fix(compile): relative permissions should be retained as relative (de…

…noland#23719) Closes denoland#23715
eryue0220 · May 6, 2024 · 2dcbef2 · 2dcbef2
1 parent f698bc7
commit 2dcbef2
Show file tree

Hide file tree

Showing 12 changed files with 624 additions and 364 deletions.
diff --git a/cli/args/flags.rs b/cli/args/flags.rs
diff --git a/cli/args/mod.rs b/cli/args/mod.rs
@@ -1524,10 +1524,6 @@ impl CliOptions {
  &self.flags.cache_path
  }
 
- pub fn no_prompt(&self) -> bool {
- resolve_no_prompt(&self.flags)
- }
-
  pub fn no_remote(&self) -> bool {
  self.flags.no_remote
  }
@@ -1540,45 +1536,12 @@ impl CliOptions {
  self.flags.config_flag == deno_config::ConfigFlag::Disabled
  }
 
- pub fn permissions_options(&self) -> PermissionsOptions {
- PermissionsOptions {
- allow_all: self.flags.allow_all,
- allow_env: self.flags.allow_env.clone(),
- deny_env: self.flags.deny_env.clone(),
- allow_hrtime: self.flags.allow_hrtime,
- deny_hrtime: self.flags.deny_hrtime,
- allow_net: self.flags.allow_net.clone(),
- deny_net: self.flags.deny_net.clone(),
- allow_ffi: convert_option_str_to_path_buf(
- &self.flags.allow_ffi,
- self.initial_cwd(),
- ),
- deny_ffi: convert_option_str_to_path_buf(
- &self.flags.deny_ffi,
- self.initial_cwd(),
- ),
- allow_read: convert_option_str_to_path_buf(
- &self.flags.allow_read,
- self.initial_cwd(),
- ),
- deny_read: convert_option_str_to_path_buf(
- &self.flags.deny_read,
- self.initial_cwd(),
- ),
- allow_run: self.flags.allow_run.clone(),
- deny_run: self.flags.deny_run.clone(),
- allow_sys: self.flags.allow_sys.clone(),
- deny_sys: self.flags.deny_sys.clone(),
- allow_write: convert_option_str_to_path_buf(
- &self.flags.allow_write,
- self.initial_cwd(),
- ),
- deny_write: convert_option_str_to_path_buf(
- &self.flags.deny_write,
- self.initial_cwd(),
- ),
- prompt: !self.no_prompt(),
- }
+ pub fn permission_flags(&self) -> &PermissionFlags {
+ &self.flags.permissions
+ }
+
+ pub fn permissions_options(&self) -> Result<PermissionsOptions, AnyError> {
+ self.flags.permissions.to_options(Some(&self.initial_cwd))
  }
 
  pub fn reload_flag(&self) -> bool {
@@ -1871,7 +1834,7 @@ fn resolve_files(
 }
 
 /// Resolves the no_prompt value based on the cli flags and environment.
-pub fn resolve_no_prompt(flags: &Flags) -> bool {
+pub fn resolve_no_prompt(flags: &PermissionFlags) -> bool {
  flags.no_prompt || has_flag_env_var("DENO_NO_PROMPT")
 }
 
@@ -1887,20 +1850,6 @@ pub fn npm_pkg_req_ref_to_binary_command(
  binary_name.to_string()
 }
 
-fn convert_option_str_to_path_buf(
- flag: &Option<Vec<String>>,
- initial_cwd: &Path,
-) -> Option<Vec<PathBuf>> {
- if let Some(allow_ffi_paths) = &flag {
- let mut full_paths = Vec::new();
- full_paths
- .extend(allow_ffi_paths.iter().map(|path| initial_cwd.join(path)));
- Some(full_paths)
- } else {
- None
- }
-}
-
 #[cfg(test)]
 mod test {
  use crate::util::fs::FileCollector;

diff --git a/cli/lsp/testing/execution.rs b/cli/lsp/testing/execution.rs
@@ -218,7 +218,7 @@ impl TestRun {
  // `PermissionsContainer` - otherwise granting/revoking permissions in one
  // file would have impact on other files, which is undesirable.
  let permissions =
- Permissions::from_options(&factory.cli_options().permissions_options())?;
+ Permissions::from_options(&factory.cli_options().permissions_options()?)?;
  test::check_specifiers(
  factory.cli_options(),
  factory.file_fetcher()?,

