diff --git a/src/bin/index.ts b/src/bin/index.ts
index 9265f123..fba6abb2 100644
--- a/src/bin/index.ts
+++ b/src/bin/index.ts
@@ -27,6 +27,7 @@ const killRange = getArg('kill-range');
 const killPID = getArg('kill-pid');
 const concurrency = Number(getArg('concurrency')) || undefined;
 const denoAllow = getSubArg('deno-allow');
+const denoDeny = getSubArg('deno-deny');
 // Multiple arguments with values or not
 // TODO (Custom Args)
@@ -82,6 +83,7 @@ if (hasArg('log-success'))
 // arguments: args.length > 0 ? args : undefined,
 deno: {
 allow: denoAllow,
+ deny: denoDeny,
 },
 });
 })();
diff --git a/src/helpers/runner.ts b/src/helpers/runner.ts
index 8eb66527..2d52a2c8 100644
--- a/src/helpers/runner.ts
+++ b/src/helpers/runner.ts
@@ -28,7 +28,13 @@ export const runner = (filename: string, configs?: Configs): string[] => {
 '--allow-net', // Create Service
 ];
- return ['deno', 'run', ...denoAllow];
+ const denoDeny = configs?.deno?.deny
+ ? configs.deno.deny
+ .map((deny) => (deny ? `--deny-${deny}` : ''))
+ .filter((deny) => deny)
+ : [];
+
+ return ['deno', 'run', ...denoAllow, ...denoDeny];
 }
 // Node.js
diff --git a/test/unit/deno/allow.test.ts b/test/unit/deno/allow.test.ts
index 6a31f54c..a23f620b 100644
--- a/test/unit/deno/allow.test.ts
+++ b/test/unit/deno/allow.test.ts
@@ -1,7 +1,7 @@
 import { assert, describe, test } from '../../../src/index.js';
 import { runner } from '../../../src/helpers/runner.js';
-describe('Deno Security Arguments', { background: false, icon: '🔬' });
+describe('Deno Permissions (Allow)', { background: false, icon: '🔬' });
 test(() => {
 assert.deepStrictEqual(
@@ -45,10 +45,10 @@ test(() => {
 runner('', {
 platform: 'deno',
 deno: {
- allow: ['read="file.js"', 'env'],
+ allow: ['read=file.js', 'env'],
 },
 }),
- ['deno', 'run', '--allow-read="file.js"', '--allow-env'],
+ ['deno', 'run', '--allow-read=file.js', '--allow-env'],
 'Custom Permissions per Files'
 );
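Review bot: In the `src/helpers/runner.ts` hunk, each `deny` entry is interpolated into `--deny-${deny}` without being trimmed or checked against Deno's permission names, so whatever text arrives through `--deno-deny` or `deno.deny` becomes a flag on the `deno run` command line. The docs example in this commit (`--deno-deny='write, sys'`) has a space after the comma, and whether `getSubArg` trims it is not visible here. Because this list is a restriction the user relies on, I would reject unknown entries up front instead of leaving it to Deno's flag parser: `const name = deny.split('=')[0].trim();` then `if (!KNOWN_DENO_PERMISSIONS.has(name)) throw new Error('Unknown Deno permission: ' + name);`, where `KNOWN_DENO_PERMISSIONS` is a new set to add for the supported Deno versions. As a style point, the `.map(...).filter(...)` pair that emits `''` and then drops it reads more directly as one `flatMap`. `runner` starts before this hunk and the construction of `denoAllow` is not shown, so the same check may be needed there.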
diff --git a/test/unit/deno/deny.test.ts b/test/unit/deno/deny.test.ts
new file mode 100644
index 00000000..98045a16
--- /dev/null
+++ b/test/unit/deno/deny.test.ts
@@ -0,0 +1,61 @@
+import { assert, describe, test } from '../../../src/index.js';
+import { runner } from '../../../src/helpers/runner.js';
+
+describe('Deno Permissions (Deny)', { background: false, icon: '🔬' });
+
+test(() => {
+ assert.deepStrictEqual(
+ runner('', {
+ platform: 'deno',
+ deno: {
+ allow: [],
+ deny: ['read'],
+ },
+ }),
+ ['deno', 'run', '--deny-read'],
+ 'Custom Permission'
+ );
+
+ assert.deepStrictEqual(
+ runner('', {
+ platform: 'deno',
+ deno: {
+ allow: [],
+ deny: ['read', 'env'],
+ },
+ }),
+ ['deno', 'run', '--deny-read', '--deny-env'],
+ 'Custom Permissions'
+ );
+
+ assert.deepStrictEqual(
+ runner('', {
+ platform: 'deno',
+ deno: {
+ allow: [],
+ deny: ['read=file.js', 'env'],
+ },
+ }),
+ ['deno', 'run', '--deny-read=file.js', '--deny-env'],
+ 'Custom Permissions per Files'
+ );
+
+ assert.deepStrictEqual(
+ runner('', {
+ platform: 'deno',
+ deno: {
+ allow: ['read=file.js', 'net'],
+ deny: ['net=server.com', 'env'],
+ },
+ }),
+ [
+ 'deno',
+ 'run',
+ '--allow-read=file.js',
+ '--allow-net',
+ '--deny-net=server.com',
+ '--deny-env',
+ ],
+ 'Mixed Permissions'
+ );
+});
diff --git a/website/docs/documentation/poku/options/deno.mdx b/website/docs/documentation/poku/options/deno.mdx
index 16c6efb5..eeaf43bd 100644
--- a/website/docs/documentation/poku/options/deno.mdx
+++ b/website/docs/documentation/poku/options/deno.mdx
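Review bot: Every case in `test/unit/deno/deny.test.ts` passes `allow` explicitly, so nothing pins what `runner` emits when only `deny` is configured and what appears to be the built-in allow list (partly visible in the `runner.ts` hunk, ending in `'--allow-net'`) stays in effect. That is the likely shape of a plain `--deno-deny=...` run, and it is the case where the deny flags carry the restriction. I would add a case with `deno: { deny: ['net'] }` asserting that `--deny-net` is emitted after the default allow flags. A second case with `deny: ['']` asserting that no `--deny-` flag is produced would cover the empty-entry branch of the new mapping.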
@@ -57,3 +57,39 @@ Clear all permissions:
 ```bash
 npx poku --deno-allow='' ./test
 ```
+
+## `deny`
+
+> `poku(targetPaths: string | string[], configs?: Configs)`
+>
+> `deny: string[]`
+
+Change permissions for **Deno**.
+
+### API (_in-code_)
+
+```ts
+poku(['...'], {
+ deno: {
+ deny: ['write', 'sys' /* ... */],
+ },
+});
+```
+
+```ts
+poku(['...'], {
+ deno: {
+ deny: ['env=HOME', 'write' /* ... */],
+ },
+});
+```
+
+### CLI
+
+```bash
+npx poku --deno-deny='write, sys' ./test
+```
+
+```bash
+npx poku --deno-deny='env=HOME, write' ./test
+```