summaryrefslogtreecommitdiff
path: root/runtime/ops/worker_host.rs
diff options
context:
space:
mode:
Diffstat (limited to 'runtime/ops/worker_host.rs')
-rw-r--r--runtime/ops/worker_host.rs48
1 files changed, 45 insertions, 3 deletions
diff --git a/runtime/ops/worker_host.rs b/runtime/ops/worker_host.rs
index 92de420e3..905ae1334 100644
--- a/runtime/ops/worker_host.rs
+++ b/runtime/ops/worker_host.rs
@@ -1,6 +1,8 @@
// Copyright 2018-2021 the Deno authors. All rights reserved. MIT license.
+
use crate::permissions::resolve_read_allowlist;
use crate::permissions::resolve_write_allowlist;
+use crate::permissions::EnvDescriptor;
use crate::permissions::NetDescriptor;
use crate::permissions::PermissionState;
use crate::permissions::Permissions;
@@ -186,6 +188,26 @@ fn merge_write_permission(
Ok(main)
}
+fn merge_env_permission(
+ mut main: UnaryPermission<EnvDescriptor>,
+ worker: Option<UnaryPermission<EnvDescriptor>>,
+) -> Result<UnaryPermission<EnvDescriptor>, AnyError> {
+ if let Some(worker) = worker {
+ if (worker.global_state < main.global_state)
+ || !worker.granted_list.iter().all(|x| main.check(&x.0).is_ok())
+ {
+ return Err(custom_error(
+ "PermissionDenied",
+ "Can't escalate parent thread permissions",
+ ));
+ } else {
+ main.global_state = worker.global_state;
+ main.granted_list = worker.granted_list;
+ }
+ }
+ Ok(main)
+}
+
fn merge_run_permission(
mut main: UnaryPermission<RunDescriptor>,
worker: Option<UnaryPermission<RunDescriptor>>,
@@ -211,7 +233,7 @@ fn create_worker_permissions(
worker_perms: PermissionsArg,
) -> Result<Permissions, AnyError> {
Ok(Permissions {
- env: merge_boolean_permission(main_perms.env, worker_perms.env)?,
+ env: merge_env_permission(main_perms.env, worker_perms.env)?,
hrtime: merge_boolean_permission(main_perms.hrtime, worker_perms.hrtime)?,
net: merge_net_permission(main_perms.net, worker_perms.net)?,
plugin: merge_boolean_permission(main_perms.plugin, worker_perms.plugin)?,
@@ -223,8 +245,8 @@ fn create_worker_permissions(
#[derive(Debug, Deserialize)]
struct PermissionsArg {
- #[serde(default, deserialize_with = "as_permission_state")]
- env: Option<PermissionState>,
+ #[serde(default, deserialize_with = "as_unary_env_permission")]
+ env: Option<UnaryPermission<EnvDescriptor>>,
#[serde(default, deserialize_with = "as_permission_state")]
hrtime: Option<PermissionState>,
#[serde(default, deserialize_with = "as_unary_net_permission")]
@@ -366,6 +388,26 @@ where
}))
}
+fn as_unary_env_permission<'de, D>(
+ deserializer: D,
+) -> Result<Option<UnaryPermission<EnvDescriptor>>, D::Error>
+where
+ D: Deserializer<'de>,
+{
+ let value: UnaryPermissionBase =
+ deserializer.deserialize_any(ParseBooleanOrStringVec)?;
+
+ Ok(Some(UnaryPermission::<EnvDescriptor> {
+ global_state: value.global_state,
+ granted_list: value
+ .paths
+ .into_iter()
+ .map(|env| EnvDescriptor(env.to_uppercase()))
+ .collect(),
+ ..Default::default()
+ }))
+}
+
fn as_unary_run_permission<'de, D>(
deserializer: D,
) -> Result<Option<UnaryPermission<RunDescriptor>>, D::Error>
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-27 09:48:42 +0000