mirror of
https://github.com/denoland/deno.git
synced 2024-11-28 16:20:57 -05:00
fix(compile): relative permissions should be retained as relative (#23719)
Closes #23715
This commit is contained in:
parent
f698bc70e2
commit
2dcbef2abb
12 changed files with 624 additions and 364 deletions
File diff suppressed because it is too large
Load diff
|
@ -1524,10 +1524,6 @@ impl CliOptions {
|
||||||
&self.flags.cache_path
|
&self.flags.cache_path
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn no_prompt(&self) -> bool {
|
|
||||||
resolve_no_prompt(&self.flags)
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn no_remote(&self) -> bool {
|
pub fn no_remote(&self) -> bool {
|
||||||
self.flags.no_remote
|
self.flags.no_remote
|
||||||
}
|
}
|
||||||
|
@ -1540,45 +1536,12 @@ impl CliOptions {
|
||||||
self.flags.config_flag == deno_config::ConfigFlag::Disabled
|
self.flags.config_flag == deno_config::ConfigFlag::Disabled
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn permissions_options(&self) -> PermissionsOptions {
|
pub fn permission_flags(&self) -> &PermissionFlags {
|
||||||
PermissionsOptions {
|
&self.flags.permissions
|
||||||
allow_all: self.flags.allow_all,
|
|
||||||
allow_env: self.flags.allow_env.clone(),
|
|
||||||
deny_env: self.flags.deny_env.clone(),
|
|
||||||
allow_hrtime: self.flags.allow_hrtime,
|
|
||||||
deny_hrtime: self.flags.deny_hrtime,
|
|
||||||
allow_net: self.flags.allow_net.clone(),
|
|
||||||
deny_net: self.flags.deny_net.clone(),
|
|
||||||
allow_ffi: convert_option_str_to_path_buf(
|
|
||||||
&self.flags.allow_ffi,
|
|
||||||
self.initial_cwd(),
|
|
||||||
),
|
|
||||||
deny_ffi: convert_option_str_to_path_buf(
|
|
||||||
&self.flags.deny_ffi,
|
|
||||||
self.initial_cwd(),
|
|
||||||
),
|
|
||||||
allow_read: convert_option_str_to_path_buf(
|
|
||||||
&self.flags.allow_read,
|
|
||||||
self.initial_cwd(),
|
|
||||||
),
|
|
||||||
deny_read: convert_option_str_to_path_buf(
|
|
||||||
&self.flags.deny_read,
|
|
||||||
self.initial_cwd(),
|
|
||||||
),
|
|
||||||
allow_run: self.flags.allow_run.clone(),
|
|
||||||
deny_run: self.flags.deny_run.clone(),
|
|
||||||
allow_sys: self.flags.allow_sys.clone(),
|
|
||||||
deny_sys: self.flags.deny_sys.clone(),
|
|
||||||
allow_write: convert_option_str_to_path_buf(
|
|
||||||
&self.flags.allow_write,
|
|
||||||
self.initial_cwd(),
|
|
||||||
),
|
|
||||||
deny_write: convert_option_str_to_path_buf(
|
|
||||||
&self.flags.deny_write,
|
|
||||||
self.initial_cwd(),
|
|
||||||
),
|
|
||||||
prompt: !self.no_prompt(),
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn permissions_options(&self) -> Result<PermissionsOptions, AnyError> {
|
||||||
|
self.flags.permissions.to_options(Some(&self.initial_cwd))
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn reload_flag(&self) -> bool {
|
pub fn reload_flag(&self) -> bool {
|
||||||
|
@ -1871,7 +1834,7 @@ fn resolve_files(
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Resolves the no_prompt value based on the cli flags and environment.
|
/// Resolves the no_prompt value based on the cli flags and environment.
|
||||||
pub fn resolve_no_prompt(flags: &Flags) -> bool {
|
pub fn resolve_no_prompt(flags: &PermissionFlags) -> bool {
|
||||||
flags.no_prompt || has_flag_env_var("DENO_NO_PROMPT")
|
flags.no_prompt || has_flag_env_var("DENO_NO_PROMPT")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1887,20 +1850,6 @@ pub fn npm_pkg_req_ref_to_binary_command(
|
||||||
binary_name.to_string()
|
binary_name.to_string()
|
||||||
}
|
}
|
||||||
|
|
||||||
fn convert_option_str_to_path_buf(
|
|
||||||
flag: &Option<Vec<String>>,
|
|
||||||
initial_cwd: &Path,
|
|
||||||
) -> Option<Vec<PathBuf>> {
|
|
||||||
if let Some(allow_ffi_paths) = &flag {
|
|
||||||
let mut full_paths = Vec::new();
|
|
||||||
full_paths
|
|
||||||
.extend(allow_ffi_paths.iter().map(|path| initial_cwd.join(path)));
|
|
||||||
Some(full_paths)
|
|
||||||
} else {
|
|
||||||
None
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod test {
|
mod test {
|
||||||
use crate::util::fs::FileCollector;
|
use crate::util::fs::FileCollector;
|
||||||
|
|
|
@ -218,7 +218,7 @@ impl TestRun {
|
||||||
// `PermissionsContainer` - otherwise granting/revoking permissions in one
|
// `PermissionsContainer` - otherwise granting/revoking permissions in one
|
||||||
// file would have impact on other files, which is undesirable.
