BREAKING: disallow static import of local modules from remote modules (#5050)

This commit changes module loading logic to disallow statically import
local module (file:// scheme) from remote modules (http://, https://
schemes).

cli/ops/compiler.rs

@@ -112,6 +112,24 @@ fn op_fetch_source_files(
         async move {
           let resolved_specifier = ModuleSpecifier::resolve_url(&specifier)
             .expect("Invalid specifier");
+          // TODO(bartlomieju): duplicated from `state.rs::ModuleLoader::load` - deduplicate
+          // Verify that remote file doesn't try to statically import local file.
+          if let Some(referrer) = ref_specifier_.as_ref() {
+            let referrer_url = referrer.as_url();
+            match referrer_url.scheme() {
+              "http" | "https" => {
+                let specifier_url = resolved_specifier.as_url();
+                match specifier_url.scheme() {
+                  "http" | "https" => {},
+                  _ => {
+                    let e = OpError::permission_denied("Remote module are not allowed to statically import local modules. Use dynamic import instead.".to_string());
+                    return Err(e.into());
+                  }
+                }
+              },
+              _ => {}
+            }
+          }
           file_fetcher_
             .fetch_source_file(&resolved_specifier, ref_specifier_)
             .await

cli/state.rs

@@ -287,6 +287,24 @@ impl ModuleLoader for State {
       if let Err(e) = self.check_dyn_import(&module_specifier) {
         return async move { Err(e.into()) }.boxed_local();
       }
+    } else {
+      // Verify that remote file doesn't try to statically import local file.
+      if let Some(referrer) = maybe_referrer.as_ref() {
+        let referrer_url = referrer.as_url();
+        match referrer_url.scheme() {
+          "http" | "https" => {
+            let specifier_url = module_specifier.as_url();
+            match specifier_url.scheme() {
+              "http" | "https" => {}
+              _ => {
+                let e = OpError::permission_denied("Remote module are not allowed to statically import local modules. Use dynamic import instead.".to_string());
+                return async move { Err(e.into()) }.boxed_local();
+              }
+            }
+          }
+          _ => {}
+        }
+      }
     }
 
     let mut state = self.borrow_mut();

cli/tests/error_local_static_import_from_remote.js

@@ -0,0 +1 @@
+import "file:///some/dir/file.js";

cli/tests/error_local_static_import_from_remote.js.out

@@ -0,0 +1,2 @@
+[WILDCARD]
+Remote module are not allowed to statically import local modules. Use dynamic import instead.

cli/tests/error_local_static_import_from_remote.ts

@@ -0,0 +1 @@
+import "file:///some/dir/file.ts";

cli/tests/error_local_static_import_from_remote.ts.out

@@ -0,0 +1,9 @@
+[WILDCARD]
+error: Uncaught PermissionDenied: Remote module are not allowed to statically import local modules. Use dynamic import instead.
+    at unwrapResponse ($deno$/ops/dispatch_json.ts:[WILDCARD])
+    at Object.sendAsync ($deno$/ops/dispatch_json.ts:[WILDCARD])
+    at async processImports ($deno$/compiler/imports.ts:[WILDCARD])
+    at async Object.processImports ($deno$/compiler/imports.ts:[WILDCARD])
+    at async compile ([WILDCARD]compiler.ts:[WILDCARD])
+    at async tsCompilerOnMessage ([WILDCARD]compiler.ts:[WILDCARD])
+    at async workerMessageRecvCallback ($deno$/runtime_worker.ts:[WILDCARD])

cli/tests/integration_tests.rs

@@ -1422,6 +1422,22 @@ itest!(error_type_definitions {
   output: "error_type_definitions.ts.out",
 });
 
+itest!(error_local_static_import_from_remote_ts {
+  args: "run --reload http://localhost:4545/cli/tests/error_local_static_import_from_remote.ts",
+  check_stderr: true,
+  exit_code: 1,
+  http_server: true,
+  output: "error_local_static_import_from_remote.ts.out",
+});
+
+itest!(error_local_static_import_from_remote_js {
+  args: "run --reload http://localhost:4545/cli/tests/error_local_static_import_from_remote.js",
+  check_stderr: true,
+  exit_code: 1,
+  http_server: true,
+  output: "error_local_static_import_from_remote.js.out",
+});
+
 // TODO(bartlomieju) Re-enable
 itest_ignore!(error_worker_dynamic {
   args: "run --reload error_worker_dynamic.ts",