diff --git a/cli/standalone/binary.rs b/cli/standalone/binary.rs
@@ -24,7 +24,6 @@ use deno_core::futures::AsyncSeekExt;
 use deno_core::serde_json;
 use deno_core::url::Url;
 use deno_npm::NpmSystemInfo;
-use deno_runtime::permissions::PermissionsOptions;
 use deno_semver::package::PackageReq;
 use deno_semver::VersionReqSpecifierParseError;
 use log::Level;
@@ -37,6 +36,7 @@ use crate::args::CaData;
 use crate::args::CliOptions;
 use crate::args::CompileFlags;
 use crate::args::PackageJsonDepsProvider;
+use crate::args::PermissionFlags;
 use crate::args::UnstableConfig;
 use crate::cache::DenoDir;
 use crate::file_fetcher::FileFetcher;
@@ -134,7 +134,7 @@ pub enum NodeModules {
 pub struct Metadata {
  pub argv: Vec<String>,
  pub seed: Option<u64>,
- pub permissions: PermissionsOptions,
+ pub permissions: PermissionFlags,
  pub location: Option<Url>,
  pub v8_flags: Vec<String>,
  pub log_level: Option<Level>,
@@ -621,7 +621,7 @@ impl<'a> DenoCompileBinaryWriter<'a> {
  argv: compile_flags.args.clone(),
  seed: cli_options.seed(),
  location: cli_options.location_flag().clone(),
- permissions: cli_options.permissions_options(),
+ permissions: cli_options.permission_flags().clone(),
  v8_flags: cli_options.v8_flags().clone(),
  unsafely_ignore_certificate_errors: cli_options
  .unsafely_ignore_certificate_errors()

diff --git a/cli/standalone/mod.rs b/cli/standalone/mod.rs
@@ -499,7 +499,9 @@ pub async fn run(
  };
 
  let permissions = {
- let mut permissions = metadata.permissions;
+ let maybe_cwd = std::env::current_dir().ok();
+ let mut permissions =
+ metadata.permissions.to_options(maybe_cwd.as_deref())?;
  // if running with an npm vfs, grant read access to it
  if let Some(vfs_root) = maybe_vfs_root {
  match &mut permissions.allow_read {

diff --git a/cli/tools/bench/mod.rs b/cli/tools/bench/mod.rs
@@ -433,7 +433,7 @@ pub async fn run_benchmarks(
  // `PermissionsContainer` - otherwise granting/revoking permissions in one
  // file would have impact on other files, which is undesirable.
  let permissions =
- Permissions::from_options(&cli_options.permissions_options())?;
+ Permissions::from_options(&cli_options.permissions_options()?)?;
 
  let specifiers = collect_specifiers(
  bench_options.files,
@@ -519,7 +519,7 @@ pub async fn run_benchmarks_with_watch(
  // `PermissionsContainer` - otherwise granting/revoking permissions in one
  // file would have impact on other files, which is undesirable.
  let permissions =
- Permissions::from_options(&cli_options.permissions_options())?;
+ Permissions::from_options(&cli_options.permissions_options()?)?;
 
  let graph = module_graph_creator
  .create_graph(graph_kind, bench_modules)

diff --git a/cli/tools/installer.rs b/cli/tools/installer.rs
@@ -426,7 +426,7 @@ async fn resolve_shim_data(
  executable_args.push("--cached-only".to_string());
  }
 
- if resolve_no_prompt(flags) {
+ if resolve_no_prompt(&flags.permissions) {
  executable_args.push("--no-prompt".to_string());
  }
 
@@ -527,6 +527,7 @@ fn is_in_path(dir: &Path) -> bool {
 mod tests {
  use super::*;
 
+ use crate::args::PermissionFlags;
  use crate::args::UninstallFlagsGlobal;
  use crate::args::UnstableConfig;
  use crate::util::fs::canonicalize_path;
@@ -878,8 +879,11 @@ mod tests {
  async fn install_with_flags() {
  let shim_data = resolve_shim_data(
  &Flags {
- allow_net: Some(vec![]),
- allow_read: Some(vec![]),
+ permissions: PermissionFlags {
+ allow_net: Some(vec![]),
+ allow_read: Some(vec![]),
+ ..Default::default()
+ },
  type_check_mode: TypeCheckMode::None,
  log_level: Some(Level::Error),
  ..Flags::default()
@@ -914,7 +918,10 @@ mod tests {
  async fn install_prompt() {
  let shim_data = resolve_shim_data(
  &Flags {
- no_prompt: true,
+ permissions: PermissionFlags {
+ no_prompt: true,
+ ..Default::default()
+ },
  ..Flags::default()
  },
  &InstallFlagsGlobal {
@@ -943,7 +950,10 @@ mod tests {
  async fn install_allow_all() {
  let shim_data = resolve_shim_data(
  &Flags {
- allow_all: true,
+ permissions: PermissionFlags {
+ allow_all: true,
+ ..Default::default()
+ },
  ..Flags::default()
  },
  &InstallFlagsGlobal {
@@ -973,7 +983,10 @@ mod tests {
  let temp_dir = canonicalize_path(&env::temp_dir()).unwrap();
  let shim_data = resolve_shim_data(
  &Flags {
- allow_all: true,
+ permissions: PermissionFlags {
+ allow_all: true,
+ ..Default::default()
+ },
  ..Flags::default()
  },
  &InstallFlagsGlobal {
@@ -1006,7 +1019,10 @@ mod tests {
  async fn install_npm_no_lock() {
  let shim_data = resolve_shim_data(
  &Flags {
- allow_all: true,
+ permissions: PermissionFlags {
+ allow_all: true,
+ ..Default::default()
+ },
  no_lock: true,
  ..Flags::default()
  },

