fix(ops): add node.js env variable allowlist (#15893)
This commit allows the Node compatibility layer to skip environment variable permission checks when --unstable is passed and the variable name is one that Node uses. Fixes: https://github.com/denoland/deno/issues/15890
parent
3c6652d56b
commit
e90f42cb2c
6 changed files with 42 additions and 1 deletions
|
@ -2839,3 +2839,15 @@ itest!(nested_error {
|
|||
output: "nested_error.ts.out",
|
||||
exit_code: 1,
|
||||
});
|
||||
|
||||
itest!(node_env_var_allowlist_with_unstable_flag {
|
||||
args: "run --unstable --no-prompt node_env_var_allowlist.ts",
|
||||
output: "node_env_var_allowlist_with_unstable_flag.ts.out",
|
||||
exit_code: 1,
|
||||
});
|
||||
|
||||
itest!(node_env_var_allowlist_without_unstable_flag {
|
||||
args: "run --no-prompt node_env_var_allowlist.ts",
|
||||
output: "node_env_var_allowlist_without_unstable_flag.ts.out",
|
||||
exit_code: 1,
|
||||
});
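Review bot: The `node_env_var_allowlist_with_unstable_flag` case passes only if `NODE_DEBUG` is unset in the process that runs it, because the fixture prints `Deno.env.get("NODE_DEBUG") ?? "ok"` and the expected output is the literal `ok`. If the harness inherits the developer's or CI environment, a set `NODE_DEBUG` changes the output. Pinning the variable to a known value in the test's environment and expecting that value would make the case deterministic, and would also show that the allowlisted read returns data rather than only that it does not throw. The two cases exercise `NODE_DEBUG` only, so the `NODE_OPTIONS` entry of the allowlist has no test.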
|
||||
|
|
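--- a/cli/tests/testdata/node_env_var_allowlist.ts
+++ b/cli/tests/testdata/node_env_var_allowlist.ts
@@ -0,0 +1,2 @@
+console.log(Deno.env.get("NODE_DEBUG") ?? "ok");
+Deno.env.get("NOT_NODE_DEBUG");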
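--- a/cli/tests/testdata/node_env_var_allowlist_with_unstable_flag.ts.out
+++ b/cli/tests/testdata/node_env_var_allowlist_with_unstable_flag.ts.out
@@ -0,0 +1,5 @@
+ok
+[WILDCARD]error: Uncaught PermissionDenied: Requires env access to "NOT_NODE_DEBUG", run again with the --allow-env flag
+Deno.env.get("NOT_NODE_DEBUG");
+^
+at [WILDCARD]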
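--- a/cli/tests/testdata/node_env_var_allowlist_without_unstable_flag.ts.out
+++ b/cli/tests/testdata/node_env_var_allowlist_without_unstable_flag.ts.out
@@ -0,0 +1,4 @@
+[WILDCARD]error: Uncaught PermissionDenied: Requires env access to "NODE_DEBUG", run again with the --allow-env flag
+console.log(Deno.env.get("NODE_DEBUG") ?? "ok");
+^
+at [WILDCARD]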
|
@ -8,6 +8,7 @@ use deno_core::url::Url;
|
|||
use deno_core::Extension;
|
||||
use deno_core::OpState;
|
||||
use once_cell::sync::Lazy;
|
||||
use std::collections::HashSet;
|
||||
use std::path::Path;
|
||||
use std::path::PathBuf;
|
||||
use std::rc::Rc;
|
||||
|
@ -59,6 +60,15 @@ pub static NODE_GLOBAL_THIS_NAME: Lazy<String> = Lazy::new(|| {
|
|||
format!("__DENO_NODE_GLOBAL_THIS_{}__", seconds)
|
||||
});
|
||||
|
||||
pub static NODE_ENV_VAR_ALLOWLIST: Lazy<HashSet<String>> = Lazy::new(|| {
|
||||
// The full list of environment variables supported by Node.js is available
|
||||
// at https://nodejs.org/api/cli.html#environment-variables
|
||||
let mut set = HashSet::new();
|
||||
set.insert("NODE_DEBUG".to_string());
|
||||
set.insert("NODE_OPTIONS".to_string());
|
||||
set
|
||||
});
|
||||
|
||||
struct Unstable(pub bool);
|
||||
|
||||
pub fn init<P: NodePermissions + 'static>(
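Review bot: `NODE_ENV_VAR_ALLOWLIST` is a permission exception, but its comment only points at the Node.js documentation and never says that every name in the set becomes readable without `--allow-env` once `--unstable` is passed. A line such as `// SECURITY: names in this set bypass the env permission check in op_get_env under --unstable; keep it minimal.` above `let mut set` would make future additions get reviewed as permission changes. `NODE_OPTIONS` deserves a second look before it stays in the set, since its value is a list of command-line options from the host rather than a simple debug toggle.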
|
||||
|
|
|
@ -8,6 +8,7 @@ use deno_core::url::Url;
|
|||
use deno_core::Extension;
|
||||
use deno_core::OpState;
|
||||
use deno_core::{op, ExtensionBuilder};
|
||||
use deno_node::NODE_ENV_VAR_ALLOWLIST;
|
||||
use serde::Serialize;
|
||||
use std::collections::HashMap;
|
||||
use std::env;
|
||||
|
@ -99,7 +100,14 @@ fn op_get_env(
|
|||
state: &mut OpState,
|
||||
key: String,
|
||||
) -> Result<Option<String>, AnyError> {
|
||||
state.borrow_mut::<Permissions>().env.check(&key)?;
|
||||
let skip_permission_check =
|
||||
state.borrow::<crate::ops::UnstableChecker>().unstable
|
||||
&& NODE_ENV_VAR_ALLOWLIST.contains(&key);
|
||||
|
||||
if !skip_permission_check {
|
||||
state.borrow_mut::<Permissions>().env.check(&key)?;
|
||||
}
|
||||
|
||||
if key.is_empty() || key.contains(&['=', '\0'] as &[char]) {
|
||||
return Err(type_error("Key contains invalid characters."));
|
||||
}
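Review bot: The bypass in `op_get_env` is keyed on the global `--unstable` flag (`UnstableChecker.unstable`), not on the caller being the Node compatibility layer, so any script run with `--unstable` for an unrelated reason can read `NODE_DEBUG` and `NODE_OPTIONS` without `--allow-env`; the new fixture does exactly that from user code. That is wider than the commit description states, and it is a grant the user never sees in the permission flags they passed. I would at least document it at the branch, e.g. `// SECURITY: under --unstable, allowlisted Node.js variables are readable by any caller without --allow-env`, and consider scoping the exception to an op used only by the compat layer or to a dedicated flag. `op_get_env` continues past the end of this hunk, and only the read path is visible here, so whether the set, delete and enumerate ops keep their checks cannot be confirmed from this page.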
|
||||
|
|