec![]),
allow_write: Some(vec![]),
allow_plugin: true,
@@ -2451,7 +2465,7 @@ mod tests {
},
allow_net: Some(vec![]),
allow_env: true,
- allow_run: true,
+ allow_run: Some(vec![]),
allow_read: Some(vec![]),
allow_write: Some(vec![]),
allow_plugin: true,
@@ -2488,7 +2502,7 @@ mod tests {
inspect: Some("127.0.0.1:9229".parse().unwrap()),
allow_net: Some(vec![]),
allow_env: true,
- allow_run: true,
+ allow_run: Some(vec![]),
allow_read: Some(vec![]),
allow_write: Some(vec![]),
allow_plugin: true,
@@ -2518,7 +2532,7 @@ mod tests {
argv: svec!["arg1", "arg2"],
allow_net: Some(vec![]),
allow_env: true,
- allow_run: true,
+ allow_run: Some(vec![]),
allow_read: Some(vec![]),
allow_write: Some(vec![]),
allow_plugin: true,
@@ -2538,7 +2552,7 @@ mod tests {
subcommand: DenoSubcommand::Repl,
allow_net: Some(vec![]),
allow_env: true,
- allow_run: true,
+ allow_run: Some(vec![]),
allow_read: Some(vec![]),
allow_write: Some(vec![]),
allow_plugin: true,
@@ -2572,7 +2586,7 @@ mod tests {
inspect: Some("127.0.0.1:9229".parse().unwrap()),
allow_net: Some(vec![]),
allow_env: true,
- allow_run: true,
+ allow_run: Some(vec![]),
allow_read: Some(vec![]),
allow_write: Some(vec![]),
allow_plugin: true,
diff --git a/cli/tests/089_run_allow_list.ts b/cli/tests/089_run_allow_list.ts
new file mode 100644
index 000000000..85c1730a1
--- /dev/null
+++ b/cli/tests/089_run_allow_list.ts
@@ -0,0 +1,13 @@
+try {
+ Deno.run({
+ cmd: ["ls"],
+ });
+} catch (e) {
+ console.log(e);
+}
+
+const proc = Deno.run({
+ cmd: ["cat", "089_run_allow_list.ts"],
+ stdout: "null",
+});
+console.log((await proc.status()).success);
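Review bot: The test exercises only bare command names (`ls`, `cat`) against `--allow-run=cat`, so it does not pin how the allowlist treats a path spelling of the same binary. Because the allowlist is a security boundary, one case per spelling, with the expected result stated either way, would document whether matching is by name or by resolved path. Separately, `proc` is never closed; a `proc.close();` after the awaited `proc.status()` would avoid leaving the resource open.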
diff --git a/cli/tests/089_run_allow_list.ts.out b/cli/tests/089_run_allow_list.ts.out
new file mode 100644
index 000000000..68a4a2ac5
--- /dev/null
+++ b/cli/tests/089_run_allow_list.ts.out
@@ -0,0 +1,3 @@
+[WILDCARD]PermissionDenied: Requires run access to "ls", run again with the --allow-run flag
+[WILDCARD]
+true
diff --git a/cli/tests/090_run_permissions_request.ts b/cli/tests/090_run_permissions_request.ts
new file mode 100644
index 000000000..044bc6e8e
--- /dev/null
+++ b/cli/tests/090_run_permissions_request.ts
@@ -0,0 +1,9 @@
+const status1 =
+ (await Deno.permissions.request({ name: "run", command: "ls" })).state;
+const status2 =
+ (await Deno.permissions.query({ name: "run", command: "cat" })).state;
+const status3 =
+ (await Deno.permissions.request({ name: "run", command: "cat" })).state;
+console.log(status1);
+console.log(status2);
+console.log(status3);
diff --git a/cli/tests/090_run_permissions_request.ts.out b/cli/tests/090_run_permissions_request.ts.out
new file mode 100644
index 000000000..362425876
--- /dev/null
+++ b/cli/tests/090_run_permissions_request.ts.out
@@ -0,0 +1,3 @@
+[WILDCARD]granted
+prompt
+denied
diff --git a/cli/tests/integration_tests.rs b/cli/tests/integration_tests.rs
index 310cb3289..2d4d8995e 100644
--- a/cli/tests/integration_tests.rs
+++ b/cli/tests/integration_tests.rs
@@ -2846,6 +2846,21 @@ console.log("finish");
output: "088_dynamic_import_already_evaluating.ts.out",
});
+ itest!(_089_run_allow_list {
+ args: "run --allow-run=cat 089_run_allow_list.ts",
+ output: "089_run_allow_list.ts.out",
+ });
+
+ #[cfg(unix)]
+ #[test]
+ fn _090_run_permissions_request() {
+ let args = "run 090_run_permissions_request.ts";
+ let output = "090_run_permissions_request.ts.out";
+ let input = b"g\nd\n";
+
+ util::test_pty(args, output, input);
+ }
+
itest!(js_import_detect {
args: "run --quiet --reload js_import_detect.ts",
output: "js_import_detect.ts.out",
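Review bot: `itest!(_089_run_allow_list { ... })` is not gated by platform, while the script it runs spawns `cat` and expects `true`; `_090_run_permissions_request` directly below it carries `#[cfg(unix)]`. On a platform without a `cat` executable the spawn would presumably fail instead of printing `true`. If `itest!` cannot take attributes, the script could choose the command from `Deno.build.os`; otherwise gate `_089` the same way as `_090`.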