mirror of
https://github.com/denoland/deno.git
synced 2024-12-30 02:59:11 -05:00
5504acea67
This replaces `--allow-net` for import permissions and makes the security sandbox stricter by also checking permissions for statically analyzable imports. By default, this has a value of `--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`, but that can be overridden by providing a different set of hosts. Additionally, when no value is provided, import permissions are inferred from the CLI arguments so the following works because `fresh.deno.dev:443` will be added to the list of allowed imports: ```ts deno run -A -r https://fresh.deno.dev ``` --------- Co-authored-by: David Sherret <dsherret@gmail.com>
54 lines
1.1 KiB
TypeScript
54 lines
1.1 KiB
TypeScript
try {
|
|
Deno.removeSync("./lock_write_fetch.json");
|
|
} catch {
|
|
// pass
|
|
}
|
|
|
|
const fetchProc = await new Deno.Command(Deno.execPath(), {
|
|
stdout: "null",
|
|
stderr: "null",
|
|
args: [
|
|
"cache",
|
|
"--allow-import",
|
|
"--reload",
|
|
"--lock=lock_write_fetch.json",
|
|
"--cert=tls/RootCA.pem",
|
|
"run/https_import.ts",
|
|
],
|
|
}).output();
|
|
|
|
console.log(`fetch code: ${fetchProc.code}`);
|
|
|
|
const fetchCheckProc = await new Deno.Command(Deno.execPath(), {
|
|
stdout: "null",
|
|
stderr: "null",
|
|
args: [
|
|
"cache",
|
|
"--allow-import",
|
|
"--lock=lock_write_fetch.json",
|
|
"--cert=tls/RootCA.pem",
|
|
"run/https_import.ts",
|
|
],
|
|
}).output();
|
|
|
|
console.log(`fetch check code: ${fetchCheckProc.code}`);
|
|
|
|
Deno.removeSync("./lock_write_fetch.json");
|
|
|
|
const runProc = await new Deno.Command(Deno.execPath(), {
|
|
stdout: "null",
|
|
stderr: "null",
|
|
args: [
|
|
"run",
|
|
"--allow-import",
|
|
"--lock=lock_write_fetch.json",
|
|
"--allow-read",
|
|
"--cert=tls/RootCA.pem",
|
|
"run/https_import.ts",
|
|
],
|
|
}).output();
|
|
|
|
console.log(`run code: ${runProc.code}`);
|
|
|
|
await Deno.stat("./lock_write_fetch.json");
|
|
Deno.removeSync("./lock_write_fetch.json");
|