author | Bartek IwaĆczuk <biwanczuk@gmail.com> | 2020-05-02 15:51:08 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-02 15:51:08 +0200 |
commit | 2872b362ff76273d897d75bb8a3ddd5510c182f4 (patch) | |
tree | 7b1061aacca70eec34be3e307719f5113d932b57 /cli/state.rs | |
parent | de2c042482741dc23f7d975458a1fba95863de53 (diff) |
BREAKING: disallow static import of local modules from remote modules (#5050)
This commit changes the module loading logic to disallow static imports of
local modules (file:// scheme) from remote modules (http://, https://
schemes).
Diffstat (limited to 'cli/state.rs')
-rw-r--r-- | cli/state.rs | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/cli/state.rs b/cli/state.rs
index 8003ea732..6cc915738 100644
--- a/cli/state.rs
+++ b/cli/state.rs
@@ -287,6 +287,24 @@ impl ModuleLoader for State {
 if let Err(e) = self.check_dyn_import(&module_specifier) {
 return async move { Err(e.into()) }.boxed_local();
 }
+ } else {
+ // Verify that remote file doesn't try to statically import local file.
+ if let Some(referrer) = maybe_referrer.as_ref() {
+ let referrer_url = referrer.as_url();
+ match referrer_url.scheme() {
+ "http" | "https" => {
+ let specifier_url = module_specifier.as_url();
+ match specifier_url.scheme() {
+ "http" | "https" => {}
+ _ => {
+ let e = OpError::permission_denied("Remote module are not allowed to statically import local modules. Use dynamic import instead.".to_string());
+ return async move { Err(e.into()) }.boxed_local();
+ }
+ }
+ }
+ _ => {}
+ }
+ }
 }
 
 let mut state = self.borrow_mut(); |
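Review bot: The outer `match referrer_url.scheme()` fails open: its `_ => {}` arm treats every referrer whose scheme is not `http`/`https` as local, so any other non-local scheme the loader accepts, now or later, would skip this check, while the inner match correctly denies by default. Exempting only local referrers, i.e. `"file" => {}` with the specifier check moved under `_ =>`, would keep both sides deny-by-default; whether other schemes can reach this point is not visible in the hunk and should be confirmed. The denial message also reads "Remote module are" and names neither URL, so something like `format!("Remote modules are not allowed to statically import local modules ({} from {}). Use dynamic import instead.", specifier_url, referrer_url)` would make a blocked import easier to trace. The enclosing method starts and ends outside the hunk.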