mirror of https://github.com/denoland/deno.git synced 2025-01-15 02:20:15 -05:00

Add write permissions requirement to op_fetch_module_meta_data. (#1874)

andy finch 2019-03-03 16:52:41 -05:00 committed by Ryan Dahl
parent 1a695dd58b
commit 2af04e674d
2 changed files with 48 additions and 2 deletions


@ -52,7 +52,7 @@ fn lazy_start(parent_state: &Arc<IsolateState>) -> Resource {
let mut cell = C_RID.lock().unwrap(); let mut cell = C_RID.lock().unwrap();
let permissions = DenoPermissions { let permissions = DenoPermissions {
allow_read: AtomicBool::new(true), allow_read: AtomicBool::new(true),
allow_write: AtomicBool::new(false), allow_write: AtomicBool::new(true),
allow_env: AtomicBool::new(false), allow_env: AtomicBool::new(false),
allow_net: AtomicBool::new(true), allow_net: AtomicBool::new(true),
allow_run: AtomicBool::new(false), allow_run: AtomicBool::new(false),
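Review bot: The compiler isolate built in `lazy_start` now gets `allow_write: AtomicBool::new(true)` with no comment explaining the grant, which widens its privileges beyond read and net. This is presumably so the compiler passes the write check this commit adds to `op_fetch_module_meta_data`, though that link is not visible in this section. I would put a comment above the field, e.g. `// Needed by op_fetch_module_meta_data, which can write to the file system.`, so a later audit of the compiler's permissions can tell the grant is deliberate. The body of `lazy_start` starts and ends outside the hunk.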


@ -374,11 +374,19 @@ fn op_fetch_module_meta_data(
let specifier = inner.specifier().unwrap(); let specifier = inner.specifier().unwrap();
let referrer = inner.referrer().unwrap(); let referrer = inner.referrer().unwrap();
// Check for allow read since this operation could be used to read from the file system.
if !isolate.permissions.allow_read.load(Ordering::SeqCst) { if !isolate.permissions.allow_read.load(Ordering::SeqCst) {
debug!("No read permission for fetch_module_meta_data"); debug!("No read permission for fetch_module_meta_data");
return odd_future(permission_denied()); return odd_future(permission_denied());
} }
// Check for allow write since this operation could be used to write to the file system.
if !isolate.permissions.allow_write.load(Ordering::SeqCst) {
debug!("No network permission for fetch_module_meta_data");
return odd_future(permission_denied());
}
// Check for allow net since this operation could be used to make https/http requests.
if !isolate.permissions.allow_net.load(Ordering::SeqCst) { if !isolate.permissions.allow_net.load(Ordering::SeqCst) {
debug!("No network permission for fetch_module_meta_data"); debug!("No network permission for fetch_module_meta_data");
return odd_future(permission_denied()); return odd_future(permission_denied());
@ -1843,6 +1851,44 @@ mod tests {
} }
} }
#[test]
fn fetch_module_meta_fails_without_write() {
let state = IsolateState::mock();
let snapshot = libdeno::deno_buf::empty();
let permissions = DenoPermissions {
allow_read: AtomicBool::new(true),
allow_write: AtomicBool::new(false),
allow_env: AtomicBool::new(true),
allow_net: AtomicBool::new(true),
allow_run: AtomicBool::new(true),
};
let isolate = Isolate::new(snapshot, state, dispatch, permissions);
let builder = &mut FlatBufferBuilder::new();
let fetch_msg_args = msg::FetchModuleMetaDataArgs {
specifier: Some(builder.create_string("./somefile")),
referrer: Some(builder.create_string(".")),
};
let inner = msg::FetchModuleMetaData::create(builder, &fetch_msg_args);
let base_args = msg::BaseArgs {
inner: Some(inner.as_union_value()),
inner_type: msg::Any::FetchModuleMetaData,
..Default::default()
};
let base = msg::Base::create(builder, &base_args);
msg::finish_base_buffer(builder, base);
let data = builder.finished_data();
let final_msg = msg::get_root_as_base(&data);
let fetch_result = op_fetch_module_meta_data(
&isolate,
&final_msg,
libdeno::deno_buf::empty(),
).wait();
match fetch_result {
Ok(_) => assert!(true),
Err(e) => assert_eq!(e.to_string(), permission_denied().to_string()),
}
}
#[test] #[test]
fn fetch_module_meta_fails_without_net() { fn fetch_module_meta_fails_without_net() {
let state = IsolateState::mock(); let state = IsolateState::mock();
@ -1887,7 +1933,7 @@ mod tests {
let snapshot = libdeno::deno_buf::empty(); let snapshot = libdeno::deno_buf::empty();
let permissions = DenoPermissions { let permissions = DenoPermissions {
allow_read: AtomicBool::new(true), allow_read: AtomicBool::new(true),
allow_write: AtomicBool::new(false), allow_write: AtomicBool::new(true),
allow_env: AtomicBool::new(false), allow_env: AtomicBool::new(false),
allow_net: AtomicBool::new(true), allow_net: AtomicBool::new(true),
allow_run: AtomicBool::new(false), allow_run: AtomicBool::new(false),
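Review bot: The new test `fetch_module_meta_fails_without_write` cannot fail if the write check is missing or later removed, because its `Ok(_) => assert!(true),` arm accepts a successful fetch; the arm should be `Ok(_) => panic!("expected permission_denied without allow_write"),` so the test actually pins the denial. In the first hunk of this file, the write check logs `"No network permission for fetch_module_meta_data"`, apparently copied from the net check below it; it should read `debug!("No write permission for fetch_module_meta_data");` so the two denials can be told apart in logs. The neighbouring `fetch_module_meta_fails_without_net` test is only partly visible here and may share the same `Ok` arm.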