From 74fc66da110ec20d12751e7a0922cea300314399 Mon Sep 17 00:00:00 2001
From: David Sherret
Date: Wed, 4 Sep 2024 14:51:24 +0200
Subject: fix: lock down allow-run permissions more (#25370)

`--allow-run` even with an allow list has essentially been `--allow-all`... this locks it down more.

1. Resolves allow list for `--allow-run=` on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to `--deny-write`
1. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.
---
tests/testdata/allow_run_allowlist_resolution.ts | 66 ----------------------
.../testdata/allow_run_allowlist_resolution.ts.out | 15 -----
tests/testdata/run/089_run_allow_list.ts.out | 2 +-
3 files changed, 1 insertion(+), 82 deletions(-)
delete mode 100644 tests/testdata/allow_run_allowlist_resolution.ts
delete mode 100644 tests/testdata/allow_run_allowlist_resolution.ts.out
(limited to 'tests/testdata')

diff --git a/tests/testdata/allow_run_allowlist_resolution.ts b/tests/testdata/allow_run_allowlist_resolution.ts
deleted file mode 100644
index c7369d928..000000000
--- a/tests/testdata/allow_run_allowlist_resolution.ts
+++ /dev/null
@@ -1,66 +0,0 @@
-// Testing the following (but with `deno` instead of `echo`):
-// | `deno run --allow-run=echo` | `which path == "/usr/bin/echo"` at startup | `which path != "/usr/bin/echo"` at startup |
-// |-------------------------------------|--------------------------------------------|--------------------------------------------|
-// | **`Deno.Command("echo")`** | ✅ | ✅ |
-// | **`Deno.Command("/usr/bin/echo")`** | ✅ | ❌ |
-
-// | `deno run --allow-run=/usr/bin/echo | `which path == "/usr/bin/echo"` at runtime | `which path != "/usr/bin/echo"` at runtime |
-// |-------------------------------------|--------------------------------------------|--------------------------------------------|
-// | **`Deno.Command("echo")`** | ✅ | ❌ |
-// | **`Deno.Command("/usr/bin/echo")`** | ✅ | ✅ |
-
-const execPath = Deno.execPath();
-const execPathParent = execPath.replace(/[/\\][^/\\]+$/, "");
-
-const testUrl = `data:application/typescript;base64,${
- btoa(`
- console.log(await Deno.permissions.query({ name: "run", command: "deno" }));
- console.log(await Deno.permissions.query({ name: "run", command: "${
- execPath.replaceAll("\\", "\\\\")
- }" }));
- Deno.env.set("PATH", "");
- console.log(await Deno.permissions.query({ name: "run", command: "deno" }));
- console.log(await Deno.permissions.query({ name: "run", command: "${
- execPath.replaceAll("\\", "\\\\")
- }" }));
-`)
-}`;
-
-const process1 = await new Deno.Command(Deno.execPath(), {
- args: [
- "run",
- "--quiet",
- "--allow-env",
- "--allow-run=deno",
- testUrl,
- ],
- stderr: "null",
- env: { "PATH": execPathParent },
-}).output();
-console.log(new TextDecoder().decode(process1.stdout));
-
-const process2 = await new Deno.Command(Deno.execPath(), {
- args: [
- "run",
- "--quiet",
- "--allow-env",
- "--allow-run=deno",
- testUrl,
- ],
- stderr: "null",
- env: { "PATH": "" },
-}).output();
-console.log(new TextDecoder().decode(process2.stdout));
-
-const process3 = await new Deno.Command(Deno.execPath(), {
- args: [
- "run",
- "--quiet",
- "--allow-env",
- `--allow-run=${execPath}`,
- testUrl,
- ],
- stderr: "null",
- env: { "PATH": execPathParent },
-}).output();
-console.log(new TextDecoder().decode(process3.stdout));
diff --git a/tests/testdata/allow_run_allowlist_resolution.ts.out b/tests/testdata/allow_run_allowlist_resolution.ts.out
deleted file mode 100644
index 16ba6754a..000000000
--- a/tests/testdata/allow_run_allowlist_resolution.ts.out
+++ /dev/null
@@ -1,15 +0,0 @@
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "prompt", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "prompt", onchange: null }
-
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-PermissionStatus { state: "prompt", onchange: null }
-PermissionStatus { state: "granted", onchange: null }
-
diff --git a/tests/testdata/run/089_run_allow_list.ts.out b/tests/testdata/run/089_run_allow_list.ts.out
index 68a4a2ac5..0fc1c80c2 100644
--- a/tests/testdata/run/089_run_allow_list.ts.out
+++ b/tests/testdata/run/089_run_allow_list.ts.out
@@ -1,3 +1,3 @@
-[WILDCARD]PermissionDenied: Requires run access to "ls", run again with the --allow-run flag
+[WILDCARD]PermissionDenied: Requires run access to "[WILDLINE]ls[WILDLINE]", run again with the --allow-run flag
 [WILDCARD]
 true
-- cgit v1.2.3
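Review bot: The new expectation `"[WILDLINE]ls[WILDLINE]"` in 089_run_allow_list.ts.out matches any denied-command string that merely contains the substring `ls`, so the assertion no longer pins which executable was refused nor that the message now carries a resolved absolute path, which is the property this commit is meant to establish. If the resolved form on POSIX always ends in the bare executable name, `"[WILDLINE]/ls"` would be tighter; the trailing wildcard is presumably there for a platform-specific suffix such as `.exe`, but that cannot be confirmed from the `.ts` side, which is outside this view. It would also be worth checking in the companion test that `ls` is resolved through the same cwd and environment the new permission check uses, since a mismatch between the resolution used for the check and for the spawn is exactly the gap the commit closes. The two deleted fixtures covered the startup-vs-runtime `PATH` matrix from the removed table; this `tests/testdata`-limited view shows no replacement, so that coverage presumably moved elsewhere and should be confirmed rather than assumed.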