feat: add --allow-import flag (#25469)

This replaces `--allow-net` for import permissions and makes the security sandbox stricter by also checking permissions for statically analyzable imports. By default, this has a value of `--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`, but that can be overridden by providing a different set of hosts. Additionally, when no value is provided, import permissions are inferred from the CLI arguments so the following works because `fresh.deno.dev:443` will be added to the list of allowed imports: ```ts deno run -A -r https://fresh.deno.dev ``` --------- Co-authored-by: David Sherret <dsherret@gmail.com>
2025-08-04 10:59:13 +00:00 · 2024-09-26 02:50:54 +01:00 · 2024-09-26 02:50:54 +01:00 · 5504acea67
commit 5504acea67
parent 05415bb9de
507 changed files with 1116 additions and 483 deletions
--- a/cli/module_loader.rs
+++ b/cli/module_loader.rs
@ -104,7 +104,7 @@ impl ModuleLoadPreparer {
    roots: &[ModuleSpecifier],
    is_dynamic: bool,
    lib: TsTypeLib,
-    permissions: crate::file_fetcher::FetchPermissionsOption,
+    permissions: PermissionsContainer,
    ext_overwrite: Option<&String>,
  ) -> Result<(), AnyError> {
    log::debug!("Preparing module load.");
@ -252,13 +252,15 @@ impl CliModuleLoaderFactory {
    &self,
    graph_container: TGraphContainer,
    lib: TsTypeLib,
-    root_permissions: PermissionsContainer,
-    dynamic_permissions: PermissionsContainer,
+    is_worker: bool,
+    parent_permissions: PermissionsContainer,
+    permissions: PermissionsContainer,
  ) -> ModuleLoaderAndSourceMapGetter {
    let loader = Rc::new(CliModuleLoader(Rc::new(CliModuleLoaderInner {
      lib,
-      root_permissions,
-      dynamic_permissions,
+      is_worker,
+      parent_permissions,
+      permissions,
      graph_container,
      emitter: self.shared.emitter.clone(),
      parsed_source_cache: self.shared.parsed_source_cache.clone(),
@ -274,20 +276,20 @@ impl ModuleLoaderFactory for CliModuleLoaderFactory {
  fn create_for_main(
    &self,
    root_permissions: PermissionsContainer,
-    dynamic_permissions: PermissionsContainer,
  ) -> ModuleLoaderAndSourceMapGetter {
    self.create_with_lib(
      (*self.shared.main_module_graph_container).clone(),
      self.shared.lib_window,
+      /* is worker */ false,
+      root_permissions.clone(),
      root_permissions,
-      dynamic_permissions,
    )
  }

  fn create_for_worker(
    &self,
-    root_permissions: PermissionsContainer,
-    dynamic_permissions: PermissionsContainer,
+    parent_permissions: PermissionsContainer,
+    permissions: PermissionsContainer,
  ) -> ModuleLoaderAndSourceMapGetter {
    self.create_with_lib(
      // create a fresh module graph for the worker
@ -295,21 +297,21 @@ impl ModuleLoaderFactory for CliModuleLoaderFactory {
        self.shared.graph_kind,
      ))),
      self.shared.lib_worker,
-      root_permissions,
-      dynamic_permissions,
+      /* is worker */ true,
+      parent_permissions,
+      permissions,
    )
  }
 }

 struct CliModuleLoaderInner<TGraphContainer: ModuleGraphContainer> {
  lib: TsTypeLib,
+  is_worker: bool,
  /// The initial set of permissions used to resolve the static imports in the
  /// worker. These are "allow all" for main worker, and parent thread
  /// permissions for Web Worker.
-  root_permissions: PermissionsContainer,
-  /// Permissions used to resolve dynamic imports, these get passed as
-  /// "root permissions" for Web Worker.
-  dynamic_permissions: PermissionsContainer,
+  parent_permissions: PermissionsContainer,
+  permissions: PermissionsContainer,
  shared: Arc<SharedCliModuleLoaderState>,
  emitter: Arc<Emitter>,
  parsed_source_cache: Arc<ParsedSourceCache>,
@ -769,11 +771,12 @@ impl<TGraphContainer: ModuleGraphContainer> ModuleLoader
        }
      }

-      let root_permissions = if is_dynamic {
-        inner.dynamic_permissions.clone()
+      let permissions = if is_dynamic {
+        inner.permissions.clone()
      } else {
-        inner.root_permissions.clone()
+        inner.parent_permissions.clone()
      };
+      let is_dynamic = is_dynamic || inner.is_worker; // consider workers as dynamic for permissions
      let lib = inner.lib;
      let mut update_permit = graph_container.acquire_update_permit().await;
      let graph = update_permit.graph_mut();
@ -783,7 +786,7 @@ impl<TGraphContainer: ModuleGraphContainer> ModuleLoader
          &[specifier],
          is_dynamic,
          lib,
-          root_permissions.into(),
+          permissions,
          None,
        )
        .await?;