feat: add --ignore-env=...

cli/args/flags.rs

@@ -813,6 +813,7 @@ pub struct PermissionFlags {
   pub allow_all: bool,
   pub allow_env: Option<Vec<String>>,
   pub deny_env: Option<Vec<String>>,
+  pub ignore_env: Option<Vec<String>>,
   pub allow_ffi: Option<Vec<String>>,
   pub deny_ffi: Option<Vec<String>>,
   pub allow_net: Option<Vec<String>>,
@@ -835,6 +836,7 @@ impl PermissionFlags {
     self.allow_all
       || self.allow_env.is_some()
       || self.deny_env.is_some()
+      || self.ignore_env.is_some()
       || self.allow_ffi.is_some()
       || self.deny_ffi.is_some()
       || self.allow_net.is_some()
@@ -973,6 +975,17 @@ impl Flags {
       _ => {}
     }
 
+    match &self.permissions.ignore_env {
+      Some(env_ignorelist) if env_ignorelist.is_empty() => {
+        args.push("--ignore-env".to_string());
+      }
+      Some(env_ignorelist) => {
+        let s = format!("--ignore-env={}", env_ignorelist.join(","));
+        args.push(s);
+      }
+      _ => {}
+    }
+
     match &self.permissions.allow_run {
       Some(run_allowlist) if run_allowlist.is_empty() => {
         args.push("--allow-run".to_string());
@@ -4151,6 +4164,30 @@ fn compile_args_without_check_args(app: Command) -> Command {
 }
 
 fn permission_args(app: Command, requires: Option<&'static str>) -> Command {
+  let make_deny_ignore_env_arg = |arg: Arg| {
+    let mut arg = arg
+      .num_args(0..)
+      .use_value_delimiter(true)
+      .require_equals(true)
+      .value_name("VARIABLE_NAME")
+      .long_help("false")
+      .value_parser(|key: &str| {
+        if key.is_empty() || key.contains(&['=', '\0'] as &[char]) {
+          return Err(format!("invalid key \"{key}\""));
+        }
+
+        Ok(if cfg!(windows) {
+          key.to_uppercase()
+        } else {
+          key.to_string()
+        })
+      })
+      .hide(true);
+    if let Some(requires) = requires {
+      arg = arg.requires(requires)
+    }
+    arg
+  };
   app
     .after_help(cstr!(r#"<y>Permission options:</>
 <y>Docs</>: <c>https://docs.deno.com/go/permissions</>
@@ -4355,33 +4392,8 @@ fn permission_args(app: Command, requires: Option<&'static str>) -> Command {
         arg
       }
     )
-    .arg(
-      {
-        let mut arg = Arg::new("deny-env")
-          .long("deny-env")
-          .num_args(0..)
-          .use_value_delimiter(true)
-          .require_equals(true)
-          .value_name("VARIABLE_NAME")
-          .long_help("false")
-          .value_parser(|key: &str| {
-            if key.is_empty() || key.contains(&['=', '\0'] as &[char]) {
-              return Err(format!("invalid key \"{key}\""));
-            }
-
-            Ok(if cfg!(windows) {
-              key.to_uppercase()
-            } else {
-              key.to_string()
-            })
-          })
-          .hide(true);
-        if let Some(requires) = requires {
-          arg = arg.requires(requires)
-        }
-        arg
-      }
-    )
+    .arg(make_deny_ignore_env_arg(Arg::new("deny-env").long("deny-env")))
+    .arg(make_deny_ignore_env_arg(Arg::new("ignore-env").long("ignore-env")))
     .arg(
       {
         let mut arg = Arg::new("allow-sys")
@@ -6612,6 +6624,11 @@ fn permission_args_parse(
     debug!("env denylist: {:#?}", &flags.permissions.deny_env);
   }
 
+  if let Some(env_wl) = matches.remove_many::<String>("ignore-env") {
+    flags.permissions.ignore_env = Some(env_wl.collect());
+    debug!("env ignorelist: {:#?}", &flags.permissions.ignore_env);
+  }
+
   if let Some(run_wl) = matches.remove_many::<String>("allow-run") {
     flags.permissions.allow_run = Some(run_wl.collect());
     debug!("run allowlist: {:#?}", &flags.permissions.allow_run);
@@ -9196,6 +9213,26 @@ mod tests {
     );
   }
 
+  #[test]
+  fn ignore_env_ignorelist() {
+    let r =
+      flags_from_vec(svec!["deno", "run", "--ignore-env=HOME", "script.ts"]);
+    assert_eq!(
+      r.unwrap(),
+      Flags {
+        subcommand: DenoSubcommand::Run(RunFlags::new_default(
+          "script.ts".to_string(),
+        )),
+        permissions: PermissionFlags {
+          ignore_env: Some(svec!["HOME"]),
+          ..Default::default()
+        },
+        code_cache_enabled: true,
+        ..Flags::default()
+      }
+    );
+  }
+
   #[test]
   fn allow_env_allowlist_multiple() {
     let r = flags_from_vec(svec![
@@ -9240,6 +9277,30 @@ mod tests {
     );
   }
 
