1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-12-11 10:07:54 -05:00

fix(ops): add node.js env variable allowlist (#15893)

This commit allows the Node compatibility layer to skip
environment variable permission checks when --unstable
is passed and the variable name is one that Node uses.

Fixes: https://github.com/denoland/deno/issues/15890
This commit is contained in:
Colin Ihrig 2022-09-14 11:59:20 -04:00 committed by cjihrig
parent 3c6652d56b
commit e90f42cb2c
No known key found for this signature in database
GPG key ID: 7434390BDBE9B9C5
6 changed files with 42 additions and 1 deletions

View file

@ -2839,3 +2839,15 @@ itest!(nested_error {
output: "nested_error.ts.out", output: "nested_error.ts.out",
exit_code: 1, exit_code: 1,
}); });
itest!(node_env_var_allowlist_with_unstable_flag {
args: "run --unstable --no-prompt node_env_var_allowlist.ts",
output: "node_env_var_allowlist_with_unstable_flag.ts.out",
exit_code: 1,
});
itest!(node_env_var_allowlist_without_unstable_flag {
args: "run --no-prompt node_env_var_allowlist.ts",
output: "node_env_var_allowlist_without_unstable_flag.ts.out",
exit_code: 1,
});

View file

@ -0,0 +1,2 @@
console.log(Deno.env.get("NODE_DEBUG") ?? "ok");
Deno.env.get("NOT_NODE_DEBUG");

View file

@ -0,0 +1,5 @@
ok
[WILDCARD]error: Uncaught PermissionDenied: Requires env access to "NOT_NODE_DEBUG", run again with the --allow-env flag
Deno.env.get("NOT_NODE_DEBUG");
^
at [WILDCARD]

View file

@ -0,0 +1,4 @@
[WILDCARD]error: Uncaught PermissionDenied: Requires env access to "NODE_DEBUG", run again with the --allow-env flag
console.log(Deno.env.get("NODE_DEBUG") ?? "ok");
^
at [WILDCARD]

View file

@ -8,6 +8,7 @@ use deno_core::url::Url;
use deno_core::Extension; use deno_core::Extension;
use deno_core::OpState; use deno_core::OpState;
use once_cell::sync::Lazy; use once_cell::sync::Lazy;
use std::collections::HashSet;
use std::path::Path; use std::path::Path;
use std::path::PathBuf; use std::path::PathBuf;
use std::rc::Rc; use std::rc::Rc;
@ -59,6 +60,15 @@ pub static NODE_GLOBAL_THIS_NAME: Lazy<String> = Lazy::new(|| {
format!("__DENO_NODE_GLOBAL_THIS_{}__", seconds) format!("__DENO_NODE_GLOBAL_THIS_{}__", seconds)
}); });
pub static NODE_ENV_VAR_ALLOWLIST: Lazy<HashSet<String>> = Lazy::new(|| {
// The full list of environment variables supported by Node.js is available
// at https://nodejs.org/api/cli.html#environment-variables
let mut set = HashSet::new();
set.insert("NODE_DEBUG".to_string());
set.insert("NODE_OPTIONS".to_string());
set
});
struct Unstable(pub bool); struct Unstable(pub bool);
pub fn init<P: NodePermissions + 'static>( pub fn init<P: NodePermissions + 'static>(

View file

@ -8,6 +8,7 @@ use deno_core::url::Url;
use deno_core::Extension; use deno_core::Extension;
use deno_core::OpState; use deno_core::OpState;
use deno_core::{op, ExtensionBuilder}; use deno_core::{op, ExtensionBuilder};
use deno_node::NODE_ENV_VAR_ALLOWLIST;
use serde::Serialize; use serde::Serialize;
use std::collections::HashMap; use std::collections::HashMap;
use std::env; use std::env;
@ -99,7 +100,14 @@ fn op_get_env(
state: &mut OpState, state: &mut OpState,
key: String, key: String,
) -> Result<Option<String>, AnyError> { ) -> Result<Option<String>, AnyError> {
state.borrow_mut::<Permissions>().env.check(&key)?; let skip_permission_check =
state.borrow::<crate::ops::UnstableChecker>().unstable
&& NODE_ENV_VAR_ALLOWLIST.contains(&key);
if !skip_permission_check {
state.borrow_mut::<Permissions>().env.check(&key)?;
}
if key.is_empty() || key.contains(&['=', '\0'] as &[char]) { if key.is_empty() || key.contains(&['=', '\0'] as &[char]) {
return Err(type_error("Key contains invalid characters.")); return Err(type_error("Key contains invalid characters."));
} }