foster/denoland-deno
1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-11-21 15:04:11 -05:00
Code Issues Packages 1 Wiki Activity

BREAKING(permissions): remove --allow-hrtime (#25367)

Browse source 
Remove `--allow-hrtime` and `--deny-hrtime`. We are doing this because
it is already possible to get access to high resolution timers through
workers and SharedArrayBuffer.

Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
This commit is contained in:
Luca Casonato 2024-09-03 11:24:25 +02:00 committed by GitHub
parent b5695d02df
commit 5cf97f539b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
34 changed files with 30 additions and 270 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

81
cli/args/flags.rs
View file

@ -619,8 +619,6 @@ pub struct PermissionFlags {
pub allow_all: bool,
pub allow_env: Option<Vec<String>>,
pub deny_env: Option<Vec<String>>,
pub allow_hrtime: bool,
pub deny_hrtime: bool,
pub allow_ffi: Option<Vec<String>>,
pub deny_ffi: Option<Vec<String>>,
pub allow_net: Option<Vec<String>>,
@ -641,8 +639,6 @@ impl PermissionFlags {
self.allow_all
|| self.allow_env.is_some()
|| self.deny_env.is_some()
|| self.allow_hrtime
|| self.deny_hrtime
|| self.allow_ffi.is_some()
|| self.deny_ffi.is_some()
|| self.allow_net.is_some()
@ -690,8 +686,6 @@ impl PermissionFlags {
allow_all: self.allow_all,
allow_env: self.allow_env.clone(),
deny_env: self.deny_env.clone(),
allow_hrtime: self.allow_hrtime,
deny_hrtime: self.deny_hrtime,
allow_net: self.allow_net.clone(),
deny_net: self.deny_net.clone(),
allow_ffi: convert_option_str_to_path_buf(&self.allow_ffi, initial_cwd)?,
@ -905,14 +899,6 @@ impl Flags {
_ => {}
}
if self.permissions.allow_hrtime {
args.push("--allow-hrtime".to_string());
}
if self.permissions.deny_hrtime {
args.push("--deny-hrtime".to_string());
}
args
}
@ -996,8 +982,6 @@ impl Flags {
pub fn has_permission_in_argv(&self) -> bool {
self.argv.iter().any(|arg| {
arg == "--allow-all"
|| arg == "--allow-hrtime"
|| arg == "--deny-hrtime"
|| arg.starts_with("--allow-env")
|| arg.starts_with("--deny-env")
|| arg.starts_with("--allow-ffi")
@ -1025,7 +1009,6 @@ impl Flags {
self.permissions.allow_write = Some(vec![]);
self.permissions.allow_sys = Some(vec![]);
self.permissions.allow_ffi = Some(vec![]);
self.permissions.allow_hrtime = true;
}
pub fn resolve_watch_exclude_set(
@ -1393,7 +1376,6 @@ fn handle_repl_flags(flags: &mut Flags, repl_flags: ReplFlags) {
flags.permissions.allow_sys = Some(vec![]);
flags.permissions.allow_write = Some(vec![]);
flags.permissions.allow_ffi = Some(vec![]);
flags.permissions.allow_hrtime = true;
}
flags.subcommand = DenoSubcommand::Repl(repl_flags);
}
@ -3098,8 +3080,6 @@ Docs: <c>https://docs.deno.com/go/permissions</>
<p(245)>--allow-run | --allow-run="whoami,ps"</>
<g>--allow-ffi[=<<PATH>...]</> (Unstable) Allow loading dynamic libraries. Optionally specify allowed directories or files.
<p(245)>--allow-ffi | --allow-ffi="./libfoo.so"</>
<g>--allow-hrtime</> Allow high-resolution time measurement. Note: this can enable timing attacks and fingerprinting.
<p(245)>--allow-hrtime</>
<g> --deny-read[=<<PATH>...]</> Deny file system read access. Optionally specify denied paths.
<p(245)>--deny-read | --deny-read="/etc,/var/log.txt"</>
<g> --deny-write[=<<PATH>...]</> Deny file system write access. Optionally specify denied paths.
@ -3114,8 +3094,6 @@ Docs: <c>https://docs.deno.com/go/permissions</>
<p(245)>--deny-run | --deny-run="whoami,ps"</>
<g>--deny-ffi[=<<PATH>...]</> (Unstable) Deny loading dynamic libraries. Optionally specify denied directories or files.
<p(245)>--deny-ffi | --deny-ffi="./libfoo.so"</>
<g>--deny-hrtime</> Deny high-resolution time measurement.
<p(245)>--deny-hrtime</>
"#))
.arg(
Arg::new("allow-all")
@ -3312,14 +3290,14 @@ Docs: <c>https://docs.deno.com/go/permissions</>
Arg::new("allow-hrtime")
.long("allow-hrtime")
.action(ArgAction::SetTrue)
.help("Allow high-resolution time measurement. Note: this can enable timing attacks and fingerprinting")
.help("REMOVED in Deno 2.0")
.hide(true),
)
.arg(
Arg::new("deny-hrtime")
.long("deny-hrtime")
.action(ArgAction::SetTrue)
.help("Deny high-resolution time measurement. Note: this can prevent timing attacks and fingerprinting")
.help("REMOVED in Deno 2.0")
.hide(true),
)
.arg(
@ -4802,12 +4780,8 @@ fn permission_args_parse(flags: &mut Flags, matches: &mut ArgMatches) {
debug!("ffi denylist: {:#?}", &flags.permissions.deny_ffi);
}
if matches.get_flag("allow-hrtime") {
flags.permissions.allow_hrtime = true;
}
if matches.get_flag("deny-hrtime") {
flags.permissions.deny_hrtime = true;
if matches.get_flag("allow-hrtime") || matches.get_flag("deny-hrtime") {
log::warn!("⚠️ Warning: `allow-hrtime` and `deny-hrtime` have been removed in Deno 2, as high resolution time is now always allowed.");
}
if matches.get_flag("allow-all") {
@ -5784,7 +5758,6 @@ mod tests {
allow_sys: Some(vec![]),
allow_write: Some(vec![]),
allow_ffi: Some(vec![]),
allow_hrtime: true,
..Default::default()
},
code_cache_enabled: true,
@ -5856,44 +5829,6 @@ mod tests {
);
}
#[test]
fn allow_hrtime() {
let r = flags_from_vec(svec!["deno", "run", "--allow-hrtime", "gist.ts"]);
assert_eq!(
r.unwrap(),
Flags {
subcommand: DenoSubcommand::Run(RunFlags::new_default(
"gist.ts".to_string(),
)),
permissions: PermissionFlags {
allow_hrtime: true,
..Default::default()
},
code_cache_enabled: true,
..Flags::default()
}
);
}
#[test]
fn deny_hrtime() {
let r = flags_from_vec(svec!["deno", "run", "--deny-hrtime", "gist.ts"]);
assert_eq!(
r.unwrap(),
Flags {
subcommand: DenoSubcommand::Run(RunFlags::new_default(
"gist.ts".to_string(),
)),
permissions: PermissionFlags {
deny_hrtime: true,
..Default::default()
},
code_cache_enabled: true,
..Flags::default()
}
);
}
#[test]
fn double_hyphen() {
// notice that flags passed after double dash will not
@ -6717,7 +6652,6 @@ mod tests {
allow_sys: Some(vec![]),
allow_write: Some(vec![]),
allow_ffi: Some(vec![]),
allow_hrtime: true,
..Default::default()
},
..Flags::default()
@ -6744,7 +6678,6 @@ mod tests {
allow_sys: Some(vec![]),
allow_write: Some(vec![]),
allow_ffi: Some(vec![]),
allow_hrtime: true,
..Default::default()
},
..Flags::default()
@ -6776,7 +6709,6 @@ mod tests {
allow_sys: Some(vec![]),
allow_write: Some(vec![]),
allow_ffi: Some(vec![]),
allow_hrtime: true,
..Default::default()
},
ext: Some("ts".to_string()),
@ -6817,7 +6749,6 @@ mod tests {
allow_sys: Some(vec![]),
allow_write: Some(vec![]),
allow_ffi: Some(vec![]),
allow_hrtime: true,
..Default::default()
},
env_file: Some(".example.env".to_owned()),
@ -6852,7 +6783,6 @@ mod tests {
allow_sys: Some(vec![]),
allow_write: Some(vec![]),
allow_ffi: Some(vec![]),
allow_hrtime: true,
..Default::default()
},
..Flags::default()
@ -6886,7 +6816,6 @@ mod tests {
deny_write: None,
allow_ffi: Some(vec![]),
deny_ffi: None,
allow_hrtime: true,
..Default::default()
},
..Flags::default()
@ -6940,7 +6869,6 @@ mod tests {
allow_sys: Some(vec![]),
allow_write: Some(vec![]),
allow_ffi: Some(vec![]),
allow_hrtime: true,
..Default::default()
},
env_file: Some(".example.env".to_owned()),
@ -10312,7 +10240,6 @@ mod tests {
allow_sys: Some(vec![]),
allow_write: Some(vec![]),
allow_ffi: Some(vec![]),
allow_hrtime: true,
..Default::default()
},
..Flags::default()

