From 119910f3395cf073b7acf6a31c207daf597917f1 Mon Sep 17 00:00:00 2001 From: David Sherret Date: Tue, 12 Nov 2024 17:14:19 -0500 Subject: [PATCH] fix(permissions): say to use --allow-run instead of --allow-all (#26842) For https://github.com/denoland/deno/issues/26839 --- runtime/ops/process.rs | 19 +++++++++++-------- tests/specs/run/ld_preload/env_arg.out | 4 ++-- tests/specs/run/ld_preload/env_arg.ts | 4 ++-- .../run/ld_preload/set_with_allow_env.out | 4 ++-- 4 files changed, 17 insertions(+), 14 deletions(-) diff --git a/runtime/ops/process.rs b/runtime/ops/process.rs index de3141f1f9..ee2f660dcc 100644 --- a/runtime/ops/process.rs +++ b/runtime/ops/process.rs @@ -756,14 +756,17 @@ fn check_run_permission( if !env_var_names.is_empty() { // we don't allow users to launch subprocesses with any LD_ or DYLD_* // env vars set because this allows executing code (ex. LD_PRELOAD) - return Err(CheckRunPermissionError::Other(deno_core::error::custom_error( - "NotCapable", - format!( - "Requires --allow-all permissions to spawn subprocess with {} environment variable{}.", - env_var_names.join(", "), - if env_var_names.len() != 1 { "s" } else { "" } - ) - ))); + return Err(CheckRunPermissionError::Other( + deno_core::error::custom_error( + "NotCapable", + format!( + "Requires --allow-run permissions to spawn subprocess with {0} environment variable{1}. Alternatively, spawn with {2} environment variable{1} unset.", + env_var_names.join(", "), + if env_var_names.len() != 1 { "s" } else { "" }, + if env_var_names.len() != 1 { "these" } else { "the" } + ), + ), + )); } permissions.check_run(cmd, api_name)?; } diff --git a/tests/specs/run/ld_preload/env_arg.out b/tests/specs/run/ld_preload/env_arg.out index 945737e65b..d87a1115c6 100644 --- a/tests/specs/run/ld_preload/env_arg.out +++ b/tests/specs/run/ld_preload/env_arg.out @@ -1,8 +1,8 @@ -NotCapable: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable. +NotCapable: Requires --allow-run permissions to spawn subprocess with LD_PRELOAD environment variable. Alternatively, spawn with the environment variable unset. [WILDCARD] name: "NotCapable" } -NotCapable: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable. +NotCapable: Requires --allow-run permissions to spawn subprocess with LD_PRELOAD environment variable. Alternatively, spawn with the environment variable unset. [WILDCARD] name: "NotCapable" } diff --git a/tests/specs/run/ld_preload/env_arg.ts b/tests/specs/run/ld_preload/env_arg.ts index d7ca1073df..fe043d56dc 100644 --- a/tests/specs/run/ld_preload/env_arg.ts +++ b/tests/specs/run/ld_preload/env_arg.ts @@ -1,5 +1,5 @@ try { - new Deno.Command("echo", { + new Deno.Command("curl", { env: { "LD_PRELOAD": "./libpreload.so", }, @@ -10,7 +10,7 @@ try { try { Deno.run({ - cmd: ["echo"], + cmd: ["curl"], env: { "LD_PRELOAD": "./libpreload.so", }, diff --git a/tests/specs/run/ld_preload/set_with_allow_env.out b/tests/specs/run/ld_preload/set_with_allow_env.out index f89582d6c8..570515fc00 100644 --- a/tests/specs/run/ld_preload/set_with_allow_env.out +++ b/tests/specs/run/ld_preload/set_with_allow_env.out @@ -1,8 +1,8 @@ -NotCapable: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable. +NotCapable: Requires --allow-run permissions to spawn subprocess with LD_PRELOAD environment variable. Alternatively, spawn with the environment variable unset. [WILDCARD] name: "NotCapable" } -NotCapable: Requires --allow-all permissions to spawn subprocess with DYLD_FALLBACK_LIBRARY_PATH, LD_PRELOAD environment variables. +NotCapable: Requires --allow-run permissions to spawn subprocess with DYLD_FALLBACK_LIBRARY_PATH, LD_PRELOAD environment variables. Alternatively, spawn with these environment variables unset. [WILDCARD] name: "NotCapable" }