Enforce permissions on kill(), homeDir() and execPath (denoland#2723)

ztplz · Aug 6, 2019 · 11c850a · 11c850a
1 parent 046cccf
commit 11c850a
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 3 deletions.
diff --git a/cli/ops.rs b/cli/ops.rs
@@ -1053,10 +1053,12 @@ fn op_close(
 }
 
 fn op_kill(
-  _state: &ThreadSafeState,
+  state: &ThreadSafeState,
   base: &msg::Base<'_>,
   data: Option<PinnedBuf>,
 ) -> CliOpResult {
+  state.check_run()?;
+
   assert!(data.is_none());
   let inner = base.inner_as_kill().unwrap();
   let pid = inner.pid();

diff --git a/js/os.ts b/js/os.ts
@@ -13,7 +13,9 @@ export let pid: number;
 /** Reflects the NO_COLOR environment variable: https://no-color.org/ */
 export let noColor: boolean;
 
-/** Path to the current deno process's executable file. */
+/** Path to the current deno process's executable file.
+ * Requires the `--allow-env` flag, otherwise it'll be set to an empty `string`.
+ */
 export let execPath: string;
 
 function setGlobals(pid_: number, noColor_: boolean, execPath_: string): void {
@@ -145,7 +147,7 @@ export function start(
 
 /**
  * Returns the current user's home directory.
- * Does not require elevated privileges.
+ * Requires the `--allow-env` flag.
  */
 export function homeDir(): string {
   const builder = flatbuffers.createBuilder();

diff --git a/js/process.ts b/js/process.ts
@@ -55,6 +55,7 @@ async function runStatus(rid: number): Promise<ProcessStatus> {
 /** Send a signal to process under given PID. Unix only at this moment.
  * If pid is negative, the signal will be sent to the process group identified
  * by -pid.
+ * Requires the `--allow-run` flag.
  */
 export function kill(pid: number, signo: number): void {
   const builder = flatbuffers.createBuilder();

diff --git a/js/process_test.ts b/js/process_test.ts
@@ -321,6 +321,22 @@ test(function signalNumbers(): void {
 
 // Ignore signal tests on windows for now...
 if (Deno.platform.os !== "win") {
+  test(function killPermissions(): void {
+    let caughtError = false;
+    try {
+      // Unlike the other test cases, we don't have permission to spawn a
+      // subprocess we can safely kill. Instead we send SIGCONT to the current
+      // process - assuming that Deno does not have a special handler set for it
+      // and will just continue even if a signal is erroneously sent.
+      Deno.kill(Deno.pid, Deno.Signal.SIGCONT);
+    } catch (e) {
+      caughtError = true;
+      assertEquals(e.kind, Deno.ErrorKind.PermissionDenied);
+      assertEquals(e.name, "PermissionDenied");
+    }
+    assert(caughtError);
+  });
+
   testPerm({ run: true }, async function killSuccess(): Promise<void> {
     const p = run({
       args: ["python", "-c", "from time import sleep; sleep(10000)"]