26
cli/tsc/dts/lib.deno.ns.d.ts vendored
View file

@ -553,15 +553,6 @@ declare namespace Deno {
*/
sys?: "inherit" | boolean | string[];
/** Specifies if the `hrtime` permission should be requested or revoked.
* If set to `"inherit"`, the current `hrtime` permission will be inherited.
* If set to `true`, the global `hrtime` permission will be requested.
* If set to `false`, the global `hrtime` permission will be revoked.
*
* @default {false}
*/
hrtime?: "inherit" | boolean;
/** Specifies if the `net` permission should be requested or revoked.
* if set to `"inherit"`, the current `net` permission will be inherited.
* if set to `true`, the global `net` permission will be requested.
@ -4741,8 +4732,7 @@ declare namespace Deno {
| "net"
| "env"
| "sys"
| "ffi"
| "hrtime";
| "ffi";
/** The current status of the permission:
*
@ -4873,17 +4863,6 @@ declare namespace Deno {
path?: string | URL;
}
/** The permission descriptor for the `allow-hrtime` and `deny-hrtime` permissions, which
* controls if the runtime code has access to high resolution time. High
* resolution time is considered sensitive information, because it can be used
* by malicious code to gain information about the host that it might not
* otherwise have access to.
*
* @category Permissions */
export interface HrtimePermissionDescriptor {
name: "hrtime";
}
/** Permission descriptors which define a permission and can be queried,
* requested, or revoked.
*
@ -4899,8 +4878,7 @@ declare namespace Deno {
| NetPermissionDescriptor
| EnvPermissionDescriptor
| SysPermissionDescriptor
| FfiPermissionDescriptor
| HrtimePermissionDescriptor;
| FfiPermissionDescriptor;
/** The interface which defines what event types are supported by
* {@linkcode PermissionStatus} instances.