|
// file would have impact on other files, which is undesirable.
|
||||||
let permissions =
|
let permissions =
|
||||||
Permissions::from_options(&factory.cli_options().permissions_options())?;
|
Permissions::from_options(&factory.cli_options().permissions_options()?)?;
|
||||||
test::check_specifiers(
|
test::check_specifiers(
|
||||||
factory.cli_options(),
|
factory.cli_options(),
|
||||||
factory.file_fetcher()?,
|
factory.file_fetcher()?,
|
||||||
|
|
|
@ -24,7 +24,6 @@ use deno_core::futures::AsyncSeekExt;
|
||||||
use deno_core::serde_json;
|
use deno_core::serde_json;
|
||||||
use deno_core::url::Url;
|
use deno_core::url::Url;
|
||||||
use deno_npm::NpmSystemInfo;
|
use deno_npm::NpmSystemInfo;
|
||||||
use deno_runtime::permissions::PermissionsOptions;
|
|
||||||
use deno_semver::package::PackageReq;
|
use deno_semver::package::PackageReq;
|
||||||
use deno_semver::VersionReqSpecifierParseError;
|
use deno_semver::VersionReqSpecifierParseError;
|
||||||
use log::Level;
|
use log::Level;
|
||||||
|
@ -37,6 +36,7 @@ use crate::args::CaData;
|
||||||
use crate::args::CliOptions;
|
use crate::args::CliOptions;
|
||||||
use crate::args::CompileFlags;
|
use crate::args::CompileFlags;
|
||||||
use crate::args::PackageJsonDepsProvider;
|
use crate::args::PackageJsonDepsProvider;
|
||||||
|
use crate::args::PermissionFlags;
|
||||||
use crate::args::UnstableConfig;
|
use crate::args::UnstableConfig;
|
||||||
use crate::cache::DenoDir;
|
use crate::cache::DenoDir;
|
||||||
use crate::file_fetcher::FileFetcher;
|
use crate::file_fetcher::FileFetcher;
|
||||||
|
@ -134,7 +134,7 @@ pub enum NodeModules {
|
||||||
pub struct Metadata {
|
pub struct Metadata {
|
||||||
pub argv: Vec<String>,
|
pub argv: Vec<String>,
|
||||||
pub seed: Option<u64>,
|
pub seed: Option<u64>,
|
||||||
pub permissions: PermissionsOptions,
|
pub permissions: PermissionFlags,
|
||||||
pub location: Option<Url>,
|
pub location: Option<Url>,
|
||||||
pub v8_flags: Vec<String>,
|
pub v8_flags: Vec<String>,
|
||||||
pub log_level: Option<Level>,
|
pub log_level: Option<Level>,
|
||||||
|
@ -621,7 +621,7 @@ impl<'a> DenoCompileBinaryWriter<'a> {
|
||||||
argv: compile_flags.args.clone(),
|
argv: compile_flags.args.clone(),
|
||||||
seed: cli_options.seed(),
|
seed: cli_options.seed(),
|
||||||
location: cli_options.location_flag().clone(),
|
location: cli_options.location_flag().clone(),
|
||||||
permissions: cli_options.permissions_options(),
|
permissions: cli_options.permission_flags().clone(),
|
||||||
v8_flags: cli_options.v8_flags().clone(),
|
v8_flags: cli_options.v8_flags().clone(),
|
||||||
unsafely_ignore_certificate_errors: cli_options
|
unsafely_ignore_certificate_errors: cli_options
|
||||||
.unsafely_ignore_certificate_errors()
|
.unsafely_ignore_certificate_errors()
|
||||||
|
|
|
@ -499,7 +499,9 @@ pub async fn run(
|
||||||
};
|
};
|
||||||
|
|
||||||
let permissions = {
|
let permissions = {
|
||||||
let mut permissions = metadata.permissions;
|
let maybe_cwd = std::env::current_dir().ok();
|
||||||
|
let mut permissions =
|
||||||
|
metadata.permissions.to_options(maybe_cwd.as_deref())?;
|
||||||
// if running with an npm vfs, grant read access to it
|
// if running with an npm vfs, grant read access to it
|
||||||
if let Some(vfs_root) = maybe_vfs_root {
|
if let Some(vfs_root) = maybe_vfs_root {
|
||||||
match &mut permissions.allow_read {
|
match &mut permissions.allow_read {
|
||||||
|
|
|
@ -433,7 +433,7 @@ pub async fn run_benchmarks(
|
||||||
// `PermissionsContainer` - otherwise granting/revoking permissions in one
|
// `PermissionsContainer` - otherwise granting/revoking permissions in one
|
||||||
// file would have impact on other files, which is undesirable.
