Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: lock down allow-run permissions more #25370

Merged
merged 27 commits into from
Sep 4, 2024

Conversation

dsherret
Copy link
Member

@dsherret dsherret commented Sep 2, 2024

--allow-run even with an allow list has essentially been --allow-all... this locks it down more.

  1. Resolves allow list for --allow-run= on startup to an absolute path, then uses these paths when evaluating if a command can execute. Also, adds these paths to --deny-write
  2. Resolves the environment (cwd and env vars) before evaluating permissions and before executing a command. Then uses this environment to evaluate the permissions and then evaluate the command.

This also fixes #25171 but I'll open a separate PR to add tests for that and close that issue.

Copy link
Member

@bartlomieju bartlomieju left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks okay, other than than one problem

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Windows platform Deno.command cwd does not take effect
2 participants