language-servers/deno
1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2025-08-03 18:38:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

feat(permissions): add "--deny-*" flags (#19070)

Browse source 
This commit adds new "--deny-*" permission flags. These are complimentary to
"--allow-*" flags.

These flags can be used to restrict access to certain resources, even if they
were granted using "--allow-*" flags or the "--allow-all" ("-A") flag.

Eg. specifying "--allow-read --deny-read" will result in a permission error,
while "--allow-read --deny-read=/etc" will allow read access to all FS but the
"/etc" directory.

Runtime permissions APIs ("Deno.permissions") were adjusted as well, mainly
by adding, a new "PermissionStatus.partial" field. This field denotes that
while permission might be granted to requested resource, it's only partial (ie.
a "--deny-*" flag was specified that excludes some of the requested resources).
Eg. specifying "--allow-read=foo/ --deny-read=foo/bar" and then querying for
permissions like "Deno.permissions.query({ name: "read", path: "foo/" })"
will return "PermissionStatus { state: "granted", onchange: null, partial: true }",
denoting that some of the subpaths don't have read access.

Closes #18804.

---------

Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
Co-authored-by: Nayeem Rahman <nayeemrmn99@gmail.com>
This commit is contained in:
Asher Gomez 2023-08-03 21:19:19 +10:00 committed by GitHub
parent db287e216d
commit 6fb7e8d93b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 1805 additions and 1456 deletions
Download patch file Download diff file Expand all files Collapse all files

10
cli/args/mod.rs
View file

@ -2,7 +2,7 @@
mod config_file;
mod flags;
mod flags_allow_net;
mod flags_net;
mod import_map;
mod lockfile;
pub mod package_json;
@ -1105,13 +1105,21 @@ impl CliOptions {
pub fn permissions_options(&self) -> PermissionsOptions {
PermissionsOptions {
allow_env: self.flags.allow_env.clone(),
deny_env: self.flags.deny_env.clone(),
allow_hrtime: self.flags.allow_hrtime,
deny_hrtime: self.flags.deny_hrtime,
allow_net: self.flags.allow_net.clone(),
deny_net: self.flags.deny_net.clone(),
allow_ffi: self.flags.allow_ffi.clone(),
deny_ffi: self.flags.deny_ffi.clone(),
allow_read: self.flags.allow_read.clone(),
deny_read: self.flags.deny_read.clone(),
allow_run: self.flags.allow_run.clone(),
deny_run: self.flags.deny_run.clone(),
allow_sys: self.flags.allow_sys.clone(),
deny_sys: self.flags.deny_sys.clone(),
allow_write: self.flags.allow_write.clone(),
deny_write: self.flags.deny_write.clone(),
prompt: !self.no_prompt(),
}
}