From d44011a69e0674acfa9c59bd7ad7f0523eb61d42 Mon Sep 17 00:00:00 2001
From: David Sherret <dsherret@users.noreply.github.com>
Date: Fri, 29 Oct 2021 17:05:55 -0400
Subject: [PATCH] fix(runtime): require full read and write permissions to
 create symlinks (#12554)

---
 cli/dts/lib.deno.ns.d.ts       |  4 ++--
 cli/tests/unit/symlink_test.ts | 28 ++++++++++++++++++++++++++++
 runtime/ops/fs.rs              |  6 ++++--
 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/cli/dts/lib.deno.ns.d.ts b/cli/dts/lib.deno.ns.d.ts
index 2e1cae3068..a631315c3e 100644
--- a/cli/dts/lib.deno.ns.d.ts
+++ b/cli/dts/lib.deno.ns.d.ts
@@ -2347,7 +2347,7 @@ declare namespace Deno {
    * Deno.symlinkSync("old/name", "new/name");
    * ```
    *
-   * Requires `allow-write` permission. */
+   * Requires full `allow-read` and `allow-write` permissions. */
   export function symlinkSync(
     oldpath: string | URL,
     newpath: string | URL,
@@ -2364,7 +2364,7 @@ declare namespace Deno {
    * await Deno.symlink("old/name", "new/name");
    * ```
    *
-   * Requires `allow-write` permission. */
+   * Requires full `allow-read` and `allow-write` permissions. */
   export function symlink(
     oldpath: string | URL,
     newpath: string | URL,
diff --git a/cli/tests/unit/symlink_test.ts b/cli/tests/unit/symlink_test.ts
index f0db2d615d..782b031754 100644
--- a/cli/tests/unit/symlink_test.ts
+++ b/cli/tests/unit/symlink_test.ts
@@ -108,3 +108,31 @@ unitTest(
     );
   },
 );
+
+unitTest(
+  { permissions: { read: true, write: ["."] } },
+  async function symlinkNoFullWritePermissions() {
+    await assertRejects(
+      () => Deno.symlink("old", "new"),
+      Deno.errors.PermissionDenied,
+    );
+    assertThrows(
+      () => Deno.symlinkSync("old", "new"),
+      Deno.errors.PermissionDenied,
+    );
+  },
+);
+
+unitTest(
+  { permissions: { read: ["."], write: true } },
+  async function symlinkNoFullReadPermissions() {
+    await assertRejects(
+      () => Deno.symlink("old", "new"),
+      Deno.errors.PermissionDenied,
+    );
+    assertThrows(
+      () => Deno.symlinkSync("old", "new"),
+      Deno.errors.PermissionDenied,
+    );
+  },
+);
diff --git a/runtime/ops/fs.rs b/runtime/ops/fs.rs
index c3e9215a28..4c29898d7b 100644
--- a/runtime/ops/fs.rs
+++ b/runtime/ops/fs.rs
@@ -1370,7 +1370,8 @@ fn op_symlink_sync(
   let oldpath = PathBuf::from(&args.oldpath);
   let newpath = PathBuf::from(&args.newpath);
 
-  state.borrow_mut::<Permissions>().write.check(&newpath)?;
+  state.borrow_mut::<Permissions>().write.check_all()?;
+  state.borrow_mut::<Permissions>().read.check_all()?;
 
   debug!(
     "op_symlink_sync {} {}",
@@ -1432,7 +1433,8 @@ async fn op_symlink_async(
 
   {
     let mut state = state.borrow_mut();
-    state.borrow_mut::<Permissions>().write.check(&newpath)?;
+    state.borrow_mut::<Permissions>().write.check_all()?;
+    state.borrow_mut::<Permissions>().read.check_all()?;
   }
 
   tokio::task::spawn_blocking(move || {