From 5504acea6751480f1425c88353ad5d36257bdce7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Thu, 26 Sep 2024 02:50:54 +0100 Subject: feat: add `--allow-import` flag (#25469) This replaces `--allow-net` for import permissions and makes the security sandbox stricter by also checking permissions for statically analyzable imports. By default, this has a value of `--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`, but that can be overridden by providing a different set of hosts. Additionally, when no value is provided, import permissions are inferred from the CLI arguments so the following works because `fresh.deno.dev:443` will be added to the list of allowed imports: ```ts deno run -A -r https://fresh.deno.dev ``` --------- Co-authored-by: David Sherret --- .../node_test_module_no_sanitizers/__test__.jsonc | 9 +++++++ .../test_no_sanitizers/cat.ts | 4 ++++ .../test_no_sanitizers/test.js | 28 ++++++++++++++++++++++ .../test_no_sanitizers/test.out | 7 ++++++ .../test_no_sanitizers/welcome.ts | 1 + 5 files changed, 49 insertions(+) create mode 100644 tests/specs/node/node_test_module_no_sanitizers/__test__.jsonc create mode 100644 tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/cat.ts create mode 100644 tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.js create mode 100644 tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.out create mode 100644 tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/welcome.ts (limited to 'tests/specs/node/node_test_module_no_sanitizers') diff --git a/tests/specs/node/node_test_module_no_sanitizers/__test__.jsonc b/tests/specs/node/node_test_module_no_sanitizers/__test__.jsonc new file mode 100644 index 000000000..0a9a9524b --- /dev/null +++ b/tests/specs/node/node_test_module_no_sanitizers/__test__.jsonc @@ -0,0 +1,9 @@ +{ + "args": "test -A --no-check test_no_sanitizers/test.js", + "output": "test_no_sanitizers/test.out", + "envs": { + "NO_COLOR": "1", + "NPM_CONFIG_REGISTRY": "http://localhost:4260/" + }, + "exitCode": 0 +} diff --git a/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/cat.ts b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/cat.ts new file mode 100644 index 000000000..62c82ebca --- /dev/null +++ b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/cat.ts @@ -0,0 +1,4 @@ +const filename = Deno.args[0]; +using file = await Deno.open(filename); + +await file.readable.pipeTo(Deno.stdout.writable); diff --git a/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.js b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.js new file mode 100644 index 000000000..52d0f1325 --- /dev/null +++ b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.js @@ -0,0 +1,28 @@ +import test from "node:test"; +test("should not complain about resource and op sanitizers", async (t) => { + // resource + const _file1 = Deno.open("test_no_sanitizers/welcome.ts"); + + await t.test("nested test", () => { + // resource + const _file2 = Deno.open("test_no_sanitizers/cat.ts"); + + // op + crypto.subtle.digest( + "SHA-256", + new TextEncoder().encode("a".repeat(1_000_000)), + ); + }); + + // op + crypto.subtle.digest( + "SHA-256", + new TextEncoder().encode("a".repeat(1_000_000)), + ); +}); + +// TODO(mmastrac): This works, but we don't reliably flush stdout/stderr here, making this test flake +// test("should allow exit", () => { +// // no exit sanitizers +// Deno.exit(123); +// }); diff --git a/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.out b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.out new file mode 100644 index 000000000..dc5ab7cfd --- /dev/null +++ b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/test.out @@ -0,0 +1,7 @@ +running 1 test from ./test_no_sanitizers/test.js +should not complain about resource and op sanitizers ... + nested test ... ok ([WILDCARD]) +should not complain about resource and op sanitizers ... ok ([WILDCARD]) + +ok | 1 passed (1 step) | 0 failed ([WILDCARD]) + diff --git a/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/welcome.ts b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/welcome.ts new file mode 100644 index 000000000..f983ca89b --- /dev/null +++ b/tests/specs/node/node_test_module_no_sanitizers/test_no_sanitizers/welcome.ts @@ -0,0 +1 @@ +console.log("Welcome to Deno!"); -- cgit v1.2.3