From 5504acea6751480f1425c88353ad5d36257bdce7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Thu, 26 Sep 2024 02:50:54 +0100 Subject: feat: add `--allow-import` flag (#25469) This replaces `--allow-net` for import permissions and makes the security sandbox stricter by also checking permissions for statically analyzable imports. By default, this has a value of `--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`, but that can be overridden by providing a different set of hosts. Additionally, when no value is provided, import permissions are inferred from the CLI arguments so the following works because `fresh.deno.dev:443` will be added to the list of allowed imports: ```ts deno run -A -r https://fresh.deno.dev ``` --------- Co-authored-by: David Sherret --- tests/testdata/run/lock_write_fetch/main.ts | 3 +++ 1 file changed, 3 insertions(+) (limited to 'tests/testdata/run/lock_write_fetch') diff --git a/tests/testdata/run/lock_write_fetch/main.ts b/tests/testdata/run/lock_write_fetch/main.ts index 4ce631311..d8a50a9aa 100644 --- a/tests/testdata/run/lock_write_fetch/main.ts +++ b/tests/testdata/run/lock_write_fetch/main.ts @@ -9,6 +9,7 @@ const fetchProc = await new Deno.Command(Deno.execPath(), { stderr: "null", args: [ "cache", + "--allow-import", "--reload", "--lock=lock_write_fetch.json", "--cert=tls/RootCA.pem", @@ -23,6 +24,7 @@ const fetchCheckProc = await new Deno.Command(Deno.execPath(), { stderr: "null", args: [ "cache", + "--allow-import", "--lock=lock_write_fetch.json", "--cert=tls/RootCA.pem", "run/https_import.ts", @@ -38,6 +40,7 @@ const runProc = await new Deno.Command(Deno.execPath(), { stderr: "null", args: [ "run", + "--allow-import", "--lock=lock_write_fetch.json", "--allow-read", "--cert=tls/RootCA.pem", -- cgit v1.2.3