From 7ae0858fdae30b20e9ae852ac9ec32ccdef21e5a Mon Sep 17 00:00:00 2001
From: Colin Ihrig <cjihrig@gmail.com>
Date: Thu, 19 May 2022 17:45:09 -0400
Subject: [PATCH] fix(runtime): improve permission descriptor validation
 (#14676)

This commit improves the permission descriptor validation by
explicitly checking for object types and using optional
chaining when creating error messages in case the descriptor
is not an object.

Fixes: https://github.com/denoland/deno/issues/14675
---
 cli/tests/unit/permissions_test.ts | 15 +++++++++++++++
 runtime/js/10_permissions.js       | 11 +++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/cli/tests/unit/permissions_test.ts b/cli/tests/unit/permissions_test.ts
index 006bad2494..458ef2f28e 100644
--- a/cli/tests/unit/permissions_test.ts
+++ b/cli/tests/unit/permissions_test.ts
@@ -71,3 +71,18 @@ Deno.test(async function permissionURL() {
     command: new URL(".", import.meta.url),
   });
 });
+
+Deno.test(async function permissionDescriptorValidation() {
+  for (const value of [undefined, null, {}]) {
+    for (const method of ["query", "request", "revoke"]) {
+      await assertRejects(
+        async () => {
+          // deno-lint-ignore no-explicit-any
+          await (Deno.permissions as any)[method](value as any);
+        },
+        TypeError,
+        '"undefined" is not a valid permission name',
+      );
+    }
+  }
+});
diff --git a/runtime/js/10_permissions.js b/runtime/js/10_permissions.js
index 1a9be1f275..66c68bbf0a 100644
--- a/runtime/js/10_permissions.js
+++ b/runtime/js/10_permissions.js
@@ -149,7 +149,7 @@
    * @returns {desc is Deno.PermissionDescriptor}
    */
   function isValidDescriptor(desc) {
-    return desc && desc !== null &&
+    return typeof desc === "object" && desc !== null &&
       ArrayPrototypeIncludes(permissionNames, desc.name);
   }
 
@@ -164,7 +164,8 @@
       if (!isValidDescriptor(desc)) {
         return PromiseReject(
           new TypeError(
-            `The provided value "${desc.name}" is not a valid permission name.`,
+            `The provided value "${desc
+              ?.name}" is not a valid permission name.`,
           ),
         );
       }
@@ -185,7 +186,8 @@
       if (!isValidDescriptor(desc)) {
         return PromiseReject(
           new TypeError(
-            `The provided value "${desc.name}" is not a valid permission name.`,
+            `The provided value "${desc
+              ?.name}" is not a valid permission name.`,
           ),
         );
       }
@@ -204,7 +206,8 @@
       if (!isValidDescriptor(desc)) {
         return PromiseReject(
           new TypeError(
-            `The provided value "${desc.name}" is not a valid permission name.`,
+            `The provided value "${desc
+              ?.name}" is not a valid permission name.`,
           ),
         );
       }