From 9c9c58c84d1b4eb75003533d5879cf4d79694969 Mon Sep 17 00:00:00 2001 From: Daiki Ihara Date: Thu, 16 May 2019 23:39:19 +0900 Subject: [PATCH] Add permission whitelist docs (#2365) --- cli/flags.rs | 3 +++ website/manual.md | 31 +++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/cli/flags.rs b/cli/flags.rs index 171c05ad0d..288e20b243 100644 --- a/cli/flags.rs +++ b/cli/flags.rs @@ -191,6 +191,9 @@ ability to spawn subprocesses. # run program with permission to read from disk and listen to network deno run --allow-net --allow-read https://deno.land/std/http/file_server.ts + # run program with permission to read whitelist files from disk and listen to nework + deno run --allow-net --allow-read=$(pwd) https://deno.land/std/http/file_server.ts + # run program with all permissions deno run -A https://deno.land/std/http/file_server.ts ", diff --git a/website/manual.md b/website/manual.md index 26c9072013..9ef767a749 100644 --- a/website/manual.md +++ b/website/manual.md 
@@ -357,6 +357,37 @@ And if you ever want to upgrade to the latest published version: $ file_server --reload ``` +### Permissions whitelist + +deno also provides permissions whitelist. + +This is an example to restrict File system access by whitelist. + +```shellsession +$ deno run --allow-read=/usr https://deno.land/std/examples/cat.ts /etc/passwd +⚠️ Deno requests read access to "/etc/passwd". Grant? [a/y/n/d (a = allow always, y = allow once, n = deny once, d = deny always)] +``` + +You can grant read permission under `/etc` dir + +```shellsession +$ deno run --allow-read=/etc https://deno.land/std/examples/cat.ts /etc/passwd +``` + +`--allow-write` works same as `--allow-read`. + +This is an example to restrict host. + +```ts +(async () => { + const result = await fetch("https://deno.land/std/examples/echo_server.ts"); +})(); +``` + +```shellsession +$ deno run --allow-net=deno.land allow-net-whitelist-example.ts +``` + ### Run subprocess [API Reference](https://deno.land/typedoc/index.html#run)
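Review bot: In the cli/flags.rs hunk, the new help comment has a typo ("nework") and "read whitelist files from disk" reads awkwardly; something like "# run program with permission to read only whitelisted paths and listen to network" would match the neighbouring comments. The example also passes `--allow-read=$(pwd)` unquoted, so a working directory containing spaces would be split by the shell and the flag would get a truncated path. Consider `--allow-read="$(pwd)"`, escaped as needed since this text sits inside a string literal.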
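Review bot: In the website/manual.md hunk, the new "Permissions whitelist" section never states what a whitelist entry covers, and for a permission boundary that is what readers most need to know. From the two `cat.ts` examples a reader has to infer that `--allow-read=/etc` covers files under that directory, and the `--allow-net=deno.land` example shows only the allowed case, with no output and no example of a request to a host that is not listed. Please add a sentence on how paths and hosts are matched (subdirectories, subdomains, ports) and show the denied case for `--allow-net` as is done for `--allow-read=/usr`. Smaller points: the `ts` block is not labelled with the file name `allow-net-whitelist-example.ts` that the following command runs, `result` is assigned but never used, "You can grant read permission under `/etc` dir" is missing its closing punctuation, and "deno also provides permissions whitelist" needs an article ("a permissions whitelist").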