Enforce permissions on kill(), homeDir() and execPath (#2723)

2025-03-03 09:31:22 -05:00 · 2019-08-06 06:45:36 +01:00 · 2019-08-06 06:45:36 +01:00 · 11c850af42
commit 11c850af42
parent 046cccfe17
4 changed files with 24 additions and 3 deletions
--- a/cli/ops.rs
+++ b/cli/ops.rs
@ -1053,10 +1053,12 @@ fn op_close(
 }

 fn op_kill(
-  _state: &ThreadSafeState,
+  state: &ThreadSafeState,
  base: &msg::Base<'_>,
  data: Option<PinnedBuf>,
 ) -> CliOpResult {
+  state.check_run()?;
+
  assert!(data.is_none());
  let inner = base.inner_as_kill().unwrap();
  let pid = inner.pid();
--- a/js/os.ts
+++ b/js/os.ts
@ -13,7 +13,9 @@ export let pid: number;
 /** Reflects the NO_COLOR environment variable: https://no-color.org/ */
 export let noColor: boolean;

-/** Path to the current deno process's executable file. */
+/** Path to the current deno process's executable file.
+ * Requires the `--allow-env` flag, otherwise it'll be set to an empty `string`.
+ */
 export let execPath: string;

 function setGlobals(pid_: number, noColor_: boolean, execPath_: string): void {
@ -145,7 +147,7 @@ export function start(

 /**
 * Returns the current user's home directory.
- * Does not require elevated privileges.
+ * Requires the `--allow-env` flag.
 */
 export function homeDir(): string {
  const builder = flatbuffers.createBuilder();
--- a/js/process.ts
+++ b/js/process.ts
@ -55,6 +55,7 @@ async function runStatus(rid: number): Promise<ProcessStatus> {
 /** Send a signal to process under given PID. Unix only at this moment.
 * If pid is negative, the signal will be sent to the process group identified
 * by -pid.
+ * Requires the `--allow-run` flag.
 */
 export function kill(pid: number, signo: number): void {
  const builder = flatbuffers.createBuilder();
--- a/js/process_test.ts
+++ b/js/process_test.ts
@ -321,6 +321,22 @@ test(function signalNumbers(): void {

 // Ignore signal tests on windows for now...
 if (Deno.platform.os !== "win") {
+  test(function killPermissions(): void {
+    let caughtError = false;
+    try {
+      // Unlike the other test cases, we don't have permission to spawn a
+      // subprocess we can safely kill. Instead we send SIGCONT to the current
+      // process - assuming that Deno does not have a special handler set for it
+      // and will just continue even if a signal is erroneously sent.
+      Deno.kill(Deno.pid, Deno.Signal.SIGCONT);
+    } catch (e) {
+      caughtError = true;
+      assertEquals(e.kind, Deno.ErrorKind.PermissionDenied);
+      assertEquals(e.name, "PermissionDenied");
+    }
+    assert(caughtError);
+  });
+
  testPerm({ run: true }, async function killSuccess(): Promise<void> {
    const p = run({
      args: ["python", "-c", "from time import sleep; sleep(10000)"]