language-servers/deno
1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2025-09-26 20:29:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

fix(cli/permissions): ensure revoked permissions are no longer granted (#12159)

Browse source 
Fixes #12153
This commit is contained in:
Nayeem Rahman 2021-09-24 06:48:15 +01:00 committed by GitHub
parent 80a9a37df1
commit faefe2300d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 70 additions and 62 deletions
Download patch file Download diff file Expand all files Collapse all files

108
runtime/permissions.rs
View file

@ -249,19 +249,16 @@ impl UnaryPermission<ReadDescriptor> {
"read access to \"{}\"", "read access to \"{}\"",
display_path.display() display_path.display()
)) { )) {
self
.granted_list
.retain(|path| !path.0.starts_with(&resolved_path));
self.granted_list.insert(ReadDescriptor(resolved_path)); self.granted_list.insert(ReadDescriptor(resolved_path));
PermissionState::Granted PermissionState::Granted
} else { } else {
self
.denied_list
.retain(|path| !resolved_path.starts_with(&path.0));
self.denied_list.insert(ReadDescriptor(resolved_path)); self.denied_list.insert(ReadDescriptor(resolved_path));
self.global_state = PermissionState::Denied; self.global_state = PermissionState::Denied;
PermissionState::Denied PermissionState::Denied
} }
} else if state == PermissionState::Granted {
self.granted_list.insert(ReadDescriptor(resolved_path));
PermissionState::Granted
} else { } else {
state state
} }
@ -287,13 +284,13 @@ impl UnaryPermission<ReadDescriptor> {
let path = resolve_from_cwd(path).unwrap(); let path = resolve_from_cwd(path).unwrap();
self self
.granted_list .granted_list
.retain(|path_| !path_.0.starts_with(&path)); .retain(|path_| !path.starts_with(&path_.0));
} else { } else {
self.granted_list.clear(); self.granted_list.clear();
}
if self.global_state == PermissionState::Granted { if self.global_state == PermissionState::Granted {
self.global_state = PermissionState::Prompt; self.global_state = PermissionState::Prompt;
} }
}
self.query(path) self.query(path)
} }
@ -377,19 +374,16 @@ impl UnaryPermission<WriteDescriptor> {
"write access to \"{}\"", "write access to \"{}\"",
display_path.display() display_path.display()
)) { )) {
self
.granted_list
.retain(|path| !path.0.starts_with(&resolved_path));
self.granted_list.insert(WriteDescriptor(resolved_path)); self.granted_list.insert(WriteDescriptor(resolved_path));
PermissionState::Granted PermissionState::Granted
} else { } else {
self
.denied_list
.retain(|path| !resolved_path.starts_with(&path.0));
self.denied_list.insert(WriteDescriptor(resolved_path)); self.denied_list.insert(WriteDescriptor(resolved_path));
self.global_state = PermissionState::Denied; self.global_state = PermissionState::Denied;
PermissionState::Denied PermissionState::Denied
} }
} else if state == PermissionState::Granted {
self.granted_list.insert(WriteDescriptor(resolved_path));
PermissionState::Granted
} else { } else {
state state
} }
@ -415,13 +409,13 @@ impl UnaryPermission<WriteDescriptor> {
let path = resolve_from_cwd(path).unwrap(); let path = resolve_from_cwd(path).unwrap();
self self
.granted_list .granted_list
.retain(|path_| !path_.0.starts_with(&path)); .retain(|path_| !path.starts_with(&path_.0));
} else { } else {
self.granted_list.clear(); self.granted_list.clear();
}
if self.global_state == PermissionState::Granted { if self.global_state == PermissionState::Granted {
self.global_state = PermissionState::Prompt; self.global_state = PermissionState::Prompt;
} }
}
self.query(path) self.query(path)
} }
@ -486,22 +480,19 @@ impl UnaryPermission<NetDescriptor> {
) -> PermissionState { ) -> PermissionState {
if let Some(host) = host { if let Some(host) = host {
let state = self.query(Some(host)); let state = self.query(Some(host));
if state == PermissionState::Prompt {
let host = NetDescriptor::new(&host); let host = NetDescriptor::new(&host);
if state == PermissionState::Prompt {
if permission_prompt(&format!("network access to \"{}\"", host)) { if permission_prompt(&format!("network access to \"{}\"", host)) {
if host.1.is_none() {
self.granted_list.retain(|h| h.0 != host.0);
}
self.granted_list.insert(host); self.granted_list.insert(host);
PermissionState::Granted PermissionState::Granted
} else { } else {
if host.1.is_some() {
self.denied_list.remove(&host);
}
self.denied_list.insert(host); self.denied_list.insert(host);
self.global_state = PermissionState::Denied; self.global_state = PermissionState::Denied;