|
// file would have impact on other files, which is undesirable.
|
||||||
let permissions =
|
let permissions =
|
||||||
Permissions::from_options(&cli_options.permissions_options())?;
|
Permissions::from_options(&cli_options.permissions_options()?)?;
|
||||||
|
|
||||||
let specifiers = collect_specifiers(
|
let specifiers = collect_specifiers(
|
||||||
bench_options.files,
|
bench_options.files,
|
||||||
|
@ -519,7 +519,7 @@ pub async fn run_benchmarks_with_watch(
|
||||||
// `PermissionsContainer` - otherwise granting/revoking permissions in one
|
// `PermissionsContainer` - otherwise granting/revoking permissions in one
|
||||||
// file would have impact on other files, which is undesirable.
|
// file would have impact on other files, which is undesirable.
|
||||||
let permissions =
|
let permissions =
|
||||||
Permissions::from_options(&cli_options.permissions_options())?;
|
Permissions::from_options(&cli_options.permissions_options()?)?;
|
||||||
|
|
||||||
let graph = module_graph_creator
|
let graph = module_graph_creator
|
||||||
.create_graph(graph_kind, bench_modules)
|
.create_graph(graph_kind, bench_modules)
|
||||||
|
|
|
@ -426,7 +426,7 @@ async fn resolve_shim_data(
|
||||||
executable_args.push("--cached-only".to_string());
|
executable_args.push("--cached-only".to_string());
|
||||||
}
|
}
|
||||||
|
|
||||||
if resolve_no_prompt(flags) {
|
if resolve_no_prompt(&flags.permissions) {
|
||||||
executable_args.push("--no-prompt".to_string());
|
executable_args.push("--no-prompt".to_string());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -527,6 +527,7 @@ fn is_in_path(dir: &Path) -> bool {
|
||||||
mod tests {
|
mod tests {
|
||||||
use super::*;
|
use super::*;
|
||||||
|
|
||||||
|
use crate::args::PermissionFlags;
|
||||||
use crate::args::UninstallFlagsGlobal;
|
use crate::args::UninstallFlagsGlobal;
|
||||||
use crate::args::UnstableConfig;
|
use crate::args::UnstableConfig;
|
||||||
use crate::util::fs::canonicalize_path;
|
use crate::util::fs::canonicalize_path;
|
||||||
|
@ -878,8 +879,11 @@ mod tests {
|
||||||
async fn install_with_flags() {
|
async fn install_with_flags() {
|
||||||
let shim_data = resolve_shim_data(
|
let shim_data = resolve_shim_data(
|
||||||
&Flags {
|
&Flags {
|
||||||
|
permissions: PermissionFlags {
|
||||||
allow_net: Some(vec![]),
|
allow_net: Some(vec![]),
|
||||||
allow_read: Some(vec![]),
|
allow_read: Some(vec![]),
|
||||||
|
..Default::default()
|
||||||
|
},
|
||||||
type_check_mode: TypeCheckMode::None,
|
type_check_mode: TypeCheckMode::None,
|
||||||
log_level: Some(Level::Error),
|
log_level: Some(Level::Error),
|
||||||
..Flags::default()
|
..Flags::default()
|
||||||
|
@ -914,7 +918,10 @@ mod tests {
|
||||||
async fn install_prompt() {
|
async fn install_prompt() {
|
||||||
let shim_data = resolve_shim_data(
|
let shim_data = resolve_shim_data(
|
||||||
&Flags {
|
&Flags {
|
||||||
|
permissions: PermissionFlags {
|
||||||
no_prompt: true,
|
no_prompt: true,
|
||||||
|
..Default::default()
|
||||||
|
},
|
||||||
..Flags::default()
|
..Flags::default()
|
||||||
},
|
},
|
||||||
&InstallFlagsGlobal {
|
&InstallFlagsGlobal {
|
||||||
|
@ -943,7 +950,10 @@ mod tests {
|
||||||
async fn install_allow_all() {
|
async fn install_allow_all() {
|
||||||
let shim_data = resolve_shim_data(
|
let shim_data = resolve_shim_data(
|
||||||
&Flags {
|
&Flags {
|
||||||
|
permissions: PermissionFlags {
|
||||||
allow_all: true,
|
allow_all: true,
|
||||||
|
..Default::default()
|
||||||
|
},
|
||||||
..Flags::default()
|
