Permissions whitelist #2129

Merged
merged 20 commits into from May 8, 2019
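--- a/cli/deno_dir.rs
+++ b/cli/deno_dir.rs
@@ -291,36 +291,14 @@ impl DenoDir {
 referrer: &str,
 ) -> Result<Url, url::ParseError> {
 let specifier = self.src_file_to_url(specifier);
-let mut referrer = self.src_file_to_url(referrer);
+let referrer = self.src_file_to_url(referrer);
 
 debug!(
 "resolve_module specifier {} referrer {}",
 specifier, referrer
 );
 
-if referrer.starts_with('.') {
-let cwd = std::env::current_dir().unwrap();
-let referrer_path = cwd.join(referrer);
-referrer = referrer_path.to_str().unwrap().to_string() + "/";
-}
-
-let j = if is_remote(&specifier)
-|| (Path::new(&specifier).is_absolute() && !is_remote(&referrer))
-{
-parse_local_or_remote(&specifier)?
-} else if referrer.ends_with('/') {
-let r = Url::from_directory_path(&referrer);
-// TODO(ry) Properly handle error.
-if r.is_err() {
-error!("Url::from_directory_path error {}", referrer);
-}
-let base = r.unwrap();
-base.join(specifier.as_ref())?
-} else {
-let base = parse_local_or_remote(&referrer)?;
-base.join(specifier.as_ref())?
-};
-Ok(j)
+resolve_file_url(specifier, referrer)
 }
 
 /// Returns (module name, local filename)
@@ -889,6 +867,35 @@ fn save_source_code_headers(
 }
 }
 
+pub fn resolve_file_url(
+specifier: String,
+mut referrer: String,
+) -> Result<Url, url::ParseError> {
+if referrer.starts_with('.') {
+let cwd = std::env::current_dir().unwrap();
+let referrer_path = cwd.join(referrer);
+referrer = referrer_path.to_str().unwrap().to_string() + "/";
+}
+
+let j = if is_remote(&specifier)
+|| (Path::new(&specifier).is_absolute() && !is_remote(&referrer))
+{
+parse_local_or_remote(&specifier)?
+} else if referrer.ends_with('/') {
+let r = Url::from_directory_path(&referrer);
+// TODO(ry) Properly handle error.
+if r.is_err() {
+error!("Url::from_directory_path error {}", referrer);
+}
+let base = r.unwrap();
+base.join(specifier.as_ref())?
+} else {
+let base = parse_local_or_remote(&referrer)?;
+base.join(specifier.as_ref())?
+};
+Ok(j)
+}
+
 #[cfg(test)]
 mod tests {
 use super::*;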
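Review bot: The extracted `resolve_file_url` is now `pub` but still panics on bad input: `std::env::current_dir().unwrap()`, `referrer_path.to_str().unwrap()` and the `r.unwrap()` that follows the `error!` log all abort the process instead of using the `Result<Url, url::ParseError>` the function already returns. `Url::from_directory_path` fails for a referrer that ends in `/` but is not an absolute path, so a caller other than `resolve_module` can reach that panic with an ordinary string. Replacing the `r.is_err()` block with `let base = Url::from_directory_path(&referrer).map_err(|()| url::ParseError::RelativeUrlWithoutBase)?;` resolves the TODO without changing the signature. A doc comment such as `/// Resolves specifier against referrer; a referrer starting with '.' is first joined onto the current working directory.` would also help, since the function is presumably meant for reuse outside module resolution (its other callers are not visible on this page).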
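--- a/cli/flags.rs
+++ b/cli/flags.rs
@@ -16,8 +16,11 @@ pub struct DenoFlags {
 /// the path passed on the command line, otherwise `None`.
 pub config_path: Option<String>,
 pub allow_read: bool,
+pub read_whitelist: Vec<String>,
 pub allow_write: bool,
+pub write_whitelist: Vec<String>,
 pub allow_net: bool,
+pub net_whitelist: Vec<String>,
 pub allow_env: bool,
 pub allow_run: bool,
 pub allow_high_precision: bool,
@@ -186,17 +189,29 @@ ability to spawn subprocesses.
 ",
 ).arg(
 Arg::with_name("allow-read")
-.long("allow-read")
-.help("Allow file system read access"),
-).arg(
-Arg::with_name("allow-write")
-.long("allow-write")
-.help("Allow file system write access"),
-).arg(
-Arg::with_name("allow-net")
-.long("allow-net")
-.help("Allow network access"),
-).arg(
+.long("allow-read")
+.min_values(0)
+.takes_value(true)
+.use_delimiter(true)
+.require_equals(true)
+.help("Allow file system read access"),
+).arg(
+Arg::with_name("allow-write")
+.long("allow-write")
+.min_values(0)
+.takes_value(true)
+.use_delimiter(true)
+.require_equals(true)
+.help("Allow file system write access"),
+).arg(
+Arg::with_name("allow-net")
+.long("allow-net")
+.min_values(0)
+.takes_value(true)
+.use_delimiter(true)
+.require_equals(true)
+.help("Allow network access"),
+).arg(
 Arg::with_name("allow-env")
 .long("allow-env")
 .help("Allow environment access"),
@@ -290,13 +305,31 @@ pub fn parse_flags(matches: ArgMatches) -> DenoFlags {
 // flags specific to "run" subcommand
 if let Some(run_matches) = matches.subcommand_matches("run") {
 if run_matches.is_present("allow-read") {
-flags.allow_read = true;
+if run_matches.value_of("allow-read").is_some() {
+let read_wl = run_matches.values_of("allow-read").unwrap();
+flags.read_whitelist =
+read_wl.map(std::string::ToString::to_string).collect();
+} else {
+flags.allow_read = true;
+}
 }
 if run_matches.is_present("allow-write") {
-flags.allow_write = true;
+if run_matches.value_of("allow-write").is_some() {
+let write_wl = run_matches.values_of("allow-write").unwrap();
+flags.write_whitelist =
+write_wl.map(std::string::ToString::to_string).collect();
+} else {
+flags.allow_write = true;
+}
 }
 if run_matches.is_present("allow-net") {
-flags.allow_net = true;
+if run_matches.value_of("allow-net").is_some() {
+let net_wl = run_matches.values_of("allow-net").unwrap();
+flags.net_whitelist =
+net_wl.map(std::string::ToString::to_string).collect();
+} else {
+flags.allow_net = true;
+}
 }
 if run_matches.is_present("allow-env") {
 flags.allow_env = true;
@@ -752,4 +785,61 @@ mod tests {
 assert_eq!(subcommand, DenoSubcommand::Xeval);
 assert_eq!(argv, svec!["deno", "console.log(val)"]);
 }
+#[test]
+fn test_flags_from_vec_19() {
+let (flags, subcommand, argv) = flags_from_vec(svec![
+"deno",
+"run",
+"--allow-read=/some/test/dir",
+"script.ts"
+]);
+assert_eq!(
+flags,
+DenoFlags {
+allow_read: false,
+read_whitelist: svec!["/some/test/dir"],
+..DenoFlags::default()
+}
+);
+assert_eq!(subcommand, DenoSubcommand::Run);
+assert_eq!(argv, svec!["deno", "script.ts"]);
+}
+#[test]
+fn test_flags_from_vec_20() {
+let (flags, subcommand, argv) = flags_from_vec(svec![
+"deno",
+"run",
+"--allow-write=/some/test/dir",
+"script.ts"
+]);
+assert_eq!(
+flags,
+DenoFlags {
+allow_write: false,
+write_whitelist: svec!["/some/test/dir"],
+..DenoFlags::default()
+}
+);
+assert_eq!(subcommand, DenoSubcommand::Run);
+assert_eq!(argv, svec!["deno", "script.ts"]);
+}
+#[test]
+fn test_flags_from_vec_21() {
+let (flags, subcommand, argv) = flags_from_vec(svec![
+"deno",
+"run",
+"--allow-net=127.0.0.1",
+"script.ts"
+]);
+assert_eq!(
+flags,
+DenoFlags {
+allow_net: false,
+net_whitelist: svec!["127.0.0.1"],
+..DenoFlags::default()
+}
+);
+assert_eq!(subcommand, DenoSubcommand::Run);
+assert_eq!(argv, svec!["deno", "script.ts"]);
+}
 }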
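Review bot: In `parse_flags`, the three whitelist branches store whatever clap yields verbatim, so an empty entry (likely reachable through `--allow-read=` or `--allow-read=/a,,/b`, assuming clap's default of accepting empty values) would land in `read_whitelist`, `write_whitelist` or `net_whitelist`. The code that consults these lists is not on this page, but if it matches by prefix an empty string would match every path or host and turn a narrowing flag into a full grant. Filtering at parse time fails closed, since an all-empty list leaves both the whitelist empty and `allow_read` false: `read_wl.filter(|s| !s.is_empty()).map(std::string::ToString::to_string).collect();`, and likewise for write and net. The new tests cover only a single value; cases for the bare flag (expecting `allow_read: true` with an empty whitelist), a comma-separated list and an empty value would pin the intended behaviour.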