feat(unstable): --unstable-unsafe-proto (denoland#21313)
dsherret authored Nov 25, 2023
1 parent 00e4c47 commit a4ec7df
Showing 10 changed files with 55 additions and 45 deletions.
44 changes: 5 additions & 39 deletions cli/args/flags.rs
@@ -844,45 +844,11 @@ pub fn flags_from_vec(args: Vec<String>) -> clap::error::Result<Flags> {
if matches.get_flag("unstable") {
flags.unstable = true;
}
if matches.get_flag("unstable-broadcast-channel") {
flags.unstable_features.push(
deno_runtime::deno_broadcast_channel::UNSTABLE_FEATURE_NAME.to_string(),
);
}
if matches.get_flag("unstable-ffi") {
flags
.unstable_features
.push(deno_runtime::deno_ffi::UNSTABLE_FEATURE_NAME.to_string());
}
if matches.get_flag("unstable-fs") {
flags
.unstable_features
.push(deno_runtime::deno_fs::UNSTABLE_FEATURE_NAME.to_string());
}
if matches.get_flag("unstable-http") {
flags
.unstable_features
.push(deno_runtime::ops::http::UNSTABLE_FEATURE_NAME.to_string());
}
if matches.get_flag("unstable-kv") {
flags
.unstable_features
.push(deno_runtime::deno_kv::UNSTABLE_FEATURE_NAME.to_string());
}
if matches.get_flag("unstable-net") {
flags
.unstable_features
.push(deno_runtime::deno_net::UNSTABLE_FEATURE_NAME.to_string());
}
if matches.get_flag("unstable-worker-options") {
flags
.unstable_features
.push(deno_runtime::ops::worker_host::UNSTABLE_FEATURE_NAME.to_string());
}
if matches.get_flag("unstable-cron") {
flags
.unstable_features
.push(deno_runtime::deno_cron::UNSTABLE_FEATURE_NAME.to_string());

for (name, _, _) in crate::UNSTABLE_GRANULAR_FLAGS {
if matches.get_flag(&format!("unstable-{}", name)) {
flags.unstable_features.push(name.to_string());
}
}

flags.unstable_bare_node_builtins =
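Review bot: The new loop `for (name, _, _) in crate::UNSTABLE_GRANULAR_FLAGS` pushes the table's `name` where the removed code pushed each extension's `UNSTABLE_FEATURE_NAME`, so the two strings now agree by convention only. If one drifts, the flag would still parse but the feature would presumably never be reported as enabled. clap's `get_flag` also panics for an id that was never registered, so the loop relies on the `unstable-*` args being built from the same table, which is outside this hunk. I would add a comment above the loop such as `// names must equal each extension's UNSTABLE_FEATURE_NAME; the unstable-* args are registered from this same table`, or a unit test asserting the equality. The body of `flags_from_vec` continues outside the hunk.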
5 changes: 5 additions & 0 deletions cli/main.rs
@@ -310,6 +310,11 @@ pub(crate) static UNSTABLE_GRANULAR_FLAGS: &[(
"Enable unstable Deno.cron API",
8,
),
(
"unsafe-proto",
"Enable unsafe __proto__ support. This is a security risk.",
9,
),
];

pub(crate) fn unstable_exit_cb(_feature: &str, api_name: &str) {
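Review bot: The id `9` in the new `"unsafe-proto"` entry is matched by a bare literal in `runtime/js/99_main.js` (`ArrayPrototypeIncludes(unstableFeatures, /* unsafe-proto */ 9)`), and nothing visible ties the two together. If the table were renumbered, an unrelated flag that received id 9 could leave `__proto__` in place, so the entry deserves a comment such as `// id 9 is checked literally in runtime/js/99_main.js; keep both in sync`. The help text could also name the risk (prototype pollution through `__proto__`) so users know what they are opting into. The `UNSTABLE_GRANULAR_FLAGS` table starts outside this hunk.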
14 changes: 14 additions & 0 deletions cli/tests/integration/run_tests.rs
@@ -4716,3 +4716,17 @@ itest!(workspaces_nested_member {
http_server: true,
exit_code: 1,
});

itest!(unsafe_proto {
args: "run -A run/unsafe_proto/main.js",
output: "run/unsafe_proto/main.out",
http_server: false,
exit_code: 0,
});

itest!(unsafe_proto_flag {
args: "run -A --unstable-unsafe-proto run/unsafe_proto/main.js",
output: "run/unsafe_proto/main_with_unsafe_proto_flag.out",
http_server: false,
exit_code: 0,
});
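Review bot: The two new cases pin the default and `--unstable-unsafe-proto`, but nothing pins what the blanket `--unstable` flag does to `__proto__`. Whether `feature_checker.check` in `cli/worker.rs` returns true for every feature under `--unstable` is not visible on this page; if it does, the legacy flag would silently keep the accessor. A third `itest!` running the same script with `--unstable` would make the intended behaviour explicit. The sketch below assumes the accessor should still be removed and therefore reuses `main.out`.

```rust
// ... unchanged: unsafe_proto and unsafe_proto_flag cases ...

itest!(unsafe_proto_legacy_unstable {
  args: "run -A --unstable run/unsafe_proto/main.js",
  output: "run/unsafe_proto/main.out",
  http_server: false,
  exit_code: 0,
});
```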
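--- a/cli/tests/testdata/run/unsafe_proto/main.js
+++ b/cli/tests/testdata/run/unsafe_proto/main.js
@@ -0,0 +1,5 @@
+console.log(Object.hasOwn(Object.prototype, "__proto__"));
+
+new Worker(import.meta.resolve("./worker.js"), {
+type: "module",
+});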
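--- a/cli/tests/testdata/run/unsafe_proto/main.out
+++ b/cli/tests/testdata/run/unsafe_proto/main.out
@@ -0,0 +1,2 @@
+false
+false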
@@ -0,0 +1,2 @@
true
true
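--- a/cli/tests/testdata/run/unsafe_proto/worker.js
+++ b/cli/tests/testdata/run/unsafe_proto/worker.js
@@ -0,0 +1,2 @@
+console.log(Object.hasOwn(Object.prototype, "__proto__"));
+close();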
6 changes: 4 additions & 2 deletions cli/worker.rs
@@ -570,7 +570,8 @@ impl CliMainWorkerFactory {
// TODO(bartlomieju): this is cruft, update FeatureChecker to spit out
// list of enabled features.
let feature_checker = shared.feature_checker.clone();
let mut unstable_features = Vec::with_capacity(8);
let mut unstable_features =
Vec::with_capacity(crate::UNSTABLE_GRANULAR_FLAGS.len());
for (feature_name, _, id) in crate::UNSTABLE_GRANULAR_FLAGS {
if feature_checker.check(feature_name) {
unstable_features.push(*id);
@@ -768,7 +769,8 @@ fn create_web_worker_callback(
// TODO(bartlomieju): this is cruft, update FeatureChecker to spit out
// list of enabled features.
let feature_checker = shared.feature_checker.clone();
let mut unstable_features = Vec::with_capacity(8);
let mut unstable_features =
Vec::with_capacity(crate::UNSTABLE_GRANULAR_FLAGS.len());
for (feature_name, _, id) in crate::UNSTABLE_GRANULAR_FLAGS {
if feature_checker.check(feature_name) {
unstable_features.push(*id);
2 changes: 2 additions & 0 deletions runtime/js/90_deno_ns.js
@@ -208,6 +208,8 @@ const denoNsUnstableById = {
8: {
cron: cron.cron,
},
// Unsafe proto
// 9: {},
};

// when editing this list, also update unstableDenoProps in cli/tsc/99_main_compiler.js
18 changes: 14 additions & 4 deletions runtime/js/99_main.js
@@ -1,9 +1,5 @@
// Copyright 2018-2023 the Deno authors. All rights reserved. MIT license.

// Removes the `__proto__` for security reasons.
// https://tc39.es/ecma262/#sec-get-object.prototype.__proto__
delete Object.prototype.__proto__;

// Remove Intl.v8BreakIterator because it is a non-standard API.
delete Intl.v8BreakIterator;

@@ -14,6 +10,7 @@ const primordials = globalThis.__bootstrap.primordials;
const {
ArrayPrototypeFilter,
ArrayPrototypeIndexOf,
ArrayPrototypeIncludes,
ArrayPrototypeMap,
ArrayPrototypePush,
ArrayPrototypeShift,
@@ -570,6 +567,12 @@ function bootstrapMainRuntime(runtimeOptions) {
}
}

if (!ArrayPrototypeIncludes(unstableFeatures, /* unsafe-proto */ 9)) {
// Removes the `__proto__` for security reasons.
// https://tc39.es/ecma262/#sec-get-object.prototype.__proto__
delete Object.prototype.__proto__;
}

// Setup `Deno` global - we're actually overriding already existing global
// `Deno` with `Deno` namespace from "./deno.ts".
ObjectDefineProperty(globalThis, "Deno", util.readOnly(finalDenoNs));
@@ -668,6 +671,13 @@ function bootstrapWorkerRuntime(
ObjectAssign(finalDenoNs, denoNsUnstableById[id]);
}
}

if (!ArrayPrototypeIncludes(unstableFeatures, /* unsafe-proto */ 9)) {
// Removes the `__proto__` for security reasons.
// https://tc39.es/ecma262/#sec-get-object.prototype.__proto__
delete Object.prototype.__proto__;
}

ObjectDefineProperties(finalDenoNs, {
pid: util.getterOnly(opPid),
noColor: util.getterOnly(() => ops.op_bootstrap_no_color()),
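Review bot: Moving `delete Object.prototype.__proto__` from the top of the file into `bootstrapMainRuntime` and `bootstrapWorkerRuntime` means the accessor now exists from module evaluation until bootstrap, and any entry path that reaches neither function keeps it. Nothing visible here shows code running in that window or a third bootstrap path, so this may be harmless, but a short comment stating that assumption would help future maintainers. The identical block also appears twice; a small helper taking `unstableFeatures`, with the id as a named constant such as `const UNSAFE_PROTO_FEATURE_ID = 9;`, would keep the two runtimes from drifting. Both function bodies extend beyond the hunks shown.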
