Deny reading .env

2025-12-06 11:29:46 +00:00 · 2024-11-07 13:32:53 -06:00 · 2024-11-07 13:32:53 -06:00 · 459adadd4c
commit 459adadd4c
parent 6fae72b4cf
2 changed files with 24 additions and 25 deletions
--- a/deno.json
+++ b/deno.json
@ -1,26 +1,26 @@
 {
  "version": "1.1.0",
  "tasks": {
-    "start": "deno run -A --env-file src/server.ts",
-    "dev": "deno run -A --env-file --watch src/server.ts",
+    "start": "deno run -A --env-file --deny-read=.env src/server.ts",
+    "dev": "deno run -A --env-file --deny-read=.env --watch src/server.ts",
    "hook": "deno run --allow-read --allow-run --allow-write https://deno.land/x/deno_hooks@0.1.1/mod.ts",
-    "db:export": "deno run -A --env-file scripts/db-export.ts",
-    "db:import": "deno run -A --env-file scripts/db-import.ts",
-    "db:migrate": "deno run -A --env-file scripts/db-migrate.ts",
-    "nostr:pull": "deno run -A --env-file scripts/nostr-pull.ts",
-    "debug": "deno run -A --env-file --inspect src/server.ts",
-    "test": "deno test -A --env-file=.env.test --junit-path=./deno-test.xml",
+    "db:export": "deno run -A --env-file --deny-read=.env scripts/db-export.ts",
+    "db:import": "deno run -A --env-file --deny-read=.env scripts/db-import.ts",
+    "db:migrate": "deno run -A --env-file --deny-read=.env scripts/db-migrate.ts",
+    "nostr:pull": "deno run -A --env-file --deny-read=.env scripts/nostr-pull.ts",
+    "debug": "deno run -A --env-file --deny-read=.env --inspect src/server.ts",
+    "test": "deno test -A --env-file --deny-read=.env=.env.test --junit-path=./deno-test.xml",
    "check": "deno check --allow-import src/server.ts",
    "nsec": "deno run scripts/nsec.ts",
-    "admin:event": "deno run -A --env-file scripts/admin-event.ts",
-    "admin:role": "deno run -A --env-file scripts/admin-role.ts",
-    "setup": "deno run -A --env-file scripts/setup.ts",
-    "setup:kind0": "deno run -A --env-file scripts/setup-kind0.ts",
-    "stats:recompute": "deno run -A --env-file scripts/stats-recompute.ts",
+    "admin:event": "deno run -A --env-file --deny-read=.env scripts/admin-event.ts",
+    "admin:role": "deno run -A --env-file --deny-read=.env scripts/admin-role.ts",
+    "setup": "deno run -A --env-file --deny-read=.env scripts/setup.ts",
+    "setup:kind0": "deno run -A --env-file --deny-read=.env scripts/setup-kind0.ts",
+    "stats:recompute": "deno run -A --env-file --deny-read=.env scripts/stats-recompute.ts",
    "soapbox": "curl -O https://dl.soapbox.pub/main/soapbox.zip && mkdir -p public && mv soapbox.zip public/ && cd public/ && unzip -o soapbox.zip && rm soapbox.zip",
-    "trends": "deno run -A --env-file scripts/trends.ts",
+    "trends": "deno run -A --env-file --deny-read=.env scripts/trends.ts",
    "clean:deps": "deno cache --reload src/app.ts",
-    "db:populate-search": "deno run -A --env-file scripts/db-populate-search.ts",
+    "db:populate-search": "deno run -A --env-file --deny-read=.env scripts/db-populate-search.ts",
    "vapid": "deno run scripts/vapid.ts"
  },
  "unstable": [
--- a/src/workers/policy.ts
+++ b/src/workers/policy.ts
@ -21,16 +21,15 @@ class PolicyWorker implements NPolicy {
        {
          type: 'module',
          name: 'PolicyWorker',
-          // FIXME: Disabled until Deno 2.0 adds support for `import` permission here.
-          // https://github.com/denoland/deno/issues/26074
-          // deno: {
-          //   permissions: {
-          //     read: [Conf.denoDir, Conf.policy, Conf.dataDir],
-          //     write: [Conf.dataDir],
-          //     net: 'inherit',
-          //     env: false,
-          //   },
-          // },
+          deno: {
+            permissions: {
+              read: [Conf.denoDir, Conf.policy, Conf.dataDir],
+              write: [Conf.dataDir],
+              net: 'inherit',
+              env: false,
+              import: true,
+            },
+          },
        },
      ),
    );