PermissionState::Denied PermissionState::Denied
} }
} else if state == PermissionState::Granted {
self.granted_list.insert(host);
PermissionState::Granted
} else { } else {
state state
} }
@ -527,16 +518,20 @@ impl UnaryPermission<NetDescriptor> {
host: Option<&(T, Option<u16>)>, host: Option<&(T, Option<u16>)>,
) -> PermissionState { ) -> PermissionState {
if let Some(host) = host { if let Some(host) = host {
self.granted_list.remove(&NetDescriptor::new(&host)); if host.1.is_some() {
if host.1.is_none() { self
self.granted_list.retain(|h| h.0 != host.0.as_ref()); .granted_list
.remove(&NetDescriptor(host.0.as_ref().to_string(), host.1));
} }
self
.granted_list
.remove(&NetDescriptor(host.0.as_ref().to_string(), None));
} else { } else {
self.granted_list.clear(); self.granted_list.clear();
}
if self.global_state == PermissionState::Granted { if self.global_state == PermissionState::Granted {
self.global_state = PermissionState::Prompt; self.global_state = PermissionState::Prompt;
} }
}
self.query(host) self.query(host)
} }
@ -623,15 +618,16 @@ impl UnaryPermission<EnvDescriptor> {
let state = self.query(Some(&env)); let state = self.query(Some(&env));
if state == PermissionState::Prompt { if state == PermissionState::Prompt {
if permission_prompt(&format!("env access to \"{}\"", env)) { if permission_prompt(&format!("env access to \"{}\"", env)) {
self.granted_list.retain(|env_| env_.0 != env);
self.granted_list.insert(EnvDescriptor(env)); self.granted_list.insert(EnvDescriptor(env));
PermissionState::Granted PermissionState::Granted
} else { } else {
self.denied_list.retain(|env_| env_.0 != env);
self.denied_list.insert(EnvDescriptor(env)); self.denied_list.insert(EnvDescriptor(env));
self.global_state = PermissionState::Denied; self.global_state = PermissionState::Denied;
PermissionState::Denied PermissionState::Denied
} }
} else if state == PermissionState::Granted {
self.granted_list.insert(EnvDescriptor(env));
PermissionState::Granted
} else { } else {
state state
} }
@ -656,13 +652,13 @@ impl UnaryPermission<EnvDescriptor> {
if let Some(env) = env { if let Some(env) = env {
#[cfg(windows)] #[cfg(windows)]
let env = env.to_uppercase(); let env = env.to_uppercase();
self.granted_list.retain(|env_| env_.0 != env); self.granted_list.remove(&EnvDescriptor(env.to_string()));
} else { } else {
self.granted_list.clear(); self.granted_list.clear();
}
if self.global_state == PermissionState::Granted { if self.global_state == PermissionState::Granted {
self.global_state = PermissionState::Prompt; self.global_state = PermissionState::Prompt;
} }
}
self.query(env) self.query(env)
} }
@ -725,15 +721,16 @@ impl UnaryPermission<RunDescriptor> {
let state = self.query(Some(cmd)); let state = self.query(Some(cmd));
if state == PermissionState::Prompt { if state == PermissionState::Prompt {
if permission_prompt(&format!("run access to \"{}\"", cmd)) { if permission_prompt(&format!("run access to \"{}\"", cmd)) {
self.granted_list.retain(|cmd_| cmd_.0 != cmd);
self.granted_list.insert(RunDescriptor(cmd.to_string())); self.granted_list.insert(RunDescriptor(cmd.to_string()));
PermissionState::Granted PermissionState::Granted
} else { } else {
self.denied_list.retain(|cmd_| cmd_.0 != cmd);
self.denied_list.insert(RunDescriptor(cmd.to_string())); self.denied_list.insert(RunDescriptor(cmd.to_string()));
self.global_state = PermissionState::Denied; self.global_state = PermissionState::Denied;
PermissionState::Denied PermissionState::Denied
} }
} else if state == PermissionState::Granted {
self.granted_list.insert(RunDescriptor(cmd.to_string()));
PermissionState::Granted
} else { } else {
state state
} }
@ -756,13 +753,13 @@ impl UnaryPermission<RunDescriptor> {
pub fn revoke(&mut self, cmd: Option<&str>) -> PermissionState { pub fn revoke(&mut self, cmd: Option<&str>) -> PermissionState {
if let Some(cmd) = cmd { if let Some(cmd) = cmd {
self.granted_list.retain(|cmd_| cmd_.0 != cmd); self.granted_list.remove(&RunDescriptor(cmd.to_string()));
} else { } else {
self.granted_list.clear(); self.granted_list.clear();
}
if self.global_state == PermissionState::Granted { if self.global_state == PermissionState::Granted {
self.global_state = PermissionState::Prompt; self.global_state = PermissionState::Prompt;
} }
}
self.query(cmd) self.query(cmd)
} }
@ -823,15 +820,16 @@ impl UnaryPermission<FfiDescriptor> {
let state = self.query(Some(lib)); let state = self.query(Some(lib));
if state == PermissionState::Prompt { if state == PermissionState::Prompt {
