From 5504acea6751480f1425c88353ad5d36257bdce7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= <biwanczuk@gmail.com>
Date: Thu, 26 Sep 2024 02:50:54 +0100
Subject: feat: add `--allow-import` flag (#25469)

This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.

By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.

Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:

```ts
deno run -A -r https://fresh.deno.dev
```

---------

Co-authored-by: David Sherret <dsherret@gmail.com>
---
 cli/standalone/mod.rs | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

(limited to 'cli/standalone')

diff --git a/cli/standalone/mod.rs b/cli/standalone/mod.rs
index bab266734..c501d2d6b 100644
--- a/cli/standalone/mod.rs
+++ b/cli/standalone/mod.rs
@@ -130,8 +130,6 @@ struct SharedModuleLoaderState {
 #[derive(Clone)]
 struct EmbeddedModuleLoader {
   shared: Arc<SharedModuleLoaderState>,
-  root_permissions: PermissionsContainer,
-  dynamic_permissions: PermissionsContainer,
 }
 
 pub const MODULE_NOT_FOUND: &str = "Module not found";
@@ -402,28 +400,23 @@ struct StandaloneModuleLoaderFactory {
 impl ModuleLoaderFactory for StandaloneModuleLoaderFactory {
   fn create_for_main(
     &self,
-    root_permissions: PermissionsContainer,
-    dynamic_permissions: PermissionsContainer,
+    _root_permissions: PermissionsContainer,
   ) -> ModuleLoaderAndSourceMapGetter {
     ModuleLoaderAndSourceMapGetter {
       module_loader: Rc::new(EmbeddedModuleLoader {
         shared: self.shared.clone(),
-        root_permissions,
-        dynamic_permissions,
       }),
     }
   }
 
   fn create_for_worker(
     &self,
-    root_permissions: PermissionsContainer,
-    dynamic_permissions: PermissionsContainer,
+    _parent_permissions: PermissionsContainer,
+    _permissions: PermissionsContainer,
   ) -> ModuleLoaderAndSourceMapGetter {
     ModuleLoaderAndSourceMapGetter {
       module_loader: Rc::new(EmbeddedModuleLoader {
         shared: self.shared.clone(),
-        root_permissions,
-        dynamic_permissions,
       }),
     }
   }
@@ -664,7 +657,8 @@ pub async fn run(
   };
 
   let permissions = {
-    let mut permissions = metadata.permissions.to_options();
+    let mut permissions =
+      metadata.permissions.to_options(/* cli_arg_urls */ &[]);
     // if running with an npm vfs, grant read access to it
     if let Some(vfs_root) = maybe_vfs_root {
       match &mut permissions.allow_read {
@@ -713,6 +707,7 @@ pub async fn run(
     npm_resolver,
     permission_desc_parser,
     root_cert_store_provider,
+    permissions,
     StorageKeyResolver::empty(),
     crate::args::DenoSubcommand::Run(Default::default()),
     CliMainWorkerOptions {
@@ -752,7 +747,7 @@ pub async fn run(
   deno_core::JsRuntime::init_platform(None, true);
 
   let mut worker = worker_factory
-    .create_main_worker(WorkerExecutionMode::Run, main_module, permissions)
+    .create_main_worker(WorkerExecutionMode::Run, main_module)
     .await?;
 
   let exit_code = worker.run().await?;
-- 
cgit v1.2.3