diff options
Diffstat (limited to 'tests')
10 files changed, 23 insertions, 11 deletions
diff --git a/tests/napi/cleanup_hook_test.js b/tests/napi/cleanup_hook_test.js index 017674ad4..2c1f73e12 100644 --- a/tests/napi/cleanup_hook_test.js +++ b/tests/napi/cleanup_hook_test.js @@ -17,9 +17,7 @@ if (import.meta.main) { "--config", Deno.realPathSync("../config/deno.json"), "--no-lock", - "--allow-read", - "--allow-run", - "--allow-ffi", + "-A", "--unstable-ffi", import.meta.url, ], diff --git a/tests/specs/permission/deny_run_binary_absolute_path/main.out b/tests/specs/permission/deny_run_binary_absolute_path/main.out index 45b228387..7f11e7880 100644 --- a/tests/specs/permission/deny_run_binary_absolute_path/main.out +++ b/tests/specs/permission/deny_run_binary_absolute_path/main.out @@ -1,3 +1,4 @@ +Warning --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses) NotCapable: Requires run access to "deno", run again with the --allow-run flag at [WILDCARD] { name: "NotCapable" diff --git a/tests/specs/permission/path_not_permitted/main.out b/tests/specs/permission/path_not_permitted/main.out index b057d0a63..02e5b937f 100644 --- a/tests/specs/permission/path_not_permitted/main.out +++ b/tests/specs/permission/path_not_permitted/main.out @@ -1,10 +1,10 @@ Running... -NotCapable: Requires run access to "deno", run again with the --allow-run flag +NotCapable: Requires run access to "binary", run again with the --allow-run flag [WILDCARD] at file:///[WILDLINE]/sub.ts:15:5 { name: "NotCapable" } -NotCapable: Requires run access to "deno", run again with the --allow-run flag +NotCapable: Requires run access to "binary", run again with the --allow-run flag [WILDCARD] at file:///[WILDLINE]/sub.ts:23:22 { name: "NotCapable" diff --git a/tests/specs/permission/path_not_permitted/main.ts b/tests/specs/permission/path_not_permitted/main.ts index 0cc141e7a..0587db916 100644 --- a/tests/specs/permission/path_not_permitted/main.ts +++ b/tests/specs/permission/path_not_permitted/main.ts @@ -1,4 +1,4 @@ -const binaryName = Deno.build.os === "windows" ? "deno.exe" : "deno"; +const binaryName = Deno.build.os === "windows" ? "binary.exe" : "binary"; Deno.copyFileSync(Deno.execPath(), binaryName); console.log("Running..."); @@ -9,9 +9,12 @@ new Deno.Command( "run", "--allow-write", "--allow-read", - `--allow-run=deno`, + `--allow-run=binary`, "sub.ts", ], + env: { + PATH: Deno.cwd(), + }, stderr: "inherit", stdout: "inherit", }, diff --git a/tests/specs/permission/path_not_permitted/sub.ts b/tests/specs/permission/path_not_permitted/sub.ts index ea527a938..e501b5b7b 100644 --- a/tests/specs/permission/path_not_permitted/sub.ts +++ b/tests/specs/permission/path_not_permitted/sub.ts @@ -1,4 +1,4 @@ -const binaryName = Deno.build.os === "windows" ? "deno.exe" : "deno"; +const binaryName = Deno.build.os === "windows" ? "binary.exe" : "binary"; const pathSep = Deno.build.os === "windows" ? "\\" : "/"; Deno.mkdirSync("subdir"); @@ -6,7 +6,7 @@ Deno.copyFileSync(binaryName, "subdir/" + binaryName); try { const commandResult = new Deno.Command( - "deno", + "binary", { env: { "PATH": Deno.cwd() + pathSep + "subdir" }, stdout: "inherit", @@ -22,7 +22,7 @@ try { try { const child = Deno.run( { - cmd: ["deno"], + cmd: ["binary"], env: { "PATH": Deno.cwd() + pathSep + "subdir" }, stdout: "inherit", stderr: "inherit", diff --git a/tests/specs/run/allow_run_insecure_warnings/__test__.jsonc b/tests/specs/run/allow_run_insecure_warnings/__test__.jsonc new file mode 100644 index 000000000..b64146ee9 --- /dev/null +++ b/tests/specs/run/allow_run_insecure_warnings/__test__.jsonc @@ -0,0 +1,8 @@ +{ + "tests": { + "no_allow_list": { + "args": "run --allow-run main.ts", + "output": "no_allow_list.out" + } + } +} diff --git a/tests/specs/run/allow_run_insecure_warnings/main.ts b/tests/specs/run/allow_run_insecure_warnings/main.ts new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/tests/specs/run/allow_run_insecure_warnings/main.ts diff --git a/tests/specs/run/allow_run_insecure_warnings/no_allow_list.out b/tests/specs/run/allow_run_insecure_warnings/no_allow_list.out new file mode 100644 index 000000000..277d0036c --- /dev/null +++ b/tests/specs/run/allow_run_insecure_warnings/no_allow_list.out @@ -0,0 +1 @@ +Warning --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses) diff --git a/tests/specs/test/captured_output/__test__.jsonc b/tests/specs/test/captured_output/__test__.jsonc index d620f61aa..f56c54555 100644 --- a/tests/specs/test/captured_output/__test__.jsonc +++ b/tests/specs/test/captured_output/__test__.jsonc @@ -1,5 +1,5 @@ { - "args": "test --allow-run --allow-read captured_output.ts", + "args": "test -A captured_output.ts", "output": "main.out", "envs": { "NO_COLOR": "1" }, "exitCode": 0 diff --git a/tests/testdata/run/deny_some_permission_args.out b/tests/testdata/run/deny_some_permission_args.out index abb5274ee..fe3e57d69 100644 --- a/tests/testdata/run/deny_some_permission_args.out +++ b/tests/testdata/run/deny_some_permission_args.out @@ -1,3 +1,4 @@ +Warning --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses) PermissionStatus { state: "granted", onchange: null, partial: true } PermissionStatus { state: "denied", onchange: null } PermissionStatus { state: "granted", onchange: null } |