mirror of https://github.com/denoland/deno.git synced 2024-11-28 16:20:57 -05:00

fix(compile): relative permissions should be retained as relative (#23719)

Closes #23715
David Sherret 2024-05-06 19:21:58 -04:00 committed by GitHub
parent f698bc70e2
commit 2dcbef2abb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 624 additions and 364 deletions

File diff suppressed because it is too large Load diff


@ -1524,10 +1524,6 @@ impl CliOptions {
&self.flags.cache_path &self.flags.cache_path
} }
pub fn no_prompt(&self) -> bool {
resolve_no_prompt(&self.flags)
}
pub fn no_remote(&self) -> bool { pub fn no_remote(&self) -> bool {
self.flags.no_remote self.flags.no_remote
} }
@ -1540,45 +1536,12 @@ impl CliOptions {
self.flags.config_flag == deno_config::ConfigFlag::Disabled self.flags.config_flag == deno_config::ConfigFlag::Disabled
} }
pub fn permissions_options(&self) -> PermissionsOptions { pub fn permission_flags(&self) -> &PermissionFlags {
PermissionsOptions { &self.flags.permissions
allow_all: self.flags.allow_all,
allow_env: self.flags.allow_env.clone(),
deny_env: self.flags.deny_env.clone(),
allow_hrtime: self.flags.allow_hrtime,
deny_hrtime: self.flags.deny_hrtime,
allow_net: self.flags.allow_net.clone(),
deny_net: self.flags.deny_net.clone(),
allow_ffi: convert_option_str_to_path_buf(
&self.flags.allow_ffi,
self.initial_cwd(),
),
deny_ffi: convert_option_str_to_path_buf(
&self.flags.deny_ffi,
self.initial_cwd(),
),
allow_read: convert_option_str_to_path_buf(
&self.flags.allow_read,
self.initial_cwd(),
),
deny_read: convert_option_str_to_path_buf(
&self.flags.deny_read,
self.initial_cwd(),
),
allow_run: self.flags.allow_run.clone(),
deny_run: self.flags.deny_run.clone(),
allow_sys: self.flags.allow_sys.clone(),
deny_sys: self.flags.deny_sys.clone(),
allow_write: convert_option_str_to_path_buf(
&self.flags.allow_write,
self.initial_cwd(),
),
deny_write: convert_option_str_to_path_buf(
&self.flags.deny_write,
self.initial_cwd(),
),
prompt: !self.no_prompt(),
} }
pub fn permissions_options(&self) -> Result<PermissionsOptions, AnyError> {
self.flags.permissions.to_options(Some(&self.initial_cwd))
} }
pub fn reload_flag(&self) -> bool { pub fn reload_flag(&self) -> bool {
@ -1871,7 +1834,7 @@ fn resolve_files(
} }
/// Resolves the no_prompt value based on the cli flags and environment. /// Resolves the no_prompt value based on the cli flags and environment.
pub fn resolve_no_prompt(flags: &Flags) -> bool { pub fn resolve_no_prompt(flags: &PermissionFlags) -> bool {
flags.no_prompt || has_flag_env_var("DENO_NO_PROMPT") flags.no_prompt || has_flag_env_var("DENO_NO_PROMPT")
} }
@ -1887,20 +1850,6 @@ pub fn npm_pkg_req_ref_to_binary_command(
binary_name.to_string() binary_name.to_string()
} }
fn convert_option_str_to_path_buf(
flag: &Option<Vec<String>>,
initial_cwd: &Path,
) -> Option<Vec<PathBuf>> {
if let Some(allow_ffi_paths) = &flag {
let mut full_paths = Vec::new();
full_paths
.extend(allow_ffi_paths.iter().map(|path| initial_cwd.join(path)));
Some(full_paths)
} else {
None
}
}
#[cfg(test)] #[cfg(test)]
mod test { mod test {
use crate::util::fs::FileCollector; use crate::util::fs::FileCollector;
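Review bot: The two public accessors introduced in the second hunk, `permission_flags` and the now-fallible `permissions_options`, have no doc comments, yet they differ in a way that matters for enforcement: one returns the flags as typed, the other the options built with `initial_cwd`. I would add `/// Permission flags as given on the command line; relative paths are NOT resolved.` above `permission_flags` and `/// Permission options built from the flags using the initial cwd; returns an error if conversion fails.` above `permissions_options`. The body of `to_options` is in the suppressed diff, so the exact resolution and error conditions should be confirmed there before wording the second comment more precisely. `impl CliOptions` starts and ends outside these hunks.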


@ -218,7 +218,7 @@ impl TestRun {
// `PermissionsContainer` - otherwise granting/revoking permissions in one // `PermissionsContainer` - otherwise granting/revoking permissions in one
// file would have impact on other files, which is undesirable. // file would have impact on other files, which is undesirable.
let permissions = let permissions =
Permissions::from_options(&factory.cli_options().permissions_options())?; Permissions::from_options(&factory.cli_options().permissions_options()?)?;
test::check_specifiers( test::check_specifiers(
factory.cli_options(), factory.cli_options(),
factory.file_fetcher()?, factory.file_fetcher()?,


@ -24,7 +24,6 @@ use deno_core::futures::AsyncSeekExt;
use deno_core::serde_json; use deno_core::serde_json;
use deno_core::url::Url; use deno_core::url::Url;
use deno_npm::NpmSystemInfo; use deno_npm::NpmSystemInfo;
use deno_runtime::permissions::PermissionsOptions;
use deno_semver::package::PackageReq; use deno_semver::package::PackageReq;
use deno_semver::VersionReqSpecifierParseError; use deno_semver::VersionReqSpecifierParseError;
use log::Level; use log::Level;
@ -37,6 +36,7 @@ use crate::args::CaData;
use crate::args::CliOptions; use crate::args::CliOptions;
use crate::args::CompileFlags; use crate::args::CompileFlags;
use crate::args::PackageJsonDepsProvider; use crate::args::PackageJsonDepsProvider;
use crate::args::PermissionFlags;
use crate::args::UnstableConfig; use crate::args::UnstableConfig;
use crate::cache::DenoDir; use crate::cache::DenoDir;
use crate::file_fetcher::FileFetcher; use crate::file_fetcher::FileFetcher;
@ -134,7 +134,7 @@ pub enum NodeModules {
pub struct Metadata { pub struct Metadata {
pub argv: Vec<String>, pub argv: Vec<String>,
pub seed: Option<u64>, pub seed: Option<u64>,
pub permissions: PermissionsOptions, pub permissions: PermissionFlags,
pub location: Option<Url>, pub location: Option<Url>,
pub v8_flags: Vec<String>, pub v8_flags: Vec<String>,
pub log_level: Option<Level>, pub log_level: Option<Level>,
@ -621,7 +621,7 @@ impl<'a> DenoCompileBinaryWriter<'a> {
argv: compile_flags.args.clone(), argv: compile_flags.args.clone(),
seed: cli_options.seed(), seed: cli_options.seed(),
location: cli_options.location_flag().clone(), location: cli_options.location_flag().clone(),
permissions: cli_options.permissions_options(), permissions: cli_options.permission_flags().clone(),
v8_flags: cli_options.v8_flags().clone(), v8_flags: cli_options.v8_flags().clone(),
unsafely_ignore_certificate_errors: cli_options unsafely_ignore_certificate_errors: cli_options
.unsafely_ignore_certificate_errors() .unsafely_ignore_certificate_errors()
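Review bot: `Metadata::permissions` now carries `PermissionFlags` instead of resolved `PermissionsOptions`, and the field has no comment saying that the paths embedded in the compiled binary are unresolved. That changes what the stored grant means: a relative `--allow-read` entry is no longer pinned to the directory where `deno compile` ran. I would document it on the field, e.g. `/// Permission flags exactly as passed to compile; relative paths are resolved against the cwd when the binary starts.` The struct and the writer method both continue outside the hunks shown.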


@ -499,7 +499,9 @@ pub async fn run(
}; };
let permissions = { let permissions = {
let mut permissions = metadata.permissions; let maybe_cwd = std::env::current_dir().ok();
let mut permissions =
metadata.permissions.to_options(maybe_cwd.as_deref())?;
// if running with an npm vfs, grant read access to it // if running with an npm vfs, grant read access to it
if let Some(vfs_root) = maybe_vfs_root { if let Some(vfs_root) = maybe_vfs_root {
match &mut permissions.allow_read { match &mut permissions.allow_read {
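Review bot: `std::env::current_dir().ok()` discards the error when the working directory cannot be determined, so `to_options` is called with `None`, and this hunk does not show what then happens to a relative permission path. The implementation is in the suppressed diff; it should be confirmed that a relative entry with no cwd produces an error rather than being kept unresolved, since an unresolved path would be matched against whatever directory the process is in later. A comment above the binding would record that contract, e.g. `// cwd can be unavailable; to_options is expected to reject relative permission paths in that case`. The body of `run` continues outside the hunk.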


@ -433,7 +433,7 @@ pub async fn run_benchmarks(
// `PermissionsContainer` - otherwise granting/revoking permissions in one // `PermissionsContainer` - otherwise granting/revoking permissions in one
// file would have impact on other files, which is undesirable. // file would have impact on other files, which is undesirable.
let permissions = let permissions =
Permissions::from_options(&cli_options.permissions_options())?; Permissions::from_options(&cli_options.permissions_options()?)?;
let specifiers = collect_specifiers( let specifiers = collect_specifiers(
bench_options.files, bench_options.files,
@ -519,7 +519,7 @@ pub async fn run_benchmarks_with_watch(
// `PermissionsContainer` - otherwise granting/revoking permissions in one // `PermissionsContainer` - otherwise granting/revoking permissions in one
// file would have impact on other files, which is undesirable. // file would have impact on other files, which is undesirable.
let permissions = let permissions =
Permissions::from_options(&cli_options.permissions_options())?; Permissions::from_options(&cli_options.permissions_options()?)?;
let graph = module_graph_creator let graph = module_graph_creator
.create_graph(graph_kind, bench_modules) .create_graph(graph_kind, bench_modules)


@ -426,7 +426,7 @@ async fn resolve_shim_data(
executable_args.push("--cached-only".to_string()); executable_args.push("--cached-only".to_string());
} }
if resolve_no_prompt(flags) { if resolve_no_prompt(&flags.permissions) {
executable_args.push("--no-prompt".to_string()); executable_args.push("--no-prompt".to_string());
} }
@ -527,6 +527,7 @@ fn is_in_path(dir: &Path) -> bool {
mod tests { mod tests {
use super::*; use super::*;
use crate::args::PermissionFlags;
use crate::args::UninstallFlagsGlobal; use crate::args::UninstallFlagsGlobal;
use crate::args::UnstableConfig; use crate::args::UnstableConfig;
use crate::util::fs::canonicalize_path; use crate::util::fs::canonicalize_path;
@ -878,8 +879,11 @@ mod tests {
async fn install_with_flags() { async fn install_with_flags() {
let shim_data = resolve_shim_data( let shim_data = resolve_shim_data(
&Flags { &Flags {
permissions: PermissionFlags {
allow_net: Some(vec![]), allow_net: Some(vec![]),
allow_read: Some(vec![]), allow_read: Some(vec![]),
..Default::default()
},
type_check_mode: TypeCheckMode::None, type_check_mode: TypeCheckMode::None,
log_level: Some(Level::Error), log_level: Some(Level::Error),
..Flags::default() ..Flags::default()
@ -914,7 +918,10 @@ mod tests {
async fn install_prompt() { async fn install_prompt() {
let shim_data = resolve_shim_data( let shim_data = resolve_shim_data(
&Flags { &Flags {
permissions: PermissionFlags {
no_prompt: true, no_prompt: true,
..Default::default()
},
..Flags::default() ..Flags::default()
}, },
&InstallFlagsGlobal { &InstallFlagsGlobal {
@ -943,7 +950,10 @@ mod tests {
async fn install_allow_all() { async fn install_allow_all() {
let shim_data = resolve_shim_data( let shim_data = resolve_shim_data(
&Flags { &Flags {
permissions: PermissionFlags {
allow_all: true, allow_all: true,
..Default::default()
},
..Flags::default() ..Flags::default()
}, },
&InstallFlagsGlobal { &InstallFlagsGlobal {
@ -973,7 +983,10 @@ mod tests {
let temp_dir = canonicalize_path(&env::temp_dir()).unwrap(); let temp_dir = canonicalize_path(&env::temp_dir()).unwrap();
let shim_data = resolve_shim_data( let shim_data = resolve_shim_data(
&Flags { &Flags {
permissions: PermissionFlags {
allow_all: true, allow_all: true,
..Default::default()
},
..Flags::default() ..Flags::default()
}, },
&InstallFlagsGlobal { &InstallFlagsGlobal {
@ -1006,7 +1019,10 @@ mod tests {
async fn install_npm_no_lock() { async fn install_npm_no_lock() {
let shim_data = resolve_shim_data( let shim_data = resolve_shim_data(
&Flags { &Flags {
permissions: PermissionFlags {
allow_all: true, allow_all: true,
..Default::default()
},
no_lock: true, no_lock: true,
..Flags::default() ..Flags::default()
}, },


@ -157,7 +157,7 @@ pub async fn run(flags: Flags, repl_flags: ReplFlags) -> Result<i32, AnyError> {
let cli_options = factory.cli_options(); let cli_options = factory.cli_options();
let main_module = cli_options.resolve_main_module()?; let main_module = cli_options.resolve_main_module()?;
let permissions = PermissionsContainer::new(Permissions::from_options( let permissions = PermissionsContainer::new(Permissions::from_options(
&cli_options.permissions_options(), &cli_options.permissions_options()?,
)?); )?);
let npm_resolver = factory.npm_resolver().await?.clone(); let npm_resolver = factory.npm_resolver().await?.clone();
let resolver = factory.resolver().await?.clone(); let resolver = factory.resolver().await?.clone();


@ -65,7 +65,7 @@ To grant permissions, set them before the script argument. For example:
maybe_npm_install(&factory).await?; maybe_npm_install(&factory).await?;
let permissions = PermissionsContainer::new(Permissions::from_options( let permissions = PermissionsContainer::new(Permissions::from_options(
&cli_options.permissions_options(), &cli_options.permissions_options()?,
)?); )?);
let worker_factory = factory.create_cli_main_worker_factory().await?; let worker_factory = factory.create_cli_main_worker_factory().await?;
let mut worker = worker_factory let mut worker = worker_factory
@ -86,7 +86,7 @@ pub async fn run_from_stdin(flags: Flags) -> Result<i32, AnyError> {
let file_fetcher = factory.file_fetcher()?; let file_fetcher = factory.file_fetcher()?;
let worker_factory = factory.create_cli_main_worker_factory().await?; let worker_factory = factory.create_cli_main_worker_factory().await?;
let permissions = PermissionsContainer::new(Permissions::from_options( let permissions = PermissionsContainer::new(Permissions::from_options(
&cli_options.permissions_options(), &cli_options.permissions_options()?,
)?); )?);
let mut source = Vec::new(); let mut source = Vec::new();
std::io::stdin().read_to_end(&mut source)?; std::io::stdin().read_to_end(&mut source)?;
@ -132,7 +132,7 @@ async fn run_with_watch(
let _ = watcher_communicator.watch_paths(cli_options.watch_paths()); let _ = watcher_communicator.watch_paths(cli_options.watch_paths());
let permissions = PermissionsContainer::new(Permissions::from_options( let permissions = PermissionsContainer::new(Permissions::from_options(
&cli_options.permissions_options(), &cli_options.permissions_options()?,
)?); )?);
let mut worker = factory let mut worker = factory
.create_cli_main_worker_factory() .create_cli_main_worker_factory()
@ -182,7 +182,7 @@ pub async fn eval_command(
}); });
let permissions = PermissionsContainer::new(Permissions::from_options( let permissions = PermissionsContainer::new(Permissions::from_options(
&cli_options.permissions_options(), &cli_options.permissions_options()?,
)?); )?);
let worker_factory = factory.create_cli_main_worker_factory().await?; let worker_factory = factory.create_cli_main_worker_factory().await?;
let mut worker = worker_factory let mut worker = worker_factory


@ -1704,7 +1704,7 @@ pub async fn run_tests(
// `PermissionsContainer` - otherwise granting/revoking permissions in one // `PermissionsContainer` - otherwise granting/revoking permissions in one
// file would have impact on other files, which is undesirable. // file would have impact on other files, which is undesirable.
let permissions = let permissions =
Permissions::from_options(&cli_options.permissions_options())?; Permissions::from_options(&cli_options.permissions_options()?)?;
let log_level = cli_options.log_level(); let log_level = cli_options.log_level();
let specifiers_with_mode = fetch_specifiers_with_test_mode( let specifiers_with_mode = fetch_specifiers_with_test_mode(
@ -1834,7 +1834,7 @@ pub async fn run_tests_with_watch(
}?; }?;
let permissions = let permissions =
Permissions::from_options(&cli_options.permissions_options())?; Permissions::from_options(&cli_options.permissions_options()?)?;
let graph = module_graph_creator let graph = module_graph_creator
.create_graph(graph_kind, test_modules) .create_graph(graph_kind, test_modules)
.await?; .await?;


@ -0,0 +1,26 @@
{
"tempDir": true,
"steps": [{
"if": "unix",
"args": "compile --output=main --no-prompt --allow-read=a.txt main.ts",
"output": "[WILDCARD]"
}, {
"if": "unix",
"commandName": "./main",
"args": [],
"output": "No such file[WILDCARD]"
}, {
"if": "unix",
"args": [
"eval",
"Deno.mkdirSync('sub_dir');"
],
"output": "[WILDCARD]"
}, {
"if": "unix",
"commandName": "../main",
"cwd": "sub_dir",
"args": [],
"output": "No such file[WILDCARD]"
}]
}
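Review bot: Both runs of the compiled binary assert only the allowed case (`No such file`), so the spec would still pass if the relative `--allow-read=a.txt` grant covered more than that one file after the change of directory. A second read in `main.ts` of a path outside the grant, with the resulting permission error added to each step's `output`, would pin the boundary; `--no-prompt` is already in the compile args, so the denial would not block on a prompt. Every step is also gated on `"if": "unix"`, so Windows path handling is not exercised by this test.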


@ -0,0 +1,5 @@
try {
Deno.readTextFileSync("a.txt");
} catch (err) {
console.log(err.message);
}