From 22e0ee92a6618db0168b9dfce6c598b6df207a4c Mon Sep 17 00:00:00 2001 From: Nayeem Rahman Date: Wed, 30 Dec 2020 22:35:28 +0000 Subject: BREAKING(unstable): Use hosts for net allowlists (#8845) Allowlist checking already uses hosts but for some reason requests, revokes and the runtime permissions API use URLs. - BREAKING(lib.deno.unstable.d.ts): Change NetPermissionDescriptor::url to NetPermissionDescriptor::host - fix(runtime/permissions): Don't add whole URLs to the allowlist on request - fix(runtime/permissions): Harden strength semantics: ({ name: "net", host: "127.0.0.1" } is stronger than { name: "net", host: "127.0.0.1:8000" }) for blocklisting - refactor(runtime/permissions): Use tuples for hosts, make the host optional in Permissions::{query_net, request_net, revoke_net}() --- cli/dts/lib.deno.unstable.d.ts | 11 +++++------ cli/tests/error_015_dynamic_import_permissions.out | 2 +- cli/tests/error_worker_permissions_remote.ts.out | 2 +- cli/tests/unit/permissions_test.ts | 4 ++-- 4 files changed, 9 insertions(+), 10 deletions(-) (limited to 'cli')
diff --git a/cli/dts/lib.deno.unstable.d.ts b/cli/dts/lib.deno.unstable.d.ts
index 3b9754387..b3933762e 100644
--- a/cli/dts/lib.deno.unstable.d.ts
+++ b/cli/dts/lib.deno.unstable.d.ts
@@ -1085,13 +1085,12 @@ declare namespace Deno {
 export interface NetPermissionDescriptor {
 name: "net";
- /** Optional url associated with this descriptor.
+ /** Optional host string of the form `"[:]"`. Examples:
 *
- * If specified: must be a valid url. Expected format: ://[:port][/path]
- * If the scheme is unknown, callers should specify some scheme, such as x:// na:// unknown://
- *
- * See: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml */
- url?: string;
+ * "github.com"
+ * "deno.land:8080"
+ */
+ host?: string;
 }
 export interface EnvPermissionDescriptor {
diff --git a/cli/tests/error_015_dynamic_import_permissions.out b/cli/tests/error_015_dynamic_import_permissions.out
index 577dbcc5c..b3d628990 100644
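Review bot: The new doc comment on `NetPermissionDescriptor.host` in cli/dts/lib.deno.unstable.d.ts gives two examples but never says what a descriptor without a port covers. The commit message states that `{ name: "net", host: "127.0.0.1" }` is stronger than `{ name: "net", host: "127.0.0.1:8000" }`, which suggests a bare hostname applies to every port on that host; a caller deciding what to request or revoke needs that spelled out. I would add a line such as `* If the port is omitted, the descriptor covers all ports on that host.` and, if the runtime enforces it (that code is not in this view), a line saying a scheme or path is not accepted. The comment is also silent on how an IPv6 literal should be written.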
--- a/cli/tests/error_015_dynamic_import_permissions.out
+++ b/cli/tests/error_015_dynamic_import_permissions.out
@@ -1 +1 @@
-error: Uncaught (in promise) TypeError: network access to "http://localhost:4545/cli/tests/subdir/mod4.js", run again with the --allow-net flag
+error: Uncaught (in promise) TypeError: network access to "localhost:4545", run again with the --allow-net flag
diff --git a/cli/tests/error_worker_permissions_remote.ts.out b/cli/tests/error_worker_permissions_remote.ts.out
index 6cf63fa22..5bbc58b34 100644
--- a/cli/tests/error_worker_permissions_remote.ts.out
+++ b/cli/tests/error_worker_permissions_remote.ts.out
@@ -1,3 +1,3 @@
 [WILDCARD]
-error: Uncaught (in worker "") network access to "http://localhost:4545/cli/tests/subdir/worker_types.ts", run again with the --allow-net flag
+error: Uncaught (in worker "") network access to "localhost:4545", run again with the --allow-net flag
 [WILDCARD]
diff --git a/cli/tests/unit/permissions_test.ts b/cli/tests/unit/permissions_test.ts
index dee8aa195..3c36f0186 100644
--- a/cli/tests/unit/permissions_test.ts
+++ b/cli/tests/unit/permissions_test.ts
@@ -13,9 +13,9 @@ unitTest(async function permissionInvalidName(): Promise {
 }, Error);
 });
-unitTest(async function permissionNetInvalidUrl(): Promise {
+unitTest(async function permissionNetInvalidHost(): Promise {
 await assertThrowsAsync(async () => {
- await Deno.permissions.query({ name: "net", url: ":" });
+ await Deno.permissions.query({ name: "net", host: ":" });
 }, URIError);
 });
-- cgit v1.2.3
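Review bot: `permissionNetInvalidHost` in cli/tests/unit/permissions_test.ts only checks that `":"` is rejected, so nothing in this file pins the behaviour the commit is about: whole URLs no longer reaching the allowlist, and a port-less host being stronger than host:port. Callers migrating from `url` will likely keep passing URL-shaped values, so a case asserting what `Deno.permissions.query({ name: "net", host: "http://localhost:4545/" })` does would catch a regression where such a string is accepted as a host. This view is limited to `cli/`, so the runtime crate may already cover the strength semantics; if it does not, a query/revoke pair for `"127.0.0.1"` versus `"127.0.0.1:8000"` belongs here as well. The hunk opens inside the preceding `permissionInvalidName` test, whose first lines are outside it.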