From a8d1ab52761516b7f9b6069d6e433254794ed48c Mon Sep 17 00:00:00 2001
From: David Sherret <dsherret@users.noreply.github.com>
Date: Fri, 27 Sep 2024 12:49:43 -0400
Subject: [PATCH] fix(flags): --allow-all should conflict with lower
 permissions (#25909)

Using `--allow-all` with other `--allow-x` permission flags should cause
an error since `--allow-all` is a superset of `--allow-x`.

Closes #25901
---
 cli/args/flags.rs                             | 27 +++++++++++++++++++
 .../permission/allow_import/__test__.jsonc    |  5 ++++
 .../specs/permission/allow_import/success.ts  |  3 +++
 3 files changed, 35 insertions(+)
 create mode 100644 tests/specs/permission/allow_import/success.ts

diff --git a/cli/args/flags.rs b/cli/args/flags.rs
index 4e151d7d9f..9938a09552 100644
--- a/cli/args/flags.rs
+++ b/cli/args/flags.rs
@@ -3603,6 +3603,14 @@ fn allow_all_arg() -> Arg {
   Arg::new("allow-all")
     .short('A')
     .long("allow-all")
+    .conflicts_with("allow-read")
+    .conflicts_with("allow-write")
+    .conflicts_with("allow-net")
+    .conflicts_with("allow-env")
+    .conflicts_with("allow-run")
+    .conflicts_with("allow-sys")
+    .conflicts_with("allow-ffi")
+    .conflicts_with("allow-import")
     .action(ArgAction::SetTrue)
     .help("Allow all permissions")
 }
@@ -11007,4 +11015,23 @@ Usage: deno repl [OPTIONS] [-- [ARGS]...]\n"
     );
     assert_eq!(parse("file:///example.com"), None);
   }
+
+  #[test]
+  fn allow_all_conflicts_allow_perms() {
+    let flags = [
+      "--allow-read",
+      "--allow-write",
+      "--allow-net",
+      "--allow-env",
+      "--allow-run",
+      "--allow-sys",
+      "--allow-ffi",
+      "--allow-import",
+    ];
+    for flag in flags {
+      let r =
+        flags_from_vec(svec!["deno", "run", "--allow-all", flag, "foo.ts"]);
+      assert!(r.is_err());
+    }
+  }
 }
diff --git a/tests/specs/permission/allow_import/__test__.jsonc b/tests/specs/permission/allow_import/__test__.jsonc
index 21a3cb7b59..4135a24be1 100644
--- a/tests/specs/permission/allow_import/__test__.jsonc
+++ b/tests/specs/permission/allow_import/__test__.jsonc
@@ -34,6 +34,11 @@
       "output": "run.out",
       "exitCode": 1
     },
+    "run_allow_all": {
+      "args": "run --quiet --allow-all success.ts",
+      "output": "3\n",
+      "exitCode": 0
+    },
     "serve": {
       "args": "serve main.ts",
       "output": "serve.out",
diff --git a/tests/specs/permission/allow_import/success.ts b/tests/specs/permission/allow_import/success.ts
new file mode 100644
index 0000000000..e83ab4b9b5
--- /dev/null
+++ b/tests/specs/permission/allow_import/success.ts
@@ -0,0 +1,3 @@
+import { add } from "http://localhost:4545/add.ts";
+
+console.log(add(1, 2));