..Flags::default()
|
||||||
},
|
},
|
||||||
&InstallFlagsGlobal {
|
&InstallFlagsGlobal {
|
||||||
|
@ -973,7 +983,10 @@ mod tests {
|
||||||
let temp_dir = canonicalize_path(&env::temp_dir()).unwrap();
|
let temp_dir = canonicalize_path(&env::temp_dir()).unwrap();
|
||||||
let shim_data = resolve_shim_data(
|
let shim_data = resolve_shim_data(
|
||||||
&Flags {
|
&Flags {
|
||||||
|
permissions: PermissionFlags {
|
||||||
allow_all: true,
|
allow_all: true,
|
||||||
|
..Default::default()
|
||||||
|
},
|
||||||
..Flags::default()
|
..Flags::default()
|
||||||
},
|
},
|
||||||
&InstallFlagsGlobal {
|
&InstallFlagsGlobal {
|
||||||
|
@ -1006,7 +1019,10 @@ mod tests {
|
||||||
async fn install_npm_no_lock() {
|
async fn install_npm_no_lock() {
|
||||||
let shim_data = resolve_shim_data(
|
let shim_data = resolve_shim_data(
|
||||||
&Flags {
|
&Flags {
|
||||||
|
permissions: PermissionFlags {
|
||||||
allow_all: true,
|
allow_all: true,
|
||||||
|
..Default::default()
|
||||||
|
},
|
||||||
no_lock: true,
|
no_lock: true,
|
||||||
..Flags::default()
|
..Flags::default()
|
||||||
},
|
},
|
||||||
|
|
|
@ -157,7 +157,7 @@ pub async fn run(flags: Flags, repl_flags: ReplFlags) -> Result<i32, AnyError> {
|
||||||
let cli_options = factory.cli_options();
|
let cli_options = factory.cli_options();
|
||||||
let main_module = cli_options.resolve_main_module()?;
|
let main_module = cli_options.resolve_main_module()?;
|
||||||
let permissions = PermissionsContainer::new(Permissions::from_options(
|
let permissions = PermissionsContainer::new(Permissions::from_options(
|
||||||
&cli_options.permissions_options(),
|
&cli_options.permissions_options()?,
|
||||||
)?);
|
)?);
|
||||||
let npm_resolver = factory.npm_resolver().await?.clone();
|
let npm_resolver = factory.npm_resolver().await?.clone();
|
||||||
let resolver = factory.resolver().await?.clone();
|
let resolver = factory.resolver().await?.clone();
|
||||||
|
|
|
@ -65,7 +65,7 @@ To grant permissions, set them before the script argument. For example:
|
||||||
maybe_npm_install(&factory).await?;
|
maybe_npm_install(&factory).await?;
|
||||||
|
|
||||||
let permissions = PermissionsContainer::new(Permissions::from_options(
|
let permissions = PermissionsContainer::new(Permissions::from_options(
|
||||||
&cli_options.permissions_options(),
|
&cli_options.permissions_options()?,
|
||||||
)?);
|
)?);
|
||||||
let worker_factory = factory.create_cli_main_worker_factory().await?;
|
let worker_factory = factory.create_cli_main_worker_factory().await?;
|
||||||
let mut worker = worker_factory
|
let mut worker = worker_factory
|
||||||
|
@ -86,7 +86,7 @@ pub async fn run_from_stdin(flags: Flags) -> Result<i32, AnyError> {
|
||||||
let file_fetcher = factory.file_fetcher()?;
|
let file_fetcher = factory.file_fetcher()?;
|
||||||
let worker_factory = factory.create_cli_main_worker_factory().await?;
|
let worker_factory = factory.create_cli_main_worker_factory().await?;
|
||||||
let permissions = PermissionsContainer::new(Permissions::from_options(
|
let permissions = PermissionsContainer::new(Permissions::from_options(
|
||||||
&cli_options.permissions_options(),
|
&cli_options.permissions_options()?,
|
||||||
)?);
|
)?);
|
||||||
let mut source = Vec::new();
|
let mut source = Vec::new();
|
||||||
std::io::stdin().read_to_end(&mut source)?;
|
std::io::stdin().read_to_end(&mut source)?;
|
||||||
|
@ -132,7 +132,7 @@ async fn run_with_watch(
|
||||||
let _ = watcher_communicator.watch_paths(cli_options.watch_paths());
|
