-rw-r--r-- | cli/module_graph.rs | 18 | ||||
-rw-r--r-- | cli/state.rs | 19 | ||||
-rw-r--r-- | cli/tests/disallow_http_from_https.js | 2 | ||||
-rw-r--r-- | cli/tests/disallow_http_from_https.ts | 2 | ||||
-rw-r--r-- | cli/tests/disallow_http_from_https_js.out | 1 | ||||
-rw-r--r-- | cli/tests/disallow_http_from_https_ts.out | 1 | ||||
-rw-r--r-- | cli/tests/error_local_static_import_from_remote.js.out | 2 | ||||
-rw-r--r-- | cli/tests/error_local_static_import_from_remote.ts.out | 2 | ||||
-rw-r--r-- | cli/tests/integration_tests.rs | 14 |
9 files changed, 57 insertions, 4 deletions
diff --git a/cli/module_graph.rs b/cli/module_graph.rs
index 21e575cfd..e03468679 100644
--- a/cli/module_graph.rs
+++ b/cli/module_graph.rs
@@ -274,6 +274,8 @@ impl ModuleGraphLoader {
 Ok(())
 }
 
+ // TODO(bartlomieju): decorate errors with import location in the source code
+ // https://github.com/denoland/deno/issues/5080
 fn download_module(
 &mut self,
 module_specifier: ModuleSpecifier,
@@ -283,6 +285,18 @@ impl ModuleGraphLoader {
 return Ok(());
 }
 
+ // Disallow http:// imports from modules loaded over https://
+ if let Some(referrer) = maybe_referrer.as_ref() {
+ if let "https" = referrer.as_url().scheme() {
+ if let "http" = module_specifier.as_url().scheme() {
+ let e = OpError::permission_denied(
+ "Modules loaded over https:// are not allowed to import modules over http://".to_string()
+ );
+ return Err(e.into());
+ };
+ };
+ };
+
 if !self.is_dyn_import {
 // Verify that remote file doesn't try to statically import local file.
 if let Some(referrer) = maybe_referrer.as_ref() {
@@ -293,7 +307,9 @@ impl ModuleGraphLoader {
 match specifier_url.scheme() {
 "http" | "https" => {}
 _ => {
- let e = OpError::permission_denied("Remote module are not allowed to statically import local modules. Use dynamic import instead.".to_string());
+ let e = OpError::permission_denied(
+ "Remote modules are not allowed to statically import local modules. Use dynamic import instead.".to_string()
+ );
 return Err(e.into());
 }
 }
diff --git a/cli/state.rs b/cli/state.rs
index 71699f382..4306cf102 100644
--- a/cli/state.rs
+++ b/cli/state.rs
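Review bot: The downgrade check added to `download_module` in cli/module_graph.rs compares only the scheme of the specifier as written with the referrer's scheme, so an `https://` import that the server answers with a redirect to `http://` is not rejected by these lines. Whether the fetch path re-checks redirect targets is not visible in this diff, and the same limit applies to the copy added in cli/state.rs. I would record it next to the check, e.g. `// NOTE: only the written specifier is checked; https -> http redirects must be rejected where redirects are followed.`, and add a redirect case to the integration tests. The body of `download_module` continues outside the hunk.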
@@ -279,6 +279,21 @@ impl ModuleLoader for State {
 is_dyn_import: bool,
 ) -> Pin<Box<deno_core::ModuleSourceFuture>> {
 let module_specifier = module_specifier.clone();
+
+ // TODO(bartlomieju): this code is duplicated from module_graph.
+ // It should be removed when `prepare_load` will be used to load modules.
+ // Disallow http:// imports from modules loaded over https://
+ if let Some(referrer) = maybe_referrer.as_ref() {
+ if let "https" = referrer.as_url().scheme() {
+ if let "http" = module_specifier.as_url().scheme() {
+ let e = OpError::permission_denied(
+ "Modules loaded over https:// are not allowed to import modules over http://".to_string()
+ );
+ return async move { Err(e.into()) }.boxed_local();
+ }
+ }
+ }
+
 if is_dyn_import {
 if let Err(e) = self.check_dyn_import(&module_specifier) {
 return async move { Err(e.into()) }.boxed_local();
@@ -293,7 +308,9 @@ impl ModuleLoader for State {
 match specifier_url.scheme() {
 "http" | "https" => {}
 _ => {
- let e = OpError::permission_denied("Remote module are not allowed to statically import local modules. Use dynamic import instead.".to_string());
+ let e = OpError::permission_denied(
+ "Remote modules are not allowed to statically import local modules. Use dynamic import instead.".to_string()
+ );
 return async move { Err(e.into()) }.boxed_local();
 }
 }
diff --git a/cli/tests/disallow_http_from_https.js b/cli/tests/disallow_http_from_https.js
new file mode 100644
index 000000000..fd30a023d
--- /dev/null
+++ b/cli/tests/disallow_http_from_https.js
@@ -0,0 +1,2 @@
+// Trying to import "http://", while this file is accessed by "https://"
+import "http://localhost:4545/cli/tests/001_hello.js";
diff --git a/cli/tests/disallow_http_from_https.ts b/cli/tests/disallow_http_from_https.ts
new file mode 100644
index 000000000..fd30a023d
--- /dev/null
+++ b/cli/tests/disallow_http_from_https.ts
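Review bot: In the check added to the `ModuleLoader` method in cli/state.rs (its name is outside the hunk), `if let "https" = referrer.as_url().scheme()` uses a literal pattern where a plain comparison is meant, which reads like destructuring and nests three levels for one condition. A single guard inside the `if let Some(referrer)` is easier to audit: `if referrer.as_url().scheme() == "https" && module_specifier.as_url().scheme() == "http" {`. The copy in cli/module_graph.rs has the same shape plus a stray `;` after each closing brace. While both copies exist they should stay textually identical, so that the two load paths cannot drift apart on this policy. The method body continues outside the hunk.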
@@ -0,0 +1,2 @@
+// Trying to import "http://", while this file is accessed by "https://"
+import "http://localhost:4545/cli/tests/001_hello.js";
diff --git a/cli/tests/disallow_http_from_https_js.out b/cli/tests/disallow_http_from_https_js.out
new file mode 100644
index 000000000..7b71cb6bf
--- /dev/null
+++ b/cli/tests/disallow_http_from_https_js.out
@@ -0,0 +1 @@
+error: Modules loaded over https:// are not allowed to import modules over http://
diff --git a/cli/tests/disallow_http_from_https_ts.out b/cli/tests/disallow_http_from_https_ts.out
new file mode 100644
index 000000000..7b71cb6bf
--- /dev/null
+++ b/cli/tests/disallow_http_from_https_ts.out
@@ -0,0 +1 @@
+error: Modules loaded over https:// are not allowed to import modules over http://
diff --git a/cli/tests/error_local_static_import_from_remote.js.out b/cli/tests/error_local_static_import_from_remote.js.out
index 4e6a9d4e7..c3fda1274 100644
--- a/cli/tests/error_local_static_import_from_remote.js.out
+++ b/cli/tests/error_local_static_import_from_remote.js.out
@@ -1,2 +1,2 @@
 [WILDCARD]
-error: Remote module are not allowed to statically import local modules. Use dynamic import instead.
+error: Remote modules are not allowed to statically import local modules. Use dynamic import instead.
diff --git a/cli/tests/error_local_static_import_from_remote.ts.out b/cli/tests/error_local_static_import_from_remote.ts.out
index 4e6a9d4e7..c3fda1274 100644
--- a/cli/tests/error_local_static_import_from_remote.ts.out
+++ b/cli/tests/error_local_static_import_from_remote.ts.out
@@ -1,2 +1,2 @@
 [WILDCARD]
-error: Remote module are not allowed to statically import local modules. Use dynamic import instead.
+error: Remote modules are not allowed to statically import local modules. Use dynamic import instead.
diff --git a/cli/tests/integration_tests.rs b/cli/tests/integration_tests.rs
index de894f064..cec081ea6 100644
--- a/cli/tests/integration_tests.rs
+++ b/cli/tests/integration_tests.rs
@@ -1686,6 +1686,20 @@ itest_ignore!(cafile_info {
 http_server: true,
 });
 
+itest!(disallow_http_from_https_js {
+ args: "run --quiet --reload --cert tls/RootCA.pem https://localhost:5545/cli/tests/disallow_http_from_https.js",
+ output: "disallow_http_from_https_js.out",
+ http_server: true,
+ exit_code: 1,
+});
+
+itest!(disallow_http_from_https_ts {
+ args: "run --quiet --reload --cert tls/RootCA.pem https://localhost:5545/cli/tests/disallow_http_from_https.ts",
+ output: "disallow_http_from_https_ts.out",
+ http_server: true,
+ exit_code: 1,
+});
+
 itest!(fix_js_import_js {
 args: "run --quiet --reload fix_js_import_js.ts",
 output: "fix_js_import_js.ts.out", |
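Review bot: Both new `itest!` cases load a fixture with a static `import` only, although the check in cli/state.rs sits before the `is_dyn_import` branch and therefore also governs dynamic imports; that path has no test here. A third fixture whose body is `await import("http://localhost:4545/cli/tests/001_hello.js");`, served from `https://localhost:5545` with the same `exit_code: 1` expectation, would pin it. The expected output for that case may differ from the static one, since how dynamic-import errors are reported is not visible in this diff.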