denoland / deno

A modern runtime for JavaScript and TypeScript.
https://deno.com
MIT License

Proposal: `Deno.spawnDeno` #13041

Open crowlKats opened 2 years ago

crowlKats commented 2 years ago

Relies on #11618.

This proposal proposes a function that would allow spawning a "sandboxed" deno subprocess. This function would not require the allow-run function. Permissions would work the same way as they do for WebWorkers. This would be equivalent to node's child_process.fork, while keeping Deno's security.

The first pass of this proposal would only allow for deno run to be spawned, to keep things simple. This can later be expanded to allow spawning various other subcommands.

```ts
interface SpawnDenoOptions {
  /** Arguments that will be passed to the script. */
  scriptArgs?: string[],
  permissions?: "inherit" | "none" | {
    env?: "inherit" | boolean | string[];
    hrtime?: "inherit" | boolean;
    net?: "inherit" | boolean | string[];
    ffi?: "inherit" | boolean | Array<string | URL>;
    read?: "inherit" | boolean | Array<string | URL>;
    run?: "inherit" | boolean | Array<string | URL>;
    write?: "inherit" | boolean | Array<string | URL>;
  },
  compat?: boolean,
  /** Requires the unstable flag to be set to use */
  unstable?: boolean,
  logLevel?: "debug" | "info",
  quiet?: boolean,
  inheritLocation?: boolean,
  noRemote?: boolean,
  cachedOnly?: boolean,
  noCheck?: boolean,
  seed?: number,
  watch?: boolean,
}

function spawnDeno(script: string | URL, options?: SpawnDenoOptions): Command;
```

Currently, with this set of options, the permissions can be escalated beyond what the parent process has access to with Deno.permissions.request, so I propose to add a no-permission-request flag, which would disallow the usage of Deno.permissions.request.
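The security-relevant core of the proposal is the mapping from the `permissions` object to the flags the child `deno run` is started with, together with the WebWorker rule that a child can never hold more than its parent. The following is an added illustration of that mapping, not Deno's implementation and not code from this issue: the parent's effective grants are supplied by the caller, `"inherit"` is resolved against them, any request that would widen a grant is rejected, and the `--no-permission-request` flag is the one this comment proposes (an assumed name, not an existing Deno CLI flag).

```typescript
// Illustrative only: builds the `deno run` argument list for a sandboxed child
// from a SpawnDenoOptions-style permissions value, enforcing that the child's
// grants are a subset of the parent's (the WebWorker model the issue refers to).

type Grant = "inherit" | boolean | string[];

interface ChildPermissions {
  env?: Grant;
  hrtime?: "inherit" | boolean;
  net?: Grant;
  ffi?: Grant;
  read?: Grant;
  run?: Grant;
  write?: Grant;
}

type PermName = keyof ChildPermissions;

// The parent's effective grants, supplied by the caller for this example:
// `true` = unrestricted, `string[]` = allow-list, `false` = denied.
type ParentPermissions = Record<PermName, boolean | string[]>;

const PERM_NAMES: PermName[] = ["env", "hrtime", "net", "ffi", "read", "run", "write"];

// True when `child` grants no more than `parent` does.
function isSubset(child: boolean | string[], parent: boolean | string[]): boolean {
  if (parent === true) return true;             // parent unrestricted: anything goes
  if (parent === false) return child === false; // parent denied: child must be denied
  if (child === true) return false;             // parent has an allow-list, child wants all
  if (child === false) return true;
  return child.every((item) => parent.includes(item));
}

// Renders one effective grant as a `deno run` flag; null means "no flag" (denied).
function flagFor(name: PermName, grant: boolean | string[]): string | null {
  if (grant === false) return null;
  if (grant === true) return `--allow-${name}`;
  if (grant.length === 0) return null;          // empty allow-list grants nothing
  return `--allow-${name}=${grant.join(",")}`;
}

function buildDenoRunArgs(
  script: string,
  permissions: "inherit" | "none" | ChildPermissions,
  parent: ParentPermissions,
  scriptArgs: string[] = [],
): string[] {
  const args = ["run"];
  if (permissions !== "none") {
    for (const name of PERM_NAMES) {
      // Anything not mentioned is denied, the safe default.
      const requested: Grant = permissions === "inherit" ? "inherit" : permissions[name] ?? false;
      const effective = requested === "inherit" ? parent[name] : requested;
      if (!isSubset(effective, parent[name])) {
        throw new Error(`child would escalate '${name}' beyond the parent's grant`);
      }
      const flag = flagFor(name, effective);
      if (flag !== null) args.push(flag);
    }
  }
  // The flag this comment proposes so the child cannot widen its own grants
  // through Deno.permissions.request. Assumed name for illustration only.
  args.push("--no-permission-request");
  args.push(script, ...scriptArgs);
  return args;
}

// Constructed example: parent may reach one host and read one directory.
const exampleParent: ParentPermissions = {
  env: true, hrtime: true, net: ["example.com"], ffi: false,
  read: ["/tmp"], run: false, write: false,
};
console.log(buildDenoRunArgs("child.ts", { net: ["example.com"], read: "inherit" }, exampleParent, ["--flag"]));
```

The subset check is what makes `"inherit"` safe: resolving it against the parent's own grant means the child can at most mirror the parent, and an explicit request such as `{ net: true }` under a parent limited to an allow-list is refused before any process is started rather than left for the child to bargain for at runtime.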

caspervonb commented 2 years ago

SGTM!

Had plenty of cases in the wild where this would be useful. For example: std/wasi's integration tests can make use of this, they spawn a Deno instance per test.

rednnnno commented 2 months ago

Couldn't this just be added to ForkOptions in the current .fork implementation?

To note, r/n Deno's .fork forces the -A option so you need to use .spawn instead to be able to use permissions...

Though frankly, I'd prefer a more concise sandbox, if at all possible, that wouldn't spawn a new process.