From 74fc66da110ec20d12751e7a0922cea300314399 Mon Sep 17 00:00:00 2001
From: David Sherret <dsherret@users.noreply.github.com>
Date: Wed, 4 Sep 2024 14:51:24 +0200
Subject: fix: lock down allow-run permissions more (#25370)

`--allow-run` even with an allow list has essentially been
`--allow-all`... this locks it down more.

1. Resolves allow list for `--allow-run=` on startup to an absolute
path, then uses these paths when evaluating if a command can execute.
Also, adds these paths to `--deny-write`
1. Resolves the environment (cwd and env vars) before evaluating
permissions and before executing a command. Then uses this environment
to evaluate the permissions and then evaluate the command.
---
 tests/testdata/run/089_run_allow_list.ts.out | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'tests/testdata/run')

diff --git a/tests/testdata/run/089_run_allow_list.ts.out b/tests/testdata/run/089_run_allow_list.ts.out
index 68a4a2ac5..0fc1c80c2 100644
--- a/tests/testdata/run/089_run_allow_list.ts.out
+++ b/tests/testdata/run/089_run_allow_list.ts.out
@@ -1,3 +1,3 @@
-[WILDCARD]PermissionDenied: Requires run access to "ls", run again with the --allow-run flag
+[WILDCARD]PermissionDenied: Requires run access to "[WILDLINE]ls[WILDLINE]", run again with the --allow-run flag
 [WILDCARD]
 true
-- 
cgit v1.2.3