
Module "guard"


Type aliases

GuardGrant

GuardGrant: Deno.PermissionName | Deno.PermissionDescriptor

A Deno permission name or a full permission descriptor.

See https://github.com/denoland/deno/blob/master/cli/js/lib.deno.unstable.d.ts

Private PermissionDescriptorStatus

PermissionDescriptorStatus: { state: Deno.PermissionState } & Deno.PermissionDescriptor

A permission descriptor merged with its status.

See https://github.com/denoland/deno/blob/master/cli/js/lib.deno.unstable.d.ts

Variables

Const DENIED

DENIED: Deno.PermissionState = "denied"

Const ENV

ENV: Deno.PermissionName = "env"

The "powerful feature" "env" which needs permission.

See:

Note that the definition of PermissionName in the above spec is swapped out for a set of Deno permissions which are not web-compatible.

Const GRANTED

GRANTED: Deno.PermissionState = "granted"

Const HRTIME

HRTIME: Deno.PermissionName = "hrtime"

The "powerful feature" "hrtime" which needs permission.

See:

Note that the definition of PermissionName in the above spec is swapped out for a set of Deno permissions which are not web-compatible.

Private Const HTTP_PROTOCOL

HTTP_PROTOCOL: RegExp = /^https?\:\/\//

Regex for matching HTTP/HTTPS protocols.

Const NET

NET: Deno.PermissionName = "net"

The "powerful feature" "net" which needs permission.

See:

Note that the definition of PermissionName in the above spec is swapped out for a set of Deno permissions which are not web-compatible.

Const PLUGIN

PLUGIN: Deno.PermissionName = "plugin"

The "powerful feature" "plugin" which needs permission.

See:

Note that the definition of PermissionName in the above spec is swapped out for a set of Deno permissions which are not web-compatible.

Const PROMPT

PROMPT: Deno.PermissionState = "prompt"

Const READ

READ: Deno.PermissionName = "read"

The "powerful feature" "read" which needs permission.

See:

Note that the definition of PermissionName in the above spec is swapped out for a set of Deno permissions which are not web-compatible.

Const RUN

RUN: Deno.PermissionName = "run"

The "powerful feature" "run" which needs permission.

See:

Note that the definition of PermissionName in the above spec is swapped out for a set of Deno permissions which are not web-compatible.

Const WRITE

WRITE: Deno.PermissionName = "write"

The "powerful feature" "write" which needs permission.

See:

Note that the definition of PermissionName in the above spec is swapped out for a set of Deno permissions which are not web-compatible.

Private Const permissionNameToFlagMap

permissionNameToFlagMap: Map<Deno.PermissionName, string> = new Map(topLevelPermissions.map(({ name }) => [name, `--allow-${name}`]),)

A map of top-level permissions to their flag.

Private Const permissionsWithAllowlists

permissionsWithAllowlists: Deno.PermissionName[] = [ENV,READ,RUN,NET,WRITE,]

A list of top-level permissions that support an optional allowlist.

Private Const topLevelPermissions

topLevelPermissions: Deno.PermissionDescriptor[] = [{ name: RUN },{ name: READ },{ name: WRITE },{ name: NET },{ name: ENV },{ name: PLUGIN },{ name: HRTIME },]

A list of all top-level permissions as descriptors.

Functions

Private Const getPermissionAllowlist

  • getPermissionAllowlist(__namedParameters?: { command: string; host: string; path: string; url: string; variable: string }): string
  • Returns a permission's allowlist value if it exists, otherwise an empty string ("") is returned.

    Parameters

    • Default value __namedParameters: { command: string; host: string; path: string; url: string; variable: string } = {}
      • command: string
      • host: string
      • path: string
      • url: string
      • variable: string

    Returns string

Private Const getPermissionDescriptorStatus

  • Adds the current grant status to each of the provided permission descriptors.

    Parameters

    • permissionDescriptors: Deno.PermissionDescriptor[]

    Returns Promise<PermissionDescriptorStatus[]>

    The requested permission statuses.

Private Const getUnscopedPermissions

  • getUnscopedPermissions(granted: Deno.PermissionDescriptor[]): Deno.PermissionDescriptor[]
  • Filters the provided permissions to those which support an allowlist but have been left with top-level scope.

    Parameters

    • granted: Deno.PermissionDescriptor[]

    Returns Deno.PermissionDescriptor[]

guard

  • Provides a set of defences for your application.

    This is done by verifying:

    1. No unnecessary permissions have been set at runtime.
    2. Requested / required permissions have been set at runtime.

    Optional configuration parameters for the guard include:

    • granted - a list of Deno permission names or descriptors that should be permitted by the guard. Default: [].
    • exitOnMissing - a flag to determine whether the guard should stop the process when permissions listed in the granted array have not been granted. Default: false.
    • exitOnExtra - a flag to determine whether the guard should stop the process when permissions not listed in the granted array have been granted. Default: true.
    • revoke - a flag to determine whether the guard should revoke top-level permissions not listed in the granted array.
    • log - a flag to determine whether the guard should log any warnings or errors to the console. Default: false.

    If the guard determines to stop the process, the exit code will be 1, i.e. Deno.exit(1).

    As the Deno Permissions API is currently tagged as "unstable", this method only performs the above defences if the process is started with the --unstable flag. Once the API becomes stable, this flag will no longer be required. If the flag is not provided, guard simply returns as a no-op, so it is safe to use the guard in applications that won't be passed the --unstable flag.

    Parameters

    Returns Promise<void>
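
The three checks described above (extra, missing and unscoped permissions), as an added sketch that is not the module's own code. The types are local stand-ins for the Deno.Permission* types, `Query` is a hypothetical synchronous stand-in for the runtime permission query, and matching "extra" grants by name only is an assumption.

```typescript
// Local stand-ins for the Deno.Permission* types so the sketch runs without Deno.
type Name = "run" | "read" | "write" | "net" | "env" | "plugin" | "hrtime";
type State = "granted" | "denied" | "prompt";
interface Descriptor {
  name: Name; command?: string; host?: string; path?: string; url?: string; variable?: string;
}
type Grant = Name | Descriptor; // same shape as GuardGrant
type Query = (d: Descriptor) => State; // hypothetical stand-in for the runtime query

// Values as documented on this page.
const TOP_LEVEL: Name[] = ["run", "read", "write", "net", "env", "plugin", "hrtime"];
const WITH_ALLOWLIST: Name[] = ["env", "read", "run", "net", "write"];

const toDescriptor = (g: Grant): Descriptor => (typeof g === "string" ? { name: g } : g);
const allowlistOf = (d: Descriptor): string =>
  d.command || d.host || d.path || d.url || d.variable || "";
const flagFor = (d: Descriptor): string => {
  const scope = allowlistOf(d);
  return scope ? `--allow-${d.name}=${scope}` : `--allow-${d.name}`;
};

interface Audit { extra: string[]; missing: string[]; unscoped: string[]; }
function auditPermissions(granted: Grant[], query: Query): Audit {
  const wanted = granted.map(toDescriptor);
  const listed = (n: Name): boolean => wanted.some((d) => d.name === n);
  return {
    // Granted at runtime but never listed (assumption: matched by name only).
    extra: TOP_LEVEL.filter((n) => query({ name: n }) === "granted" && !listed(n))
      .map((n) => flagFor({ name: n })),
    // Listed, but the runtime has not granted it.
    missing: wanted.filter((d) => query(d) !== "granted").map(flagFor),
    // Listed with top-level scope although an allowlist could narrow it.
    unscoped: wanted
      .filter((d) => WITH_ALLOWLIST.indexOf(d.name) !== -1 && allowlistOf(d) === "")
      .map(flagFor),
  };
}

// Constructed runtime: behaves as if the process was started with
//   --allow-net --allow-env --allow-read=/srv/data
const constructedQuery: Query = (d) => {
  if (d.name === "net" || d.name === "env") return "granted";
  if (d.name === "read" && d.path === "/srv/data") return "granted";
  return "prompt";
};
const constructedGrants: Grant[] = [
  "net", { name: "read", path: "/srv/data" }, { name: "write", path: "/srv/out" },
];
console.log(auditPermissions(constructedGrants, constructedQuery));
```

In guard's terms, a non-empty extra list is what exitOnExtra and revoke act on, a non-empty missing list is what exitOnMissing acts on, and the unscoped list is what the logged allowlist recommendations cover.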

Private Const handleMissingGrantedPermissions

Private Const handleUngrantedTopLevelPermissions

Private Const handleUnscopedPermissions

  • handleUnscopedPermissions(permissions: Deno.PermissionDescriptor[]): void
  • Handles the optional logging of recommendations when a top-level permission has been requested that supports allowlisting.

    Parameters

    • permissions: Deno.PermissionDescriptor[]

    Returns void