6
cli/tsc/dts/lib.deno.shared_globals.d.ts vendored
View file

@ -593,16 +593,12 @@ declare interface Performance extends EventTarget {
endMark?: string,
): PerformanceMeasure;
/** Returns a current time from Deno's start in milliseconds.
*
* Use the permission flag `--allow-hrtime` to return a precise value.
/** Returns a current time from Deno's start in fractional milliseconds.
*
* ```ts
* const t = performance.now();
* console.log(`${t} ms since start!`);
* ```
*
* @tags allow-hrtime
*/
now(): number;

2
ext/web/timers.rs
View file

@ -13,7 +13,7 @@ pub trait TimersPermission {
impl TimersPermission for deno_permissions::PermissionsContainer {
#[inline(always)]
fn allow_hrtime(&mut self) -> bool {
deno_permissions::PermissionsContainer::allow_hrtime(self)
true
}
}

5
runtime/js/10_permissions.js
View file

@ -37,7 +37,7 @@ const illegalConstructorKey = Symbol("illegalConstructorKey");
* @property {boolean} partial
*/
/** @type {ReadonlyArray<"read" | "write" | "net" | "env" | "sys" | "run" | "ffi" | "hrtime">} */
/** @type {ReadonlyArray<"read" | "write" | "net" | "env" | "sys" | "run" | "ffi">} */
const permissionNames = [
"read",
"write",
@ -46,7 +46,6 @@ const permissionNames = [
"sys",
"run",
"ffi",
"hrtime",
];
/**
@ -282,7 +281,7 @@ function serializePermissions(permissions) {
}
}
for (
const key of new SafeArrayIterator(["env", "hrtime", "net", "sys"])
const key of new SafeArrayIterator(["env", "net", "sys"])
) {
if (ArrayIsArray(permissions[key])) {
serializedPermissions[key] = ArrayPrototypeSlice(permissions[key]);

3
runtime/ops/permissions.rs
View file

@ -73,7 +73,6 @@ pub fn op_query_permission(
.query(args.kind.as_deref().map(parse_sys_kind).transpose()?),
"run" => permissions.run.query(args.command.as_deref()),
"ffi" => permissions.ffi.query(args.path.as_deref().map(Path::new)),
"hrtime" => permissions.hrtime.query(),
n => {
return Err(custom_error(
"ReferenceError",
@ -108,7 +107,6 @@ pub fn op_revoke_permission(
.revoke(args.kind.as_deref().map(parse_sys_kind).transpose()?),
"run" => permissions.run.revoke(args.command.as_deref()),
"ffi" => permissions.ffi.revoke(args.path.as_deref().map(Path::new)),
"hrtime" => permissions.hrtime.revoke(),
n => {
return Err(custom_error(
"ReferenceError",
@ -143,7 +141,6 @@ pub fn op_request_permission(
.request(args.kind.as_deref().map(parse_sys_kind).transpose()?),
"run" => permissions.run.request(args.command.as_deref()),
"ffi" => permissions.ffi.request(args.path.as_deref().map(Path::new)),
"hrtime" => permissions.hrtime.request(),
n => {
return Err(custom_error(
"ReferenceError",

