From 5504acea6751480f1425c88353ad5d36257bdce7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Thu, 26 Sep 2024 02:50:54 +0100 Subject: feat: add `--allow-import` flag (#25469) This replaces `--allow-net` for import permissions and makes the security sandbox stricter by also checking permissions for statically analyzable imports. By default, this has a value of `--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`, but that can be overridden by providing a different set of hosts. Additionally, when no value is provided, import permissions are inferred from the CLI arguments so the following works because `fresh.deno.dev:443` will be added to the list of allowed imports: ```ts deno run -A -r https://fresh.deno.dev ``` --------- Co-authored-by: David Sherret --- cli/tools/repl/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'cli/tools/repl') diff --git a/cli/tools/repl/mod.rs b/cli/tools/repl/mod.rs index 24bc8e30a..a30304687 100644 --- a/cli/tools/repl/mod.rs +++ b/cli/tools/repl/mod.rs @@ -162,7 +162,7 @@ pub async fn run( let factory = CliFactory::from_flags(flags); let cli_options = factory.cli_options()?; let main_module = cli_options.resolve_main_module()?; - let permissions = factory.create_permissions_container()?; + let permissions = factory.root_permissions_container()?; let npm_resolver = factory.npm_resolver().await?.clone(); let resolver = factory.resolver().await?.clone(); let file_fetcher = factory.file_fetcher()?; @@ -177,7 +177,7 @@ pub async fn run( .create_custom_worker( WorkerExecutionMode::Repl, main_module.clone(), - permissions, + permissions.clone(), vec![crate::ops::testing::deno_test::init_ops(test_event_sender)], Default::default(), ) @@ -189,7 +189,7 @@ pub async fn run( npm_resolver, resolver, worker, - main_module, + main_module.clone(), test_event_receiver, ) .await?; -- cgit v1.2.3