From d5b1e476330038c54edd664edfef3483b73167e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?=
Date: Tue, 17 Sep 2024 22:28:36 +0200
Subject: [PATCH 1/2] feat: update warning message for --allow-run with no list
---
 cli/args/mod.rs | 2 +-
 tests/specs/permission/deny_run_binary_absolute_path/main.out | 2 +-
 tests/specs/run/allow_run_insecure_warnings/no_allow_list.out | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cli/args/mod.rs b/cli/args/mod.rs
index db8cf149e61429..0851dfd6c7789f 100644
--- a/cli/args/mod.rs
+++ b/cli/args/mod.rs
@@ -1705,7 +1705,7 @@ fn warn_insecure_allow_run_flags(flags: &Flags) {
 // discourage using --allow-run without an allow list
 if allow_run_list.is_empty() {
 log::warn!(
- "{} --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)",
+ "{} --allow-run without an allow list is susceptible to exploits. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)",
 colors::yellow("Warning")
 );
 }
diff --git a/tests/specs/permission/deny_run_binary_absolute_path/main.out b/tests/specs/permission/deny_run_binary_absolute_path/main.out
index 7f11e7880d2452..fef29eae75d818 100644
--- a/tests/specs/permission/deny_run_binary_absolute_path/main.out
+++ b/tests/specs/permission/deny_run_binary_absolute_path/main.out
@@ -1,4 +1,4 @@
-Warning --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)
+Warning --allow-run without an allow list is susceptible to exploits. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)
 NotCapable: Requires run access to "deno", run again with the --allow-run flag
 at [WILDCARD] {
 name: "NotCapable"
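Review bot: The reworded `log::warn!` string in `warn_insecure_allow_run_flags` (cli/args/mod.rs) says the flag "is susceptible to exploits" but never says what the exposure is, so the reader must follow the link to learn why it matters. As far as I understand the linked security page, a spawned subprocess is not bound by the permission flags of the parent process, so an unrestricted `--allow-run` effectively removes the other restrictions. I would state that consequence directly, e.g. `"{} --allow-run without an allow list lets the program spawn any executable, and subprocesses are not restricted by Deno's permissions. Prefer specifying an allow list (…)"`. The same literal is pinned verbatim in the expected-output files under tests/, and PATCH 2/2 only updates one such file, so any further wording change has to touch all of them together. The function starts before this hunk and appears to continue after it, so I have not reviewed how `allow_run_list` is built.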
diff --git a/tests/specs/run/allow_run_insecure_warnings/no_allow_list.out b/tests/specs/run/allow_run_insecure_warnings/no_allow_list.out
index 277d0036cbf771..293b4446ade437 100644
--- a/tests/specs/run/allow_run_insecure_warnings/no_allow_list.out
+++ b/tests/specs/run/allow_run_insecure_warnings/no_allow_list.out
@@ -1 +1 @@
-Warning --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)
+Warning --allow-run without an allow list is susceptible to exploits. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)
From 98d7c639b267c209ba443239e95c7d43b88ba993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?=
Date: Tue, 17 Sep 2024 22:48:25 +0200
Subject: [PATCH 2/2] fix
---
 tests/testdata/run/deny_some_permission_args.out | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/testdata/run/deny_some_permission_args.out b/tests/testdata/run/deny_some_permission_args.out
index fe3e57d697e914..be2e832fec4afb 100644
--- a/tests/testdata/run/deny_some_permission_args.out
+++ b/tests/testdata/run/deny_some_permission_args.out
@@ -1,4 +1,4 @@
-Warning --allow-run can be trivially exploited. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)
+Warning --allow-run without an allow list is susceptible to exploits. Prefer specifying an allow list (https://docs.deno.com/runtime/fundamentals/security/#running-subprocesses)
 PermissionStatus { state: "granted", onchange: null, partial: true }
 PermissionStatus { state: "denied", onchange: null }
 PermissionStatus { state: "granted", onchange: null }