93
runtime/permissions/lib.rs
View file

@ -1416,7 +1416,6 @@ pub struct Permissions {
pub run: UnaryPermission<RunDescriptor>,
pub ffi: UnaryPermission<FfiDescriptor>,
pub all: UnitPermission,
pub hrtime: UnitPermission,
}
#[derive(Clone, Debug, Eq, PartialEq, Default, Serialize, Deserialize)]
@ -1424,8 +1423,6 @@ pub struct PermissionsOptions {
pub allow_all: bool,
pub allow_env: Option<Vec<String>>,
pub deny_env: Option<Vec<String>>,
pub allow_hrtime: bool,
pub deny_hrtime: bool,
pub allow_net: Option<Vec<String>>,
pub deny_net: Option<Vec<String>>,
pub allow_ffi: Option<Vec<PathBuf>>,
@ -1460,19 +1457,6 @@ impl Permissions {
})
}
pub const fn new_hrtime(
allow_state: bool,
deny_state: bool,
) -> UnitPermission {
unit_permission_from_flag_bools(
allow_state,
deny_state,
"hrtime",
"high precision time",
false, // never prompt for hrtime
)
}
pub const fn new_all(allow_state: bool) -> UnitPermission {
unit_permission_from_flag_bools(
allow_state,
@ -1521,7 +1505,6 @@ impl Permissions {
opts.prompt,
)?,
all: Permissions::new_all(opts.allow_all),
hrtime: Permissions::new_hrtime(opts.allow_hrtime, opts.deny_hrtime),
})
}
@ -1536,7 +1519,6 @@ impl Permissions {
run: UnaryPermission::allow_all(),
ffi: UnaryPermission::allow_all(),
all: Permissions::new_all(true),
hrtime: Permissions::new_hrtime(true, false),
}
}
@ -1560,7 +1542,6 @@ impl Permissions {
run: Permissions::new_unary(&None, &None, prompt).unwrap(),
ffi: Permissions::new_unary(&None, &None, prompt).unwrap(),
all: Permissions::new_all(false),
hrtime: Permissions::new_hrtime(false, false),
}
}
@ -1598,11 +1579,6 @@ impl PermissionsContainer {
Self(Arc::new(Mutex::new(perms)))
}
#[inline(always)]
pub fn allow_hrtime(&mut self) -> bool {
self.0.lock().hrtime.check().is_ok()
}
pub fn allow_all() -> Self {
Self::new(Permissions::allow_all())
}
@ -2115,7 +2091,6 @@ impl<'de> Deserialize<'de> for ChildUnaryPermissionArg {
#[derive(Debug, Eq, PartialEq)]
pub struct ChildPermissionsArg {
env: ChildUnaryPermissionArg,
hrtime: ChildUnitPermissionArg,
net: ChildUnaryPermissionArg,
ffi: ChildUnaryPermissionArg,
read: ChildUnaryPermissionArg,
@ -2128,7 +2103,6 @@ impl ChildPermissionsArg {
pub fn inherit() -> Self {
ChildPermissionsArg {
env: ChildUnaryPermissionArg::Inherit,
hrtime: ChildUnitPermissionArg::Inherit,
net: ChildUnaryPermissionArg::Inherit,
ffi: ChildUnaryPermissionArg::Inherit,
read: ChildUnaryPermissionArg::Inherit,
@ -2141,7 +2115,6 @@ impl ChildPermissionsArg {
pub fn none() -> Self {
ChildPermissionsArg {
env: ChildUnaryPermissionArg::NotGranted,
hrtime: ChildUnitPermissionArg::NotGranted,
net: ChildUnaryPermissionArg::NotGranted,
ffi: ChildUnaryPermissionArg::NotGranted,
read: ChildUnaryPermissionArg::NotGranted,
@ -2198,11 +2171,6 @@ impl<'de> Deserialize<'de> for ChildPermissionsArg {
child_permissions_arg.env = arg.map_err(|e| {
de::Error::custom(format!("(deno.permissions.env) {e}"))
})?;
} else if key == "hrtime" {
let arg = serde_json::from_value::<ChildUnitPermissionArg>(value);
child_permissions_arg.hrtime = arg.map_err(|e| {
de::Error::custom(format!("(deno.permissions.hrtime) {e}"))
})?;
} else if key == "net" {
let arg = serde_json::from_value::<ChildUnaryPermissionArg>(value);
child_permissions_arg.net = arg.map_err(|e| {
@ -2258,13 +2226,6 @@ pub fn create_child_permissions(
}
}
fn is_granted_unit(arg: &ChildUnitPermissionArg) -> bool {
match arg {
ChildUnitPermissionArg::Inherit | ChildUnitPermissionArg::Granted => true,
ChildUnitPermissionArg::NotGranted => false,
}
}
let mut worker_perms = Permissions::none_without_prompt();
worker_perms.all = main_perms
@ -2282,9 +2243,7 @@ pub fn create_child_permissions(
&child_permissions_arg.run,
&child_permissions_arg.ffi,
];
let unit_perms = [&child_permissions_arg.hrtime];
let allow_all = unary_perms.into_iter().all(is_granted_unary)
&& unit_perms.into_iter().all(is_granted_unit);
let allow_all = unary_perms.into_iter().all(is_granted_unary);
if !allow_all {
worker_perms.all.revoke();
}
@ -2313,9 +2272,6 @@ pub fn create_child_permissions(
worker_perms.ffi = main_perms
.ffi
.create_child_permissions(child_permissions_arg.ffi)?;
worker_perms.hrtime = main_perms
.hrtime
.create_child_permissions(child_permissions_arg.hrtime)?;
Ok(worker_perms)
}
@ -2747,7 +2703,6 @@ mod tests {
.unwrap(),
run: Permissions::new_unary(&Some(svec!["deno"]), &None, false).unwrap(),
all: Permissions::new_all(false),
hrtime: Permissions::new_hrtime(false, false),
};
let perms3 = Permissions {
read: Permissions::new_unary(
@ -2775,7 +2730,6 @@ mod tests {
.unwrap(),
run: Permissions::new_unary(&None, &Some(svec!["deno"]), false).unwrap(),
all: Permissions::new_all(false),
hrtime: Permissions::new_hrtime(false, true),
};
let perms4 = Permissions {
read: Permissions::new_unary(
@ -2813,7 +2767,6 @@ mod tests {
run: Permissions::new_unary(&Some(vec![]), &Some(svec!["deno"]), false)
.unwrap(),
all: Permissions::new_all(false),
hrtime: Permissions::new_hrtime(true, true),
};
#[rustfmt::skip]
{
@ -2889,10 +2842,6 @@ mod tests {
assert_eq!(perms4.run.query(None), PermissionState::GrantedPartial);
assert_eq!(perms4.run.query(Some("deno")), PermissionState::Denied);
assert_eq!(perms4.run.query(Some("node")), PermissionState::Granted);
assert_eq!(perms1.hrtime.query(), PermissionState::Granted);
assert_eq!(perms2.hrtime.query(), PermissionState::Prompt);
assert_eq!(perms3.hrtime.query(), PermissionState::Denied);
assert_eq!(perms4.hrtime.query(), PermissionState::Denied);
};
}
@ -2937,10 +2886,6 @@ mod tests {
assert_eq!(perms.run.query(None), PermissionState::Prompt);
prompt_value.set(false);
assert_eq!(perms.run.request(Some("deno")), PermissionState::Granted);
prompt_value.set(false);
assert_eq!(perms.hrtime.request(), PermissionState::Denied);
prompt_value.set(true);
assert_eq!(perms.hrtime.request(), PermissionState::Denied);
};
}
@ -2977,7 +2922,6 @@ mod tests {
.unwrap(),
run: Permissions::new_unary(&Some(svec!["deno"]), &None, false).unwrap(),
all: Permissions::new_all(false),
hrtime: Permissions::new_hrtime(false, true),
};
#[rustfmt::skip]
{
@ -2996,7 +2940,6 @@ mod tests {
assert_eq!(perms.env.revoke(Some("HOME")), PermissionState::Prompt);
assert_eq!(perms.env.revoke(Some("hostname")), PermissionState::Prompt);
assert_eq!(perms.run.revoke(Some("deno")), PermissionState::Prompt);
assert_eq!(perms.hrtime.revoke(), PermissionState::Denied);
};
}
@ -3080,8 +3023,6 @@ mod tests {
prompt_value.set(false);
assert!(perms.env.check("hostname", None).is_ok());
assert!(perms.env.check("osRelease", None).is_err());
assert!(perms.hrtime.check().is_err());
}
#[test]
@ -3183,11 +3124,6 @@ mod tests {
assert!(perms.sys.check("osRelease", None).is_ok());
prompt_value.set(false);
assert!(perms.sys.check("osRelease", None).is_ok());
prompt_value.set(false);
assert!(perms.hrtime.check().is_err());
prompt_value.set(true);
assert!(perms.hrtime.check().is_err());
}
#[test]
@ -3278,7 +3214,6 @@ mod tests {
ChildPermissionsArg::inherit(),
ChildPermissionsArg {
env: ChildUnaryPermissionArg::Inherit,
hrtime: ChildUnitPermissionArg::Inherit,
net: ChildUnaryPermissionArg::Inherit,
ffi: ChildUnaryPermissionArg::Inherit,
read: ChildUnaryPermissionArg::Inherit,
@ -3291,7 +3226,6 @@ mod tests {
ChildPermissionsArg::none(),
ChildPermissionsArg {
env: ChildUnaryPermissionArg::NotGranted,
hrtime: ChildUnitPermissionArg::NotGranted,
net: ChildUnaryPermissionArg::NotGranted,
ffi: ChildUnaryPermissionArg::NotGranted,
read: ChildUnaryPermissionArg::NotGranted,
@ -3322,26 +3256,6 @@ mod tests {
..ChildPermissionsArg::none()
}
);
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!({
"hrtime": true,
}))
.unwrap(),
ChildPermissionsArg {
hrtime: ChildUnitPermissionArg::Granted,
..ChildPermissionsArg::none()
}
);
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!({
"hrtime": false,
}))
.unwrap(),
ChildPermissionsArg {
hrtime: ChildUnitPermissionArg::NotGranted,
..ChildPermissionsArg::none()
}
);
assert_eq!(
serde_json::from_value::<ChildPermissionsArg>(json!({
"env": true,
@ -3361,7 +3275,6 @@ mod tests {
run: ChildUnaryPermissionArg::Granted,
sys: ChildUnaryPermissionArg::Granted,
write: ChildUnaryPermissionArg::Granted,
..ChildPermissionsArg::none()
}
);
assert_eq!(
@ -3383,7 +3296,6 @@ mod tests {
run: ChildUnaryPermissionArg::NotGranted,
sys: ChildUnaryPermissionArg::NotGranted,
write: ChildUnaryPermissionArg::NotGranted,
..ChildPermissionsArg::none()
}
);
assert_eq!(
@ -3421,7 +3333,6 @@ mod tests {
"foo",
"file:///bar/baz"
]),
..ChildPermissionsArg::none()
}
);
}
@ -3431,7 +3342,6 @@ mod tests {
set_prompter(Box::new(TestPrompter));
let mut main_perms = Permissions {
env: Permissions::new_unary(&Some(vec![]), &None, false).unwrap(),
hrtime: Permissions::new_hrtime(true, false),
net: Permissions::new_unary(&Some(svec!["foo", "bar"]), &None, false)
.unwrap(),
..Permissions::none_without_prompt()
@ -3441,7 +3351,6 @@ mod tests {
&mut main_perms.clone(),
ChildPermissionsArg {
env: ChildUnaryPermissionArg::Inherit,
hrtime: ChildUnitPermissionArg::NotGranted,
net: ChildUnaryPermissionArg::GrantedList(svec!["foo"]),
ffi: ChildUnaryPermissionArg::NotGranted,
..ChildPermissionsArg::none()