let _ = watcher_communicator.watch_paths(cli_options.watch_paths());
|
||||||
|
|
||||||
let permissions = PermissionsContainer::new(Permissions::from_options(
|
let permissions = PermissionsContainer::new(Permissions::from_options(
|
||||||
&cli_options.permissions_options(),
|
&cli_options.permissions_options()?,
|
||||||
)?);
|
)?);
|
||||||
let mut worker = factory
|
let mut worker = factory
|
||||||
.create_cli_main_worker_factory()
|
.create_cli_main_worker_factory()
|
||||||
|
@ -182,7 +182,7 @@ pub async fn eval_command(
|
||||||
});
|
});
|
||||||
|
|
||||||
let permissions = PermissionsContainer::new(Permissions::from_options(
|
let permissions = PermissionsContainer::new(Permissions::from_options(
|
||||||
&cli_options.permissions_options(),
|
&cli_options.permissions_options()?,
|
||||||
)?);
|
)?);
|
||||||
let worker_factory = factory.create_cli_main_worker_factory().await?;
|
let worker_factory = factory.create_cli_main_worker_factory().await?;
|
||||||
let mut worker = worker_factory
|
let mut worker = worker_factory
|
||||||
|
|
|
@ -1704,7 +1704,7 @@ pub async fn run_tests(
|
||||||
// `PermissionsContainer` - otherwise granting/revoking permissions in one
|
// `PermissionsContainer` - otherwise granting/revoking permissions in one
|
||||||
// file would have impact on other files, which is undesirable.
|
// file would have impact on other files, which is undesirable.
|
||||||
let permissions =
|
let permissions =
|
||||||
Permissions::from_options(&cli_options.permissions_options())?;
|
Permissions::from_options(&cli_options.permissions_options()?)?;
|
||||||
let log_level = cli_options.log_level();
|
let log_level = cli_options.log_level();
|
||||||
|
|
||||||
let specifiers_with_mode = fetch_specifiers_with_test_mode(
|
let specifiers_with_mode = fetch_specifiers_with_test_mode(
|
||||||
|
@ -1834,7 +1834,7 @@ pub async fn run_tests_with_watch(
|
||||||
}?;
|
}?;
|
||||||
|
|
||||||
let permissions =
|
let permissions =
|
||||||
Permissions::from_options(&cli_options.permissions_options())?;
|
Permissions::from_options(&cli_options.permissions_options()?)?;
|
||||||
let graph = module_graph_creator
|
let graph = module_graph_creator
|
||||||
.create_graph(graph_kind, test_modules)
|
.create_graph(graph_kind, test_modules)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
26
tests/specs/compile/relative_permissions/__test__.jsonc
Normal file
26
tests/specs/compile/relative_permissions/__test__.jsonc
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
{
|
||||||
|
"tempDir": true,
|
||||||
|
"steps": [{
|
||||||
|
"if": "unix",
|
||||||
|
"args": "compile --output=main --no-prompt --allow-read=a.txt main.ts",
|
||||||
|
"output": "[WILDCARD]"
|
||||||
|
}, {
|
||||||
|
"if": "unix",
|
||||||
|
"commandName": "./main",
|
||||||
|
"args": [],
|
||||||
|
"output": "No such file[WILDCARD]"
|
||||||
|
}, {
|
||||||
|
"if": "unix",
|
||||||
|
"args": [
|
||||||
|
"eval",
|
||||||
|
"Deno.mkdirSync('sub_dir');"
|
||||||
|
],
|
||||||
|
"output": "[WILDCARD]"
|
||||||
|
}, {
|
||||||
|
"if": "unix",
|
||||||
|
"commandName": "../main",
|
||||||
|
"cwd": "sub_dir",
|
||||||
|
"args": [],
|
||||||
|
"output": "No such file[WILDCARD]"
|
||||||
|
}]
|
||||||
|
}
|
5
tests/specs/compile/relative_permissions/main.ts
Normal file
5
tests/specs/compile/relative_permissions/main.ts
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
try {
|
||||||
|
Deno.readTextFileSync("a.txt");
|
||||||
|
} catch (err) {
|
||||||
|
console.log(err.message);
|
||||||
|
}
|
Loading…
Reference in a new issue