Merge branch 'deny-read-env' into 'main'

Deny reading .env

See merge request soapbox-pub/ditto!583

deno.json

@@ -1,26 +1,26 @@
 {
   "version": "1.1.0",
   "tasks": {
-    "start": "deno run -A --env-file src/server.ts",
+    "start": "deno run -A --env-file --deny-read=.env src/server.ts",
-    "dev": "deno run -A --env-file --watch src/server.ts",
+    "dev": "deno run -A --env-file --deny-read=.env --watch src/server.ts",
     "hook": "deno run --allow-read --allow-run --allow-write https://deno.land/x/deno_hooks@0.1.1/mod.ts",
-    "db:export": "deno run -A --env-file scripts/db-export.ts",
+    "db:export": "deno run -A --env-file --deny-read=.env scripts/db-export.ts",
-    "db:import": "deno run -A --env-file scripts/db-import.ts",
+    "db:import": "deno run -A --env-file --deny-read=.env scripts/db-import.ts",
-    "db:migrate": "deno run -A --env-file scripts/db-migrate.ts",
+    "db:migrate": "deno run -A --env-file --deny-read=.env scripts/db-migrate.ts",
-    "nostr:pull": "deno run -A --env-file scripts/nostr-pull.ts",
+    "nostr:pull": "deno run -A --env-file --deny-read=.env scripts/nostr-pull.ts",
-    "debug": "deno run -A --env-file --inspect src/server.ts",
+    "debug": "deno run -A --env-file --deny-read=.env --inspect src/server.ts",
-    "test": "deno test -A --env-file=.env.test --junit-path=./deno-test.xml",
+    "test": "deno test -A --env-file --deny-read=.env=.env.test --junit-path=./deno-test.xml",
     "check": "deno check --allow-import src/server.ts",
     "nsec": "deno run scripts/nsec.ts",
-    "admin:event": "deno run -A --env-file scripts/admin-event.ts",
+    "admin:event": "deno run -A --env-file --deny-read=.env scripts/admin-event.ts",
-    "admin:role": "deno run -A --env-file scripts/admin-role.ts",
+    "admin:role": "deno run -A --env-file --deny-read=.env scripts/admin-role.ts",
-    "setup": "deno run -A --env-file scripts/setup.ts",
+    "setup": "deno run -A --env-file --deny-read=.env scripts/setup.ts",
-    "setup:kind0": "deno run -A --env-file scripts/setup-kind0.ts",
+    "setup:kind0": "deno run -A --env-file --deny-read=.env scripts/setup-kind0.ts",
-    "stats:recompute": "deno run -A --env-file scripts/stats-recompute.ts",
+    "stats:recompute": "deno run -A --env-file --deny-read=.env scripts/stats-recompute.ts",
     "soapbox": "curl -O https://dl.soapbox.pub/main/soapbox.zip && mkdir -p public && mv soapbox.zip public/ && cd public/ && unzip -o soapbox.zip && rm soapbox.zip",
-    "trends": "deno run -A --env-file scripts/trends.ts",
+    "trends": "deno run -A --env-file --deny-read=.env scripts/trends.ts",
     "clean:deps": "deno cache --reload src/app.ts",
-    "db:populate-search": "deno run -A --env-file scripts/db-populate-search.ts",
+    "db:populate-search": "deno run -A --env-file --deny-read=.env scripts/db-populate-search.ts",
     "vapid": "deno run scripts/vapid.ts"
   },
   "unstable": [

src/workers/policy.ts

@@ -21,16 +21,15 @@ class PolicyWorker implements NPolicy {
         {
           type: 'module',
           name: 'PolicyWorker',
-          // FIXME: Disabled until Deno 2.0 adds support for `import` permission here.
+          deno: {
-          // https://github.com/denoland/deno/issues/26074
+            permissions: {
-          // deno: {
+              read: [Conf.denoDir, Conf.policy, Conf.dataDir],
-          //   permissions: {
+              write: [Conf.dataDir],
-          //     read: [Conf.denoDir, Conf.policy, Conf.dataDir],
+              net: 'inherit',
-          //     write: [Conf.dataDir],
+              env: false,
-          //     net: 'inherit',
+              import: true,
-          //     env: false,
+            },
-          //   },
+          },
-          // },
         },
       ),
     );