9
tests/integration/run_tests.rs
View file

@ -153,11 +153,6 @@ itest!(_023_no_ext {
output: "run/023_no_ext.out",
});
itest!(_025_hrtime {
args: "run --quiet --allow-hrtime --reload run/025_hrtime.ts",
output: "run/025_hrtime.ts.out",
});
itest!(_025_reload_js_type_error {
args: "run --quiet --reload run/025_reload_js_type_error.js",
output: "run/025_reload_js_type_error.js.out",
@ -735,12 +730,12 @@ fn permission_request_long() {
}
itest!(deny_all_permission_args {
args: "run --deny-env --deny-read --deny-write --deny-ffi --deny-run --deny-sys --deny-net --deny-hrtime run/deny_all_permission_args.js",
args: "run --deny-env --deny-read --deny-write --deny-ffi --deny-run --deny-sys --deny-net run/deny_all_permission_args.js",
output: "run/deny_all_permission_args.out",
});
itest!(deny_some_permission_args {
args: "run --allow-env --deny-env=FOO --allow-read --deny-read=/foo --allow-write --deny-write=/foo --allow-ffi --deny-ffi=/foo --allow-run --deny-run=foo --allow-sys --deny-sys=hostname --allow-net --deny-net=127.0.0.1 --allow-hrtime --deny-hrtime run/deny_some_permission_args.js",
args: "run --allow-env --deny-env=FOO --allow-read --deny-read=/foo --allow-write --deny-write=/foo --allow-ffi --deny-ffi=/foo --allow-run --deny-run=foo --allow-sys --deny-sys=hostname --allow-net --deny-net=127.0.0.1 run/deny_some_permission_args.js",
output: "run/deny_some_permission_args.out",
});

