From 74fc66da110ec20d12751e7a0922cea300314399 Mon Sep 17 00:00:00 2001 From: David Sherret Date: Wed, 4 Sep 2024 14:51:24 +0200 Subject: fix: lock down allow-run permissions more (#25370) `--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more. 1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write` 1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command. --- cli/task_runner.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'cli/task_runner.rs') diff --git a/cli/task_runner.rs b/cli/task_runner.rs index e8937590d..ab7163bc9 100644 --- a/cli/task_runner.rs +++ b/cli/task_runner.rs @@ -213,8 +213,8 @@ impl ShellCommand for NodeGypCommand { ) -> LocalBoxFuture<'static, ExecuteResult> { // at the moment this shell command is just to give a warning if node-gyp is not found // in the future, we could try to run/install node-gyp for the user with deno - if which::which("node-gyp").is_err() { - log::warn!("{}: node-gyp was used in a script, but was not listed as a dependency. Either add it as a dependency or install it globally (e.g. `npm install -g node-gyp`)", crate::colors::yellow("warning")); + if context.state.resolve_command_path("node-gyp").is_err() { + log::warn!("{} node-gyp was used in a script, but was not listed as a dependency. Either add it as a dependency or install it globally (e.g. `npm install -g node-gyp`)", crate::colors::yellow("Warning")); } ExecutableCommand::new( "node-gyp".to_string(), -- cgit v1.2.3