+  #[test]
+  fn deny_env_ignorelist_multiple() {
+    let r = flags_from_vec(svec![
+      "deno",
+      "run",
+      "--ignore-env=HOME,PATH",
+      "script.ts"
+    ]);
+    assert_eq!(
+      r.unwrap(),
+      Flags {
+        subcommand: DenoSubcommand::Run(RunFlags::new_default(
+          "script.ts".to_string(),
+        )),
+        permissions: PermissionFlags {
+          ignore_env: Some(svec!["HOME", "PATH"]),
+          ..Default::default()
+        },
+        code_cache_enabled: true,
+        ..Flags::default()
+      }
+    );
+  }
+
   #[test]
   fn allow_env_allowlist_validator() {
     let r =

cli/args/mod.rs

@@ -1606,32 +1606,37 @@ fn flags_to_permissions_options(
     }
     None => value.to_string(),
   };
-  let no_op = |value: &str| value.to_string();
+  let identity = |value: &str| value.to_string();
 
   Ok(PermissionsOptions {
     allow_env: handle_allow(
       flags.allow_all,
       config.and_then(|c| c.permissions.all),
       flags.allow_env.as_ref(),
       config.and_then(|c| c.permissions.env.allow.as_ref()),
-      &no_op,
+      &identity,
     ),
     deny_env: handle_deny(
       flags.deny_env.as_ref(),
       config.and_then(|c| c.permissions.env.deny.as_ref()),
-      &no_op,
+      &identity,
+    ),
+    ignore_env: handle_deny(
+      flags.ignore_env.as_ref(),
+      config.and_then(|c| c.permissions.env.ignore.as_ref()),
+      &identity,
     ),
     allow_net: handle_allow(
       flags.allow_all,
       config.and_then(|c| c.permissions.all),
       flags.allow_net.as_ref(),
       config.and_then(|c| c.permissions.net.allow.as_ref()),
-      &no_op,
+      &identity,
     ),
     deny_net: handle_deny(
       flags.deny_net.as_ref(),
       config.and_then(|c| c.permissions.net.deny.as_ref()),
-      &no_op,
+      &identity,
     ),
     allow_ffi: handle_allow(
       flags.allow_all,
@@ -1674,12 +1679,12 @@ fn flags_to_permissions_options(
       config.and_then(|c| c.permissions.all),
       flags.allow_sys.as_ref(),
       config.and_then(|c| c.permissions.sys.allow.as_ref()),
-      &no_op,
+      &identity,
     ),
     deny_sys: handle_deny(
       flags.deny_sys.as_ref(),
       config.and_then(|c| c.permissions.sys.deny.as_ref()),
-      &no_op,
+      &identity,
     ),
     allow_write: handle_allow(
       flags.allow_all,
@@ -1698,19 +1703,20 @@ fn flags_to_permissions_options(
       config.and_then(|c| c.permissions.all),
       flags.allow_import.as_ref(),
       config.and_then(|c| c.permissions.import.allow.as_ref()),
-      &no_op,
+      &identity,
     ),
     deny_import: handle_deny(
       flags.deny_import.as_ref(),
       config.and_then(|c| c.permissions.import.deny.as_ref()),
-      &no_op,
+      &identity,
     ),
     prompt: !resolve_no_prompt(flags),
   })
 }
 
 #[cfg(test)]
 mod test {
+  use deno_config::deno_json::AllowDenyIgnorePermissionConfig;
   use deno_config::deno_json::AllowDenyPermissionConfig;
   use deno_config::deno_json::PermissionsObject;
   use pretty_assertions::assert_eq;
@@ -1823,13 +1829,16 @@ mod test {
               "example.com".to_string(),
             ])),
           },
-          env: AllowDenyPermissionConfig {
+          env: AllowDenyIgnorePermissionConfig {
             allow: Some(PermissionConfigValue::Some(vec![
               "env-allow".to_string(),
             ])),
             deny: Some(PermissionConfigValue::Some(vec![
               "env-deny".to_string(),
             ])),
+            ignore: Some(PermissionConfigValue::Some(vec![
+              "env-ignore".to_string(),
+            ])),
           },
           net: AllowDenyPermissionConfig {
             allow: Some(PermissionConfigValue::Some(vec![
@@ -1874,6 +1883,7 @@ mod test {
         PermissionsOptions {
           allow_env: Some(vec!["env-allow".to_string()]),
           deny_env: Some(vec!["env-deny".to_string()]),
+          ignore_env: Some(vec!["env-ignore".to_string()]),
           allow_net: Some(vec!["net-allow".to_string()]),
           deny_net: Some(vec!["net-deny".to_string()]),
           allow_ffi: Some(vec![
@@ -1973,6 +1983,7 @@ mod test {
         PermissionsOptions {
           allow_env: Some(vec![]),
           deny_env: None,
+          ignore_env: None,
           allow_net: Some(vec![]),
           deny_net: None,
           allow_ffi: Some(vec![]),

cli/schemas/config-file.v1.json

@@ -16,6 +16,17 @@
         "items": { "type": "string" }
       }]
     },
+    "allowDenyIgnorePermissionConfig": {
+      "allOf": [
+        { "$ref": "#/$defs/allowDenyPermissionConfig" },
+        {
+          "type": "object",
+          "properties": {
+            "ignore": { "$ref": "#/$defs/permissionConfigValue" }
+          }
+        }
+      ]
+    },
     "allowDenyPermissionConfig": {
       "type": "object",
       "description": "Object form to allow and/or deny permissions.",