Add denyNet option

Author: andreterron

src/DenoWorker.spec.ts

@@ -18,6 +18,8 @@ describe('DenoWorker', () => {
     const pingScript = readFileSync(pingFile, { encoding: 'utf-8' });
     const infiniteFile = path.resolve(__dirname, './test/infinite.js');
     const infiniteScript = readFileSync(infiniteFile, { encoding: 'utf-8' });
+    const fetchFile = path.resolve(__dirname, './test/fetch.js');
+    const fetchScript = readFileSync(fetchFile, { encoding: 'utf-8' });
     const failFile = path.resolve(__dirname, './test/fail.js');
     const failScript = readFileSync(failFile, { encoding: 'utf-8' });
     const envFile = path.resolve(__dirname, './test/env.js');
@@ -127,6 +129,38 @@ describe('DenoWorker', () => {
             });
         });
 
+        it('should be able to specify network addresses to block', async () => {
+            const host = `example.com`;
+
+            worker = new DenoWorker(fetchScript, {
+                permissions: {
+                    allowNet: true,
+                    denyNet: [host],
+                },
+            });
+
+            let ret: any;
+            let resolve: any;
+            let promise = new Promise((res, rej) => {
+                resolve = res;
+            });
+            worker.onmessage = (e) => {
+                ret = e.data;
+                resolve();
+            };
+
+            worker.postMessage({
+                type: 'fetch',
+                url: `https://${host}`,
+            });
+
+            await promise;
+
+            expect(ret).toMatchObject({
+                type: 'error',
+            });
+        });
+
         it('should call onexit when the script fails', async () => {
             worker = new DenoWorker(failScript);
 

src/DenoWorker.ts

@@ -103,6 +103,14 @@ export interface DenoWorkerOptions {
          */
         allowNet?: boolean | string[];
 
+        /**
+         * Disable network access to provided IP addresses or hostnames. Any addresses
+         * specified here will be denied access, even if they are specified in
+         * `allowNet`. Note that deno-vm needs a network connection between the host
+         * and the guest, so it's not possible to fully disable network access.
+         */
+        denyNet?: string[];
+
         /**
          * Whether to allow reading from the filesystem.
          * If given a list of strings then only the specified file paths are allowed.
@@ -331,6 +339,16 @@ export class DenoWorker {
                               ]
                             : [allowAddress]
                     );
+                    // Ensures the `allowAddress` isn't denied
+                    const deniedAddresses = this._options.permissions.denyNet?.filter(
+                        (address) => address !== allowAddress
+                    );
+                    addOption(
+                        runArgs,
+                        '--deny-net',
+                        // Ensures an empty array isn't used
+                        deniedAddresses?.length ? deniedAddresses : false
+                    );
                     addOption(
                         runArgs,
                         '--allow-read',

src/test/fetch.js

@@ -0,0 +1,9 @@
+self.onmessage = async (e) => {
+    if (e.data.type === 'fetch') {
+        // NOTE: Don't fetch within tests unless an error is expected
+        await fetch(e.data.url).then(
+            (r) => self.postMessage({ type: 'response', status: r.status }),
+            (e) => self.postMessage({ type: 'error', error: e.message })
+        );
+    }
+};