if permission_prompt(&format!("ffi access to \"{}\"", lib)) { if permission_prompt(&format!("ffi access to \"{}\"", lib)) {
self.granted_list.retain(|lib_| lib_.0 != lib);
self.granted_list.insert(FfiDescriptor(lib.to_string())); self.granted_list.insert(FfiDescriptor(lib.to_string()));
PermissionState::Granted PermissionState::Granted
} else { } else {
self.denied_list.retain(|lib_| lib_.0 != lib);
self.denied_list.insert(FfiDescriptor(lib.to_string())); self.denied_list.insert(FfiDescriptor(lib.to_string()));
self.global_state = PermissionState::Denied; self.global_state = PermissionState::Denied;
PermissionState::Denied PermissionState::Denied
} }
} else if state == PermissionState::Granted {
self.granted_list.insert(FfiDescriptor(lib.to_string()));
PermissionState::Granted
} else { } else {
state state
} }
@ -854,13 +852,13 @@ impl UnaryPermission<FfiDescriptor> {
pub fn revoke(&mut self, lib: Option<&str>) -> PermissionState { pub fn revoke(&mut self, lib: Option<&str>) -> PermissionState {
if let Some(lib) = lib { if let Some(lib) = lib {
self.granted_list.retain(|lib_| lib_.0 != lib); self.granted_list.remove(&FfiDescriptor(lib.to_string()));
} else { } else {
self.granted_list.clear(); self.granted_list.clear();
}
if self.global_state == PermissionState::Granted { if self.global_state == PermissionState::Granted {
self.global_state = PermissionState::Prompt; self.global_state = PermissionState::Prompt;
} }
}
self.query(lib) self.query(lib)
} }
@ -1778,15 +1776,24 @@ mod tests {
let mut perms = Permissions { let mut perms = Permissions {
read: UnaryPermission { read: UnaryPermission {
global_state: PermissionState::Prompt, global_state: PermissionState::Prompt,
..Permissions::new_read(&Some(vec![PathBuf::from("/foo")]), false) ..Permissions::new_read(
&Some(vec![PathBuf::from("/foo"), PathBuf::from("/foo/baz")]),
false,
)
}, },
write: UnaryPermission { write: UnaryPermission {
global_state: PermissionState::Prompt, global_state: PermissionState::Prompt,
..Permissions::new_write(&Some(vec![PathBuf::from("/foo")]), false) ..Permissions::new_write(
&Some(vec![PathBuf::from("/foo"), PathBuf::from("/foo/baz")]),
false,
)
}, },
net: UnaryPermission { net: UnaryPermission {
global_state: PermissionState::Prompt, global_state: PermissionState::Prompt,
..Permissions::new_net(&Some(svec!["127.0.0.1"]), false) ..Permissions::new_net(
&Some(svec!["127.0.0.1", "127.0.0.1:8000"]),
false,
)
}, },
env: UnaryPermission { env: UnaryPermission {
global_state: PermissionState::Prompt, global_state: PermissionState::Prompt,
@ -1807,14 +1814,15 @@ mod tests {
}; };
#[rustfmt::skip] #[rustfmt::skip]
{ {
assert_eq!(perms.read.revoke(Some(Path::new("/foo/bar"))), PermissionState::Granted); assert_eq!(perms.read.revoke(Some(Path::new("/foo/bar"))), PermissionState::Prompt);
assert_eq!(perms.read.revoke(Some(Path::new("/foo"))), PermissionState::Prompt); assert_eq!(perms.read.query(Some(Path::new("/foo"))), PermissionState::Prompt);
assert_eq!(perms.read.query(Some(Path::new("/foo/bar"))), PermissionState::Prompt); assert_eq!(perms.read.query(Some(Path::new("/foo/baz"))), PermissionState::Granted);
assert_eq!(perms.write.revoke(Some(Path::new("/foo/bar"))), PermissionState::Granted); assert_eq!(perms.write.revoke(Some(Path::new("/foo/bar"))), PermissionState::Prompt);
assert_eq!(perms.write.revoke(None), PermissionState::Prompt); assert_eq!(perms.write.query(Some(Path::new("/foo"))), PermissionState::Prompt);
assert_eq!(perms.write.query(Some(Path::new("/foo/bar"))), PermissionState::Prompt); assert_eq!(perms.write.query(Some(Path::new("/foo/baz"))), PermissionState::Granted);
assert_eq!(perms.net.revoke(Some(&("127.0.0.1", Some(8000)))), PermissionState::Granted); assert_eq!(perms.net.revoke(Some(&("127.0.0.1", Some(9000)))), PermissionState::Prompt);
assert_eq!(perms.net.revoke(Some(&("127.0.0.1", None))), PermissionState::Prompt); assert_eq!(perms.net.query(Some(&("127.0.0.1", None))), PermissionState::Prompt);
assert_eq!(perms.net.query(Some(&("127.0.0.1", Some(8000)))), PermissionState::Granted);
assert_eq!(perms.env.revoke(Some(&"HOME".to_string())), PermissionState::Prompt); assert_eq!(perms.env.revoke(Some(&"HOME".to_string())), PermissionState::Prompt);
assert_eq!(perms.run.revoke(Some(&"deno".to_string())), PermissionState::Prompt); assert_eq!(perms.run.revoke(Some(&"deno".to_string())), PermissionState::Prompt);
assert_eq!(perms.ffi.revoke(Some(&"deno".to_string())), PermissionState::Prompt); assert_eq!(perms.ffi.revoke(Some(&"deno".to_string())), PermissionState::Prompt);