Dynamic import should respect permissions #2764
But what about indirect dynamic imports? I think I can still bypass the --allow-read check:
And then I host
That's because only the top-level dynamic import is checked for permissions, and its submodules don't go through the normal import machinery.
@piscisaureus I believe I've fixed that problem now. See tests/error_016_dynamic_import_permissions2
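The gap discussed in the two comments above, as an added example that is not part of the original thread or of Deno's code: a toy loader that walks a constructed module graph and checks permissions either on the top-level specifier only or on every module it reaches. `Permissions`, `check_specifier`, `dynamic_import`, `LoadError`, the sample specifiers and the rule that `http(s):` needs a net permission are all assumptions of this model.

```rust
use std::collections::{HashMap, HashSet};
#[derive(Debug, PartialEq)]
enum LoadError {
    PermissionDenied(String),
    UnsupportedScheme(String),
}
// Model assumption: file: needs read permission, http(s): needs net permission.
struct Permissions { allow_read: bool, allow_net: bool }
impl Permissions {
    fn check_specifier(&self, spec: &str) -> Result<(), LoadError> {
        match spec.split(':').next().unwrap_or("") {
            "file" if self.allow_read => Ok(()),
            "http" | "https" if self.allow_net => Ok(()),
            "file" | "http" | "https" => Err(LoadError::PermissionDenied(spec.into())),
            // Fail closed, but say why: the scheme is unknown, not merely unpermitted.
            _ => Err(LoadError::UnsupportedScheme(spec.into())),
        }
    }
}

// Constructed module graph: specifier -> specifiers it imports.
fn sample_graph() -> HashMap<&'static str, Vec<&'static str>> {
    HashMap::from([
        ("https://example.test/entry.js", vec!["https://example.test/dep.js"]),
        ("https://example.test/dep.js", vec!["file:///constructed/config.json"]),
    ])
}

// Loads everything reachable from `root`. `check_all = false` checks only the
// top-level specifier (the gap); `true` checks every module in the graph.
fn dynamic_import(perms: &Permissions, root: &str, check_all: bool) -> Result<Vec<String>, LoadError> {
    let graph = sample_graph();
    let (mut loaded, mut seen, mut stack) = (Vec::new(), HashSet::new(), vec![root.to_string()]);
    while let Some(spec) = stack.pop() {
        if !seen.insert(spec.clone()) { continue; }
        if check_all || spec == root { perms.check_specifier(&spec)?; }
        stack.extend(graph.get(spec.as_str()).into_iter().flatten().map(|d| d.to_string()));
        loaded.push(spec);
    }
    Ok(loaded)
}

fn main() {
    let perms = Permissions { allow_read: false, allow_net: true };
    let root = "https://example.test/entry.js";
    println!("root-only check: {:?}", dynamic_import(&perms, root, false));
    println!("per-module check: {:?}", dynamic_import(&perms, root, true));
}
```

With read permission withheld, the root-only mode still loads the `file:` module two levels down, while the per-module mode stops at it with a permission error.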
LGTM for this PR, though I do start to think if the capability of importing JSON with static import is also problematic at times. It is totally possible for people to deduce file locations with common system hierarchy (e.g. under I feel like maybe we should also add a
Eh - this seems too specific and I don't think it's necessary either.
I agree. Certainly this isn't allowed in browsers? I've added an issue for this #2768
Definitely. It seems to me it does not matter whether an import is static or dynamic. If you're reading it you need an
self.check_read(&filename)?; | ||
Ok(()) | ||
} | ||
_ => Err(permission_denied()), |
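Review bot: the catch-all `_ => Err(permission_denied())` arm reports an input the match does not recognize with the same error a failed `check_read` would produce, so a caller cannot tell a missing permission from an import that is not supported at all. Keep the arm failing closed, but return a distinct error that names the rejected input, and add a test case that reaches this arm.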
An "unsupported import url" error or something would be more appropriate here.
Fixes #2761
cc @kevinkassimo