feat(deno): support for custom deny permissions (#286)

src/bin/index.ts

@@ -27,6 +27,7 @@ const killRange = getArg('kill-range');
 const killPID = getArg('kill-pid');
 const concurrency = Number(getArg('concurrency')) || undefined;
 const denoAllow = getSubArg('deno-allow');
+const denoDeny = getSubArg('deno-deny');
 
 // Multiple arguments with values or not
 // TODO (Custom Args)
@@ -82,6 +83,7 @@ if (hasArg('log-success'))
     // arguments: args.length > 0 ? args : undefined,
     deno: {
       allow: denoAllow,
+      deny: denoDeny,
     },
   });
 })();

src/helpers/runner.ts

@@ -28,7 +28,13 @@ export const runner = (filename: string, configs?: Configs): string[] => {
           '--allow-net', // Create Service
         ];
 
-    return ['deno', 'run', ...denoAllow];
+    const denoDeny = configs?.deno?.deny
+      ? configs.deno.deny
+          .map((deny) => (deny ? `--deny-${deny}` : ''))
+          .filter((deny) => deny)
+      : [];
+
+    return ['deno', 'run', ...denoAllow, ...denoDeny];
   }
 
   // Node.js

test/unit/deno/allow.test.ts

@@ -1,7 +1,7 @@
 import { assert, describe, test } from '../../../src/index.js';
 import { runner } from '../../../src/helpers/runner.js';
 
-describe('Deno Security Arguments', { background: false, icon: '🔬' });
+describe('Deno Permissions (Allow)', { background: false, icon: '🔬' });
 
 test(() => {
   assert.deepStrictEqual(
@@ -45,10 +45,10 @@ test(() => {
     runner('', {
       platform: 'deno',
       deno: {
-        allow: ['read="file.js"', 'env'],
+        allow: ['read=file.js', 'env'],
       },
     }),
-    ['deno', 'run', '--allow-read="file.js"', '--allow-env'],
+    ['deno', 'run', '--allow-read=file.js', '--allow-env'],
     'Custom Permissions per Files'
   );
 

test/unit/deno/deny.test.ts

@@ -0,0 +1,61 @@
+import { assert, describe, test } from '../../../src/index.js';
+import { runner } from '../../../src/helpers/runner.js';
+
+describe('Deno Permissions (Deny)', { background: false, icon: '🔬' });
+
+test(() => {
+  assert.deepStrictEqual(
+    runner('', {
+      platform: 'deno',
+      deno: {
+        allow: [],
+        deny: ['read'],
+      },
+    }),
+    ['deno', 'run', '--deny-read'],
+    'Custom Permission'
+  );
+
+  assert.deepStrictEqual(
+    runner('', {
+      platform: 'deno',
+      deno: {
+        allow: [],
+        deny: ['read', 'env'],
+      },
+    }),
+    ['deno', 'run', '--deny-read', '--deny-env'],
+    'Custom Permissions'
+  );
+
+  assert.deepStrictEqual(
+    runner('', {
+      platform: 'deno',
+      deno: {
+        allow: [],
+        deny: ['read=file.js', 'env'],
+      },
+    }),
+    ['deno', 'run', '--deny-read=file.js', '--deny-env'],
+    'Custom Permissions per Files'
+  );
+
+  assert.deepStrictEqual(
+    runner('', {
+      platform: 'deno',
+      deno: {
+        allow: ['read=file.js', 'net'],
+        deny: ['net=server.com', 'env'],
+      },
+    }),
+    [
+      'deno',
+      'run',
+      '--allow-read=file.js',
+      '--allow-net',
+      '--deny-net=server.com',
+      '--deny-env',
+    ],
+    'Mixed Permissions'
+  );
+});

website/docs/documentation/poku/options/deno.mdx

@@ -57,3 +57,39 @@ Clear all permissions:
 ```bash
 npx poku --deno-allow='' ./test
 ```
+
+## `deny`
+
+> `poku(targetPaths: string | string[], configs?: Configs)`
+>
+> `deny: string[]`
+
+Change permissions for **Deno**.
+
+### API (_in-code_)
+
+```ts
+poku(['...'], {
+  deno: {
+    deny: ['write', 'sys' /* ... */],
+  },
+});
+```
+
+```ts
+poku(['...'], {
+  deno: {
+    deny: ['env=HOME', 'write' /* ... */],
+  },
+});
+```
+
+### CLI
+
+```bash
+npx poku --deno-deny='write, sys' ./test
+```
+
+```bash
+npx poku --deno-deny='env=HOME, write' ./test
+```