6
tests/specs/bench/allow_all/allow_all.out
View file

@ -5,8 +5,8 @@ Runtime | Deno [WILDLINE] ([WILDLINE])
[WILDLINE]/allow_all.ts
benchmark time/iter (avg) iter/s (min … max) p75 p99 p995
-------------- ----------------------------- --------------------- --------------------------
benchmark time/iter (avg) iter/s (min … max) p75 p99 p995
------------- ----------------------------- --------------------- --------------------------
read false [WILDLINE] [WILDLINE] [WILDLINE] ([WILDLINE] … [WILDLINE]) [WILDLINE]
read true [WILDLINE] [WILDLINE] [WILDLINE] ([WILDLINE] … [WILDLINE]) [WILDLINE]
write false [WILDLINE] [WILDLINE] [WILDLINE] ([WILDLINE] … [WILDLINE]) [WILDLINE]
@ -19,6 +19,4 @@ run false [WILDLINE] [WILDLINE] [WILDLINE] ([WILDLINE] … [WILDLINE]) [WILDLINE
run true [WILDLINE] [WILDLINE] [WILDLINE] ([WILDLINE] … [WILDLINE]) [WILDLINE]
ffi false [WILDLINE] [WILDLINE] [WILDLINE] ([WILDLINE] … [WILDLINE]) [WILDLINE]
ffi true [WILDLINE] [WILDLINE] [WILDLINE] ([WILDLINE] … [WILDLINE]) [WILDLINE]
hrtime false [WILDLINE] [WILDLINE] [WILDLINE] ([WILDLINE] … [WILDLINE]) [WILDLINE]
hrtime true [WILDLINE] [WILDLINE] [WILDLINE] ([WILDLINE] … [WILDLINE]) [WILDLINE]

1
tests/specs/bench/allow_all/allow_all.ts
View file

@ -7,7 +7,6 @@ const permissions: Deno.PermissionName[] = [
"env",
"run",
"ffi",
"hrtime",
];
for (const name of permissions) {

2
tests/specs/bench/allow_none/allow_none.out
View file

@ -18,6 +18,4 @@ run error: PermissionDenied: Can't escalate parent thread permissions
[WILDCARD]
ffi error: PermissionDenied: Can't escalate parent thread permissions
[WILDCARD]
hrtime error: PermissionDenied: Can't escalate parent thread permissions
[WILDCARD]
error: Bench failed

1
tests/specs/bench/allow_none/allow_none.ts
View file

@ -5,7 +5,6 @@ const permissions: Deno.PermissionName[] = [
"env",
"run",
"ffi",
"hrtime",
];
for (const name of permissions) {

1
tests/specs/bench/ignore_permissions/ignore_permissions.ts
View file

@ -7,7 +7,6 @@ Deno.bench({
env: true,
run: true,
ffi: true,
hrtime: true,
},
ignore: true,
fn() {

2
tests/testdata/bench/allow_all.out vendored
View file

@ -18,5 +18,3 @@ run false [WILDCARD] [WILDCARD] [WILDCARD] ([WILDCARD] … [WILDCARD]) [WILDCARD
run true [WILDCARD] [WILDCARD] [WILDCARD] ([WILDCARD] … [WILDCARD]) [WILDCARD]
ffi false [WILDCARD] [WILDCARD] [WILDCARD] ([WILDCARD] … [WILDCARD]) [WILDCARD]
ffi true [WILDCARD] [WILDCARD] [WILDCARD] ([WILDCARD] … [WILDCARD]) [WILDCARD]
hrtime false [WILDCARD] [WILDCARD] [WILDCARD] ([WILDCARD] … [WILDCARD]) [WILDCARD]
hrtime true [WILDCARD] [WILDCARD] [WILDCARD] ([WILDCARD] … [WILDCARD]) [WILDCARD]

2
tests/testdata/bench/allow_none.out vendored
View file

@ -18,6 +18,4 @@ run error: PermissionDenied: Can't escalate parent thread permissions
[WILDCARD]
ffi error: PermissionDenied: Can't escalate parent thread permissions
[WILDCARD]
hrtime error: PermissionDenied: Can't escalate parent thread permissions
[WILDCARD]
error: Bench failed

5
tests/testdata/run/025_hrtime.ts vendored
View file

@ -1,5 +0,0 @@
globalThis.onload = async () => {
console.log(performance.now() % 2 !== 0);
await Deno.permissions.revoke({ name: "hrtime" });
console.log(performance.now() % 2 === 0);
};

