From 2872b362ff76273d897d75bb8a3ddd5510c182f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?=
Date: Sat, 2 May 2020 15:51:08 +0200
Subject: BREAKING: disallow static import of local modules from remote modules (#5050)

This commit changes module loading logic to disallow statically import local module (file:// scheme) from remote modules (http://, https:// schemes).
---
 cli/ops/compiler.rs | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'cli/ops/compiler.rs')
diff --git a/cli/ops/compiler.rs b/cli/ops/compiler.rs
index 1029070a8..c66b56d43 100644
--- a/cli/ops/compiler.rs
+++ b/cli/ops/compiler.rs
@@ -112,6 +112,24 @@ fn op_fetch_source_files(
 async move {
 let resolved_specifier = ModuleSpecifier::resolve_url(&specifier)
 .expect("Invalid specifier");
+ // TODO(bartlomieju): duplicated from `state.rs::ModuleLoader::load` - deduplicate
+ // Verify that remote file doesn't try to statically import local file.
+ if let Some(referrer) = ref_specifier_.as_ref() {
+ let referrer_url = referrer.as_url();
+ match referrer_url.scheme() {
+ "http" | "https" => {
+ let specifier_url = resolved_specifier.as_url();
+ match specifier_url.scheme() {
+ "http" | "https" => {},
+ _ => {
+ let e = OpError::permission_denied("Remote module are not allowed to statically import local modules. Use dynamic import instead.".to_string());
+ return Err(e.into());
+ }
+ }
+ },
+ _ => {}
+ }
+ }
 file_fetcher_
 .fetch_source_file(&resolved_specifier, ref_specifier_)
 .await
-- cgit v1.2.3
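Review bot: The remote-to-local import guard added ahead of `file_fetcher_.fetch_source_file(...)` is a second hand-written copy of a permission check (the TODO names `state.rs::ModuleLoader::load` as the first), so a later edit to one copy can leave the other load path enforcing a different rule; moving the decision into one shared helper in this commit would be safer than deferring it. The two nested `match` blocks also reduce to one condition, for example `let is_remote = |s: &str| matches!(s, "http" | "https");` followed by `if is_remote(referrer.as_url().scheme()) && !is_remote(resolved_specifier.as_url().scheme()) { ... }`. The inner `_` arm denies every non-http(s) target, not only `file://`, so a comment such as `// Any non-http(s) target is treated as local and denied.` would make the deny-by-default intent explicit, and the message text should read "Remote modules are not allowed". The body of `op_fetch_source_files` starts and ends outside the hunk.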