1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-12-23 15:49:44 -05:00

fix(compile): implicit read permission to npm vfs (#19281)

Closes #19280
This commit is contained in:
David Sherret 2023-05-26 13:33:38 -04:00 committed by GitHub
parent a11681a9b0
commit d0c5ff42f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 87 additions and 11 deletions

View file

@ -311,7 +311,7 @@ pub async fn run(
http_client.clone(),
progress_bar.clone(),
));
let (fs, node_modules_path, snapshot) = if let Some(snapshot) =
let (fs, vfs_root, node_modules_path, snapshot) = if let Some(snapshot) =
metadata.npm_snapshot
{
let vfs_root_dir_path = if metadata.node_modules_dir {
@ -319,8 +319,8 @@ pub async fn run(
} else {
npm_cache.registry_folder(&npm_registry_url)
};
let vfs =
load_npm_vfs(vfs_root_dir_path).context("Failed to load npm vfs.")?;
let vfs = load_npm_vfs(vfs_root_dir_path.clone())
.context("Failed to load npm vfs.")?;
let node_modules_path = if metadata.node_modules_dir {
Some(vfs.root().to_path_buf())
} else {
@ -328,6 +328,7 @@ pub async fn run(
};
(
Arc::new(DenoCompileFileSystem::new(vfs)) as Arc<dyn deno_fs::FileSystem>,
Some(vfs_root_dir_path),
node_modules_path,
Some(snapshot.into_valid()?),
)
@ -336,6 +337,7 @@ pub async fn run(
Arc::new(deno_fs::RealFs) as Arc<dyn deno_fs::FileSystem>,
None,
None,
None,
)
};
let npm_resolution = Arc::new(NpmResolution::from_serialized(
@ -395,9 +397,25 @@ pub async fn run(
}),
};
let permissions = PermissionsContainer::new(Permissions::from_options(
&metadata.permissions,
)?);
let permissions = {
let mut permissions = metadata.permissions;
// if running with an npm vfs, grant read access to it
if let Some(vfs_root) = vfs_root {
match &mut permissions.allow_read {
Some(vec) if vec.is_empty() => {
// do nothing, already granted
}
Some(vec) => {
vec.push(vfs_root);
}
None => {
permissions.allow_read = Some(vec![vfs_root]);
}
}
}
PermissionsContainer::new(Permissions::from_options(&permissions)?)
};
let worker_factory = CliMainWorkerFactory::new(
StorageKeyResolver::empty(),
npm_resolver.clone(),