2
tests/testdata/run/025_hrtime.ts.out vendored
View file

@ -1,2 +0,0 @@
true
true

1
tests/testdata/run/deny_all_permission_args.js vendored
View file

@ -5,4 +5,3 @@ console.log(Deno.permissions.querySync({ name: "ffi" }));
console.log(Deno.permissions.querySync({ name: "run" }));
console.log(Deno.permissions.querySync({ name: "sys" }));
console.log(Deno.permissions.querySync({ name: "net" }));
console.log(Deno.permissions.querySync({ name: "hrtime" }));

1
tests/testdata/run/deny_all_permission_args.out vendored
View file

@ -5,4 +5,3 @@ PermissionStatus { state: "denied", onchange: null }
PermissionStatus { state: "denied", onchange: null }
PermissionStatus { state: "denied", onchange: null }
PermissionStatus { state: "denied", onchange: null }
PermissionStatus { state: "denied", onchange: null }

1
tests/testdata/run/deny_some_permission_args.js vendored
View file

@ -19,4 +19,3 @@ console.log(Deno.permissions.querySync({ name: "sys", kind: "loadavg" }));
console.log(Deno.permissions.querySync({ name: "net" }));
console.log(Deno.permissions.querySync({ name: "net", host: "127.0.0.1" }));
console.log(Deno.permissions.querySync({ name: "net", host: "192.168.0.1" }));
console.log(Deno.permissions.querySync({ name: "hrtime" }));

1
tests/testdata/run/deny_some_permission_args.out vendored
View file

@ -19,4 +19,3 @@ PermissionStatus { state: "granted", onchange: null }
PermissionStatus { state: "granted", onchange: null, partial: true }
PermissionStatus { state: "denied", onchange: null }
PermissionStatus { state: "granted", onchange: null }
PermissionStatus { state: "denied", onchange: null }

6
tests/testdata/test/allow_all.out vendored
View file

@ -1,5 +1,5 @@
[WILDCARD]
running 14 tests from [WILDCARD]
running 12 tests from [WILDCARD]
read false ... ok [WILDCARD]
read true ... ok [WILDCARD]
write false ... ok [WILDCARD]
@ -12,7 +12,5 @@ run false ... ok [WILDCARD]
run true ... ok [WILDCARD]
ffi false ... ok [WILDCARD]
ffi true ... ok [WILDCARD]
hrtime false ... ok [WILDCARD]
hrtime true ... ok [WILDCARD]
ok | 14 passed | 0 failed [WILDCARD]
ok | 12 passed | 0 failed [WILDCARD]

1
tests/testdata/test/allow_all.ts vendored
View file

@ -7,7 +7,6 @@ const permissions: Deno.PermissionName[] = [
"env",
"run",
"ffi",
"hrtime",
];
for (const name of permissions) {

10
tests/testdata/test/allow_none.out vendored
View file

@ -1,12 +1,11 @@
[WILDCARD]
running 7 tests from [WILDCARD]
running 6 tests from [WILDCARD]
read ... FAILED [WILDCARD]
write ... FAILED [WILDCARD]
net ... FAILED [WILDCARD]
env ... FAILED [WILDCARD]
run ... FAILED [WILDCARD]
ffi ... FAILED [WILDCARD]
hrtime ... FAILED [WILDCARD]
ERRORS
@ -32,10 +31,6 @@ error: PermissionDenied: Can't escalate parent thread permissions
ffi => ./test/allow_none.ts:[WILDCARD]
error: PermissionDenied: Can't escalate parent thread permissions
[WILDCARD]
hrtime => ./test/allow_none.ts:[WILDCARD]
error: PermissionDenied: Can't escalate parent thread permissions
[WILDCARD]
FAILURES
@ -46,6 +41,5 @@ net => ./test/allow_none.ts:[WILDCARD]
env => ./test/allow_none.ts:[WILDCARD]
run => ./test/allow_none.ts:[WILDCARD]
ffi => ./test/allow_none.ts:[WILDCARD]
hrtime => ./test/allow_none.ts:[WILDCARD]
FAILED | 0 passed | 7 failed [WILDCARD]
FAILED | 0 passed | 6 failed [WILDCARD]

1
tests/testdata/test/allow_none.ts vendored
View file

@ -7,7 +7,6 @@ const permissions: Deno.PermissionName[] = [
"env",
"run",
"ffi",
"hrtime",
];
for (const name of permissions) {

1
tests/testdata/test/ignore_permissions.ts vendored
View file

@ -7,7 +7,6 @@ Deno.test({
env: true,
run: true,
ffi: true,
hrtime: true,
},
ignore: true,
fn() {

4
tests/testdata/workers/no_permissions_worker.js vendored
View file

@ -1,13 +1,11 @@
self.onmessage = async () => {
const hrtime = await Deno.permissions.query({ name: "hrtime" });
const net = await Deno.permissions.query({ name: "net" });
const ffi = await Deno.permissions.query({ name: "ffi" });
const read = await Deno.permissions.query({ name: "read" });
const run = await Deno.permissions.query({ name: "run" });
const write = await Deno.permissions.query({ name: "write" });
self.postMessage(
hrtime.state === "prompt" &&
net.state === "prompt" &&
net.state === "prompt" &&
ffi.state === "prompt" &&
read.state === "prompt" &&
run.state === "prompt" &&

