author | Bartek Iwańczuk <biwanczuk@gmail.com> | 2020-05-11 13:13:27 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-11 13:13:27 +0200 |
commit | 32aeec9630dc91162f0408b95dd86e1c26e4c1d3 (patch) | |
tree | f93d8e6b665df0c3054dba56973712412916493e /docs/runtime | |
parent | 0d148c6e80583dfe029d5362f61b92334a22341a (diff) |
refactor: check permissions in SourceFileFetcher (#5011)
This PR hot-fixes permission escapes in dynamic imports, workers
and runtime compiler APIs.
"permissions" parameter was added to public APIs of SourceFileFetcher
and appropriate permission checks are performed during loading of
local and remote files.
Diffstat (limited to 'docs/runtime')
-rw-r--r-- | docs/runtime/compiler_apis.md | 18 | ||||
-rw-r--r-- | docs/runtime/workers.md | 43 |
2 files changed, 54 insertions, 7 deletions
diff --git a/docs/runtime/compiler_apis.md b/docs/runtime/compiler_apis.md index 3a06b0b4a..30d583331 100644 --- a/docs/runtime/compiler_apis.md +++ b/docs/runtime/compiler_apis.md @@ -15,9 +15,11 @@ fully qualified module name, and the value is the text source of the module. If `sources` is passed, Deno will resolve all the modules from within that hash and not attempt to resolve them outside of Deno. If `sources` are not provided, Deno will resolve modules as if the root module had been passed on the command line. -Deno will also cache any of these resources. The `options` argument is a set of -options of type `Deno.CompilerOptions`, which is a subset of the TypeScript -compiler options containing the ones supported by Deno. +Deno will also cache any of these resources. All resolved resources are treated +as dynamic imports and require read or net permissions depending if they're +local or remote. The `options` argument is a set of options of type +`Deno.CompilerOptions`, which is a subset of the TypeScript compiler options +containing the ones supported by Deno. The method resolves with a tuple. The first argument contains any diagnostics (syntax or type errors) related to the code. The second argument is a map where 
@@ -63,10 +65,12 @@ The `sources` is a hash where the key is the fully qualified module name, and the value is the text source of the module. If `sources` is passed, Deno will resolve all the modules from within that hash and not attempt to resolve them outside of Deno. If `sources` are not provided, Deno will resolve modules as if -the root module had been passed on the command line. Deno will also cache any of -these resources. The `options` argument is a set of options of type -`Deno.CompilerOptions`, which is a subset of the TypeScript compiler options -containing the ones supported by Deno. +the root module had been passed on the command line. All resolved resources are +treated as dynamic imports and require read or net permissions depending if +they're local or remote. Deno will also cache any of these resources. The +`options` argument is a set of options of type `Deno.CompilerOptions`, which is +a subset of the TypeScript compiler options containing the ones supported by +Deno. An example of providing sources: diff --git a/docs/runtime/workers.md b/docs/runtime/workers.md index 3c39d2cee..16099a35b 100644 --- a/docs/runtime/workers.md +++ b/docs/runtime/workers.md 
@@ -18,6 +18,49 @@ new Worker("./worker.js"); new Worker("./worker.js", { type: "classic" }); ``` +### Permissions + +Creating a new `Worker` instance is similar to a dynamic import; therefore Deno +requires appropriate permission for this action. + +For workers using local modules; `--allow-read` permission is required: + +```ts +// main.ts +new Worker("./worker.ts", { type: "module" }); + +// worker.ts +console.log("hello world"); +self.close(); +``` + +```shell +$ deno run main.ts +error: Uncaught PermissionDenied: read access to "./worker.ts", run again with the --allow-read flag + +$ deno run --allow-read main.ts +hello world +``` + +For workers using remote modules; `--allow-read` permission is required: + +```ts +// main.ts +new Worker("https://example.com/worker.ts", { type: "module" }); + +// worker.ts +console.log("hello world"); +self.close(); +``` + +```shell +$ deno run main.ts +error: Uncaught PermissionDenied: net access to "https://example.com/worker.ts", run again with the --allow-net flag + +$ deno run --allow-net main.ts +hello world +``` + ### Using Deno in worker > This is an unstable Deno feature. Learn more about |
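Review bot: In docs/runtime/compiler_apis.md, first hunk (@@ -15,9 +15,11 @@), the added sentence "require read or net permissions depending if they're local or remote" never names the flags a user has to pass. Suggest spelling them out as `--allow-read` for local modules and `--allow-net` for remote ones, matching the flag names used in the workers.md section of this patch, and changing "depending if" to "depending on whether". The paragraph also says that when `sources` is passed Deno does not resolve modules outside of that hash, so it would help to state whether any permission is needed in that case, since "All resolved resources" reads as if it covers both.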
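Review bot: In docs/runtime/compiler_apis.md, second hunk (@@ -63,10 +65,12 @@), the new permissions sentence is inserted before "Deno will also cache any of these resources", while the first hunk inserts it after that sentence. The two paragraphs are otherwise the same text, so the order should match in both places; otherwise the next edit to one of them is likely to miss the other. Putting the permissions sentence directly after "as if the root module had been passed on the command line" in both hunks keeps it next to the resolution behaviour it qualifies.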
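Review bot: In docs/runtime/workers.md (@@ -18,6 +18,49 @@), the lead-in to the remote example says "For workers using remote modules; `--allow-read` permission is required:", but the shell transcript under it shows "net access to "https://example.com/worker.ts", run again with the --allow-net flag" and succeeds with `deno run --allow-net main.ts`. The sentence should name `--allow-net`; as written it documents the wrong flag for a permission check, and a reader following the prose rather than the transcript would grant read access and still be denied. Both lead-in sentences also use a semicolon where a comma is meant ("For workers using local modules; ..."), and the `// worker.ts` comment in the remote example would be clearer as the URL being loaded.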