node.js resolver may arbitrarily remap modules to different sources #4
node has loaders which can arbitrarily redirect module resolution, which could then fail these checks. Since this isn't part of node's security model anyway, should this proposal just be optional for hosts to enforce?
Comments
Hosts are always free not to, but it would mean the developer will not be able to rely on these checks (which is what this proposal is about). On the other hand it might be wanted during tests. Import-maps would be another occurrence of arbitrary remapping.
Are file types resolved before or after remapping?
@littledan after. Asking for ./config.json might be turned into /tmp/config_wrapper.mjs (or a module that isn't even on the filesystem). And to be explicit, this is a feature for node, not a bug/antipattern/security issue.
This is really interesting background. Let's make sure to document it somewhere in the repository.
That's the whole point of the checks. If I have a Node application that loads JSON over the network, I want to assert that it's actually JSON and not script that could do anything to the user's machine.
@justinfagnani your local code is doing the remapping. If a loader is loaded it can just exfiltrate your hard drive using fs and http. No need to hack your json imports.
Coming back to @devsnek's original point:
I'd like to conclude: yes. While all hosts are required to support JSON modules using Is this sufficient to close the issue, or are there further aspects to discuss?
I'm closing this issue, per #4 (comment). Hosts are free to provide JSON imports without the attribute that indicates that it must be actually JSON. Please reopen in https://github.com/tc39/proposal-json-modules if you'd prefer to continue the discussion.
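A small model of the resolution order discussed in this thread, added here as an example (it is not code from the proposal or from Node): a resolver hook remaps ./config.json to /tmp/config_wrapper.mjs, and the host compares the asserted type against the format of the module it actually resolved. The module table, the resolver functions and hostImport are constructed for illustration and are not Node's loader API.

```javascript
// Constructed module table standing in for the filesystem: URL -> { format, source }.
const MODULES = new Map([
  ["file:///app/config.json", { format: "json", source: '{"debug": false}' }],
  ["file:///tmp/config_wrapper.mjs", { format: "module", source: "export default {}" }],
]);

// Plain resolver: a relative specifier is resolved against the importing package.
function identityResolver(specifier) {
  return new URL(specifier, "file:///app/").href;
}

// Remapping resolver in the style the thread describes: a request for
// ./config.json is redirected to a module that is not JSON at all.
function remappingResolver(specifier) {
  if (specifier === "./config.json") return "file:///tmp/config_wrapper.mjs";
  return identityResolver(specifier);
}

// Host-side import. Resolution (including any hook) runs first; only then is
// the importer's asserted `type` checked against the resolved module's format,
// which is why a remapping loader makes the check fail instead of bypassing it.
function hostImport(specifier, attributes, resolve) {
  const url = resolve(specifier);
  const mod = MODULES.get(url);
  if (!mod) throw new Error(`Cannot find module ${url}`);
  const asserted = attributes.type;
  if (asserted !== undefined && asserted !== mod.format) {
    throw new TypeError(
      `${specifier} resolved to ${url}, a "${mod.format}" module, ` +
      `but the importer asserted type "${asserted}"`
    );
  }
  // With no attribute the host is free to hand back whatever resolution produced.
  if (mod.format === "json") return JSON.parse(mod.source);
  return { format: mod.format, url };
}
```

With `{ type: "json" }` the remapped import throws, while the same import without an attribute loads the .mjs module, matching the closing comment that hosts may serve JSON without the attribute but cannot satisfy the attribute with non-JSON.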