View file

@ -912,11 +912,13 @@ testing[WILDCARD]this
fn compile_npm_file_system() {
run_npm_bin_compile_test(RunNpmBinCompileOptions {
input_specifier: "compile/npm_fs/main.ts",
compile_args: vec!["-A"],
run_args: vec![],
output_file: "compile/npm_fs/main.out",
node_modules_dir: true,
input_name: Some("binary"),
expected_name: "binary",
run_args: vec![],
exit_code: 0,
});
}
@ -924,11 +926,13 @@ fn compile_npm_file_system() {
fn compile_npm_bin_esm() {
run_npm_bin_compile_test(RunNpmBinCompileOptions {
input_specifier: "npm:@denotest/bin/cli-esm",
compile_args: vec![],
run_args: vec!["this", "is", "a", "test"],
output_file: "npm/deno_run_esm.out",
node_modules_dir: false,
input_name: None,
expected_name: "cli-esm",
exit_code: 0,
});
}
@ -936,23 +940,55 @@ fn compile_npm_bin_esm() {
fn compile_npm_bin_cjs() {
run_npm_bin_compile_test(RunNpmBinCompileOptions {
input_specifier: "npm:@denotest/bin/cli-cjs",
compile_args: vec![],
run_args: vec!["this", "is", "a", "test"],
output_file: "npm/deno_run_cjs.out",
node_modules_dir: false,
input_name: None,
expected_name: "cli-cjs",
exit_code: 0,
});
}
#[test]
fn compile_npm_cowsay() {
fn compile_npm_cowsay_main() {
run_npm_bin_compile_test(RunNpmBinCompileOptions {
input_specifier: "npm:cowsay@1.5.0",
compile_args: vec!["--allow-read"],
run_args: vec!["Hello"],
output_file: "npm/deno_run_cowsay.out",
node_modules_dir: false,
input_name: None,
expected_name: "cowsay",
exit_code: 0,
});
}
#[test]
fn compile_npm_vfs_implicit_read_permissions() {
run_npm_bin_compile_test(RunNpmBinCompileOptions {
input_specifier: "compile/vfs_implicit_read_permission/main.ts",
compile_args: vec![],
run_args: vec![],
output_file: "compile/vfs_implicit_read_permission/main.out",
node_modules_dir: false,
input_name: Some("binary"),
expected_name: "binary",
exit_code: 0,
});
}
#[test]
fn compile_npm_no_permissions() {
run_npm_bin_compile_test(RunNpmBinCompileOptions {
input_specifier: "npm:cowsay@1.5.0",
compile_args: vec![],
run_args: vec!["Hello"],
output_file: "npm/deno_run_cowsay_no_permissions.out",
node_modules_dir: false,
input_name: None,
expected_name: "cowsay",
exit_code: 1,
});
}
@ -960,11 +996,13 @@ fn compile_npm_cowsay() {
fn compile_npm_cowsay_explicit() {
run_npm_bin_compile_test(RunNpmBinCompileOptions {
input_specifier: "npm:cowsay@1.5.0/cowsay",
compile_args: vec!["--allow-read"],
run_args: vec!["Hello"],
output_file: "npm/deno_run_cowsay.out",
node_modules_dir: false,
input_name: None,
expected_name: "cowsay",
exit_code: 0,
});
}
@ -972,21 +1010,25 @@ fn compile_npm_cowsay_explicit() {
fn compile_npm_cowthink() {
run_npm_bin_compile_test(RunNpmBinCompileOptions {
input_specifier: "npm:cowsay@1.5.0/cowthink",
compile_args: vec!["--allow-read"],
run_args: vec!["Hello"],
output_file: "npm/deno_run_cowthink.out",
node_modules_dir: false,
input_name: None,
expected_name: "cowthink",
exit_code: 0,
});
}
struct RunNpmBinCompileOptions<'a> {
input_specifier: &'a str,
output_file: &'a str,
node_modules_dir: bool,
output_file: &'a str,
input_name: Option<&'a str>,
expected_name: &'a str,
run_args: Vec<&'a str>,
compile_args: Vec<&'a str>,
exit_code: i32,
}
fn run_npm_bin_compile_test(opts: RunNpmBinCompileOptions) {
@ -1006,7 +1048,9 @@ fn run_npm_bin_compile_test(opts: RunNpmBinCompileOptions) {
.to_string()
};
let mut args = vec!["compile".to_string(), "-A".to_string()];
let mut args = vec!["compile".to_string()];
args.extend(opts.compile_args.iter().map(|s| s.to_string()));
if opts.node_modules_dir {
args.push("--node-modules-dir".to_string());
@ -1036,4 +1080,5 @@ fn run_npm_bin_compile_test(opts: RunNpmBinCompileOptions) {
.args_vec(opts.run_args)
.run();
output.assert_matches_file(opts.output_file);
output.assert_exit_code(opts.exit_code);
}

View file

@ -0,0 +1,8 @@
__________________
< Hello from Deno! >
------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||

View file

@ -0,0 +1,3 @@
// this will read a file from the package
import { say } from "npm:cowsay@1.5.0";
console.log(say({ text: "Hello from Deno!" }));

View file

@ -0,0 +1,2 @@
error: Uncaught PermissionDenied: Requires read access to <CWD>, run again with the --allow-read flag
[WILDCARD]

View file

@ -394,7 +394,7 @@ impl TestCommandBuilder {
(Some(combined_reader), None)
};
let mut process = command.spawn().unwrap();
let mut process = command.spawn().expect("Failed spawning command");
if let Some(input) = &self.stdin {
let mut p_stdin = process.stdin.take().unwrap();