diff --git a/cli/tools/repl/mod.rs b/cli/tools/repl/mod.rs
@@ -157,7 +157,7 @@ pub async fn run(flags: Flags, repl_flags: ReplFlags) -> Result<i32, AnyError> {
  let cli_options = factory.cli_options();
  let main_module = cli_options.resolve_main_module()?;
  let permissions = PermissionsContainer::new(Permissions::from_options(
- &cli_options.permissions_options(),
+ &cli_options.permissions_options()?,
  )?);
  let npm_resolver = factory.npm_resolver().await?.clone();
  let resolver = factory.resolver().await?.clone();

diff --git a/cli/tools/run/mod.rs b/cli/tools/run/mod.rs
@@ -65,7 +65,7 @@ To grant permissions, set them before the script argument. For example:
  maybe_npm_install(&factory).await?;
 
  let permissions = PermissionsContainer::new(Permissions::from_options(
- &cli_options.permissions_options(),
+ &cli_options.permissions_options()?,
  )?);
  let worker_factory = factory.create_cli_main_worker_factory().await?;
  let mut worker = worker_factory
@@ -86,7 +86,7 @@ pub async fn run_from_stdin(flags: Flags) -> Result<i32, AnyError> {
  let file_fetcher = factory.file_fetcher()?;
  let worker_factory = factory.create_cli_main_worker_factory().await?;
  let permissions = PermissionsContainer::new(Permissions::from_options(
- &cli_options.permissions_options(),
+ &cli_options.permissions_options()?,
  )?);
  let mut source = Vec::new();
  std::io::stdin().read_to_end(&mut source)?;
@@ -132,7 +132,7 @@ async fn run_with_watch(
  let _ = watcher_communicator.watch_paths(cli_options.watch_paths());
 
  let permissions = PermissionsContainer::new(Permissions::from_options(
- &cli_options.permissions_options(),
+ &cli_options.permissions_options()?,
  )?);
  let mut worker = factory
  .create_cli_main_worker_factory()
@@ -182,7 +182,7 @@ pub async fn eval_command(
  });
 
  let permissions = PermissionsContainer::new(Permissions::from_options(
- &cli_options.permissions_options(),
+ &cli_options.permissions_options()?,
  )?);
  let worker_factory = factory.create_cli_main_worker_factory().await?;
  let mut worker = worker_factory

diff --git a/cli/tools/test/mod.rs b/cli/tools/test/mod.rs
@@ -1704,7 +1704,7 @@ pub async fn run_tests(
  // `PermissionsContainer` - otherwise granting/revoking permissions in one
  // file would have impact on other files, which is undesirable.
  let permissions =
- Permissions::from_options(&cli_options.permissions_options())?;
+ Permissions::from_options(&cli_options.permissions_options()?)?;
  let log_level = cli_options.log_level();
 
  let specifiers_with_mode = fetch_specifiers_with_test_mode(
@@ -1834,7 +1834,7 @@ pub async fn run_tests_with_watch(
  }?;
 
  let permissions =
- Permissions::from_options(&cli_options.permissions_options())?;
+ Permissions::from_options(&cli_options.permissions_options()?)?;
  let graph = module_graph_creator
  .create_graph(graph_kind, test_modules)
  .await?;

diff --git a/tests/specs/compile/relative_permissions/__test__.jsonc b/tests/specs/compile/relative_permissions/__test__.jsonc
@@ -0,0 +1,26 @@
+{
+ "tempDir": true,
+ "steps": [{
+ "if": "unix",
+ "args": "compile --output=main --no-prompt --allow-read=a.txt main.ts",
+ "output": "[WILDCARD]"
+ }, {
+ "if": "unix",
+ "commandName": "./main",
+ "args": [],
+ "output": "No such file[WILDCARD]"
+ }, {
+ "if": "unix",
+ "args": [
+ "eval",
+ "Deno.mkdirSync('sub_dir');"
+ ],
+ "output": "[WILDCARD]"
+ }, {
+ "if": "unix",
+ "commandName": "../main",
+ "cwd": "sub_dir",
+ "args": [],
+ "output": "No such file[WILDCARD]"
+ }]
+}
diff --git a/tests/specs/compile/relative_permissions/main.ts b/tests/specs/compile/relative_permissions/main.ts
@@ -0,0 +1,5 @@
+try {
+ Deno.readTextFileSync("a.txt");
+} catch (err) {
+ console.log(err.message);
+}