From bb57223734e8af46ea8ed27c2274a19a1188789c Mon Sep 17 00:00:00 2001
From: Nick Vatamaniuc <vatamane@gmail.com>
Date: Thu, 2 Mar 2023 15:30:10 -0500
Subject: Restrict Deno to write to stdout only, read stdin and main.js only.

---
 dev/run | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev/run b/dev/run
index a0dd5b380..1c77b0d77 100755
--- a/dev/run
+++ b/dev/run
@@ -610,8 +610,8 @@ def set_boot_env(ctx):
     qs_javascript = toposixpath("%s %s" % (couchjs, mainjs))
     qs_coffescript = toposixpath("%s %s" % (couchjs, coffeejs))
 
-    qs_deno = toposixpath("%s %s" % ("deno run --allow-write", denojs))
-
+    deno_cmd = f"deno run --allow-write=- --allow-read=-,{denojs}"
+    qs_deno = toposixpath("%s %s" % (deno_cmd, denojs))
     os.environ["COUCHDB_QUERY_SERVER_JAVASCRIPT"] = qs_javascript
     os.environ["COUCHDB_QUERY_SERVER_COFFEESCRIPT"] = qs_coffescript
 
-- 
cgit v1.2.1