2
tests/testdata/workers/permission_echo.js vendored
View file

@ -1,7 +1,6 @@
self.onmessage = async () => {
const env = await Deno.permissions.query({ name: "env" });
const ffi = await Deno.permissions.query({ name: "ffi" });
const hrtime = await Deno.permissions.query({ name: "hrtime" });
const net = await Deno.permissions.query({ name: "net" });
const read = await Deno.permissions.query({ name: "read" });
const run = await Deno.permissions.query({ name: "run" });
@ -9,7 +8,6 @@ self.onmessage = async () => {
self.postMessage({
env: env.state,
ffi: ffi.state,
hrtime: hrtime.state,
net: net.state,
read: read.state,
run: run.state,

1
tests/testdata/workers/read_check_granular_worker.js vendored
View file

@ -3,7 +3,6 @@ postMessage({
envGlobal: (await Deno.permissions.query({ name: "env" })).state,
envFoo: (await Deno.permissions.query({ name: "env", variable: "foo" })).state,
envAbsent: (await Deno.permissions.query({ name: "env", variable: "absent" })).state,
hrtime: (await Deno.permissions.query({ name: "hrtime" })).state,
netGlobal: (await Deno.permissions.query({ name: "net" })).state,
netFoo: (await Deno.permissions.query({ name: "net", host: "foo" })).state,
netFoo8000: (await Deno.permissions.query({ name: "net", host: "foo:8000" })).state,

4
tests/unit/files_test.ts
View file

@ -782,14 +782,14 @@ Deno.test({ permissions: { read: true } }, function fsFileIsTerminal() {
});
Deno.test(
{ permissions: { read: true, run: true, hrtime: true } },
{ permissions: { read: true, run: true } },
async function fsFileLockFileSync() {
await runFlockTests({ sync: true });
},
);
Deno.test(
{ permissions: { read: true, run: true, hrtime: true } },
{ permissions: { read: true, run: true } },
async function fsFileLockFileAsync() {
await runFlockTests({ sync: false });
},

2
tests/unit/performance_test.ts
View file

@ -7,7 +7,7 @@ import {
assertThrows,
} from "./test_util.ts";
Deno.test({ permissions: { hrtime: false } }, async function performanceNow() {
Deno.test({ permissions: {} }, async function performanceNow() {
const { promise, resolve } = Promise.withResolvers<void>();
const start = performance.now();
let totalTime = 0;

10
tests/unit/permissions_test.ts
View file

@ -70,7 +70,7 @@ Deno.test(function permissionSysInvalidKindSync() {
});
Deno.test(async function permissionQueryReturnsEventTarget() {
const status = await Deno.permissions.query({ name: "hrtime" });
const status = await Deno.permissions.query({ name: "read", path: "." });
assert(["granted", "denied", "prompt"].includes(status.state));
let called = false;
status.addEventListener("change", () => {
@ -78,11 +78,13 @@ Deno.test(async function permissionQueryReturnsEventTarget() {
});
status.dispatchEvent(new Event("change"));
assert(called);
assert(status === (await Deno.permissions.query({ name: "hrtime" })));
assert(
status === (await Deno.permissions.query({ name: "read", path: "." })),
);
});
Deno.test(function permissionQueryReturnsEventTargetSync() {
const status = Deno.permissions.querySync({ name: "hrtime" });
const status = Deno.permissions.querySync({ name: "read", path: "." });
assert(["granted", "denied", "prompt"].includes(status.state));
let called = false;
status.addEventListener("change", () => {
@ -90,7 +92,7 @@ Deno.test(function permissionQueryReturnsEventTargetSync() {
});
status.dispatchEvent(new Event("change"));
assert(called);
assert(status === Deno.permissions.querySync({ name: "hrtime" }));
assert(status === Deno.permissions.querySync({ name: "read", path: "." }));
});
Deno.test(async function permissionQueryForReadReturnsSameStatus() {

5
tests/unit/worker_test.ts
View file

@ -451,7 +451,6 @@ Deno.test("Worker limit children permissions granularly", async function () {
deno: {
permissions: {
env: ["foo"],
hrtime: true,
net: ["foo", "bar:8000"],
ffi: [new URL("foo", workerUrl), "bar"],
read: [new URL("foo", workerUrl), "bar"],
@ -468,7 +467,6 @@ Deno.test("Worker limit children permissions granularly", async function () {
envGlobal: "prompt",
envFoo: "granted",
envAbsent: "prompt",
hrtime: "granted",
netGlobal: "prompt",
netFoo: "granted",
netFoo8000: "granted",
@ -508,7 +506,6 @@ Deno.test("Nested worker limit children permissions", async function () {
envGlobal: "prompt",
envFoo: "prompt",
envAbsent: "prompt",
hrtime: "prompt",
netGlobal: "prompt",
netFoo: "prompt",
netFoo8000: "prompt",
@ -586,7 +583,6 @@ Deno.test("Worker permissions are not inherited with empty permission object", a
worker.postMessage(null);
assertEquals(await promise, {
env: "prompt",
hrtime: "prompt",
net: "prompt",
ffi: "prompt",
read: "prompt",
@ -611,7 +607,6 @@ Deno.test("Worker permissions are not inherited with single specified permission
worker.postMessage(null);
assertEquals(await promise, {
env: "prompt",
hrtime: "prompt",
net: "granted",
ffi: "prompt",
read: "prompt",

2
tools/lint.js
View file

@ -221,7 +221,7 @@ async function ensureNoNewITests() {
"pm_tests.rs": 0,
"publish_tests.rs": 0,
"repl_tests.rs": 0,
"run_tests.rs": 352,
"run_tests.rs": 351,
"shared_library_tests.rs": 0,
"task_tests.rs": 30,
"test_tests.rs": 75,