Skip to content

Commit

Permalink
fix(permissions): say to use --allow-run instead of --allow-all (#26842)
Browse files Browse the repository at this point in the history
For #26839
  • Loading branch information
dsherret authored Nov 12, 2024
1 parent 01f3451 commit 119910f
Show file tree
Hide file tree
Showing 4 changed files with 17 additions and 14 deletions.
19 changes: 11 additions & 8 deletions runtime/ops/process.rs
Original file line number Diff line number Diff line change
Expand Up @@ -756,14 +756,17 @@ fn check_run_permission(
if !env_var_names.is_empty() {
// we don't allow users to launch subprocesses with any LD_ or DYLD_*
// env vars set because this allows executing code (ex. LD_PRELOAD)
return Err(CheckRunPermissionError::Other(deno_core::error::custom_error(
"NotCapable",
format!(
"Requires --allow-all permissions to spawn subprocess with {} environment variable{}.",
env_var_names.join(", "),
if env_var_names.len() != 1 { "s" } else { "" }
)
)));
return Err(CheckRunPermissionError::Other(
deno_core::error::custom_error(
"NotCapable",
format!(
"Requires --allow-run permissions to spawn subprocess with {0} environment variable{1}. Alternatively, spawn with {2} environment variable{1} unset.",
env_var_names.join(", "),
if env_var_names.len() != 1 { "s" } else { "" },
if env_var_names.len() != 1 { "these" } else { "the" }
),
),
));
}
permissions.check_run(cmd, api_name)?;
}
Expand Down
4 changes: 2 additions & 2 deletions tests/specs/run/ld_preload/env_arg.out
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
NotCapable: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
NotCapable: Requires --allow-run permissions to spawn subprocess with LD_PRELOAD environment variable. Alternatively, spawn with the environment variable unset.
[WILDCARD]
name: "NotCapable"
}
NotCapable: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
NotCapable: Requires --allow-run permissions to spawn subprocess with LD_PRELOAD environment variable. Alternatively, spawn with the environment variable unset.
[WILDCARD]
name: "NotCapable"
}
4 changes: 2 additions & 2 deletions tests/specs/run/ld_preload/env_arg.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
try {
new Deno.Command("echo", {
new Deno.Command("curl", {
env: {
"LD_PRELOAD": "./libpreload.so",
},
Expand All @@ -10,7 +10,7 @@ try {

try {
Deno.run({
cmd: ["echo"],
cmd: ["curl"],
env: {
"LD_PRELOAD": "./libpreload.so",
},
Expand Down
4 changes: 2 additions & 2 deletions tests/specs/run/ld_preload/set_with_allow_env.out
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
NotCapable: Requires --allow-all permissions to spawn subprocess with LD_PRELOAD environment variable.
NotCapable: Requires --allow-run permissions to spawn subprocess with LD_PRELOAD environment variable. Alternatively, spawn with the environment variable unset.
[WILDCARD]
name: "NotCapable"
}
NotCapable: Requires --allow-all permissions to spawn subprocess with DYLD_FALLBACK_LIBRARY_PATH, LD_PRELOAD environment variables.
NotCapable: Requires --allow-run permissions to spawn subprocess with DYLD_FALLBACK_LIBRARY_PATH, LD_PRELOAD environment variables. Alternatively, spawn with these environment variables unset.
[WILDCARD]
name: "NotCapable"
}

0 comments on commit 119910f

Please sign in to comment.