starred/pkl
1
0
Fork 0
mirror of https://github.com/apple/pkl.git synced 2026-04-22 16:28:34 +02:00
Code Issues 198 Packages Projects Releases 10 Wiki Activity

Correct SecurityManager check for HTTP(S) module URIs (#1463)

Browse Source
This commit is contained in:
Jen Basch
2026-03-23 07:43:07 -07:00
parent 4f33a7e521
commit 3bdadb0bcd
2 changed files with 25 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
pkl-core/src/main/java/org/pkl/core/module/ModuleKeys.java
View File

@@ -519,6 +519,7 @@ public final class ModuleKeys {
@Override @Override
public ResolvedModuleKey resolve(SecurityManager securityManager) public ResolvedModuleKey resolve(SecurityManager securityManager)
throws IOException, SecurityManagerException { throws IOException, SecurityManagerException {
securityManager.checkResolveModule(uri);
var httpClient = VmContext.get(null).getHttpClient(); var httpClient = VmContext.get(null).getHttpClient();
var request = HttpRequest.newBuilder(uri).build(); var request = HttpRequest.newBuilder(uri).build();
var response = httpClient.send(request, BodyHandlers.ofInputStream()); var response = httpClient.send(request, BodyHandlers.ofInputStream());

25
pkl-core/src/test/kotlin/org/pkl/core/module/ModuleKeysTest.kt
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright © 2024-2025 Apple Inc. and the Pkl project authors. All rights reserved. * Copyright © 2024-2026 Apple Inc. and the Pkl project authors. All rights reserved.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ import java.net.MalformedURLException
import java.net.URI import java.net.URI
import java.net.URISyntaxException import java.net.URISyntaxException
import java.nio.file.Path import java.nio.file.Path
import java.util.regex.Pattern
import kotlin.io.path.createFile import kotlin.io.path.createFile
import kotlin.io.path.createParentDirectories import kotlin.io.path.createParentDirectories
import org.assertj.core.api.Assertions.assertThat import org.assertj.core.api.Assertions.assertThat
@@ -28,6 +29,7 @@ import org.junit.jupiter.api.assertThrows
import org.junit.jupiter.api.io.TempDir import org.junit.jupiter.api.io.TempDir
import org.pkl.commons.toPath import org.pkl.commons.toPath
import org.pkl.commons.writeString import org.pkl.commons.writeString
import org.pkl.core.SecurityManagerException
import org.pkl.core.SecurityManagers import org.pkl.core.SecurityManagers
class ModuleKeysTest { class ModuleKeysTest {
@@ -207,6 +209,27 @@ class ModuleKeysTest {
assertThat(e).hasMessageContaining("Package URIs must have a path component") assertThat(e).hasMessageContaining("Package URIs must have a path component")
} }
@Test
fun `http - resolve obeys allowed modules`() {
val uri = URI("https://apple.com/some/foo.pkl")
val key = ModuleKeys.genericUrl(uri)
assertThat(key.uri).isEqualTo(uri)
assertThat(key.isCached).isTrue
assertThat(ModuleKeys.isStdLibModule(key)).isFalse
assertThat(ModuleKeys.isBaseModule(key)).isFalse
assertThrows<SecurityManagerException> {
key.resolve(
with(SecurityManagers.standardBuilder()) {
setAllowedModules(listOf(Pattern.compile("repl:"), Pattern.compile("file:")))
build()
}
)
}
}
@Test @Test
fun `generic URL`() { fun `generic URL`() {
val uri = URI("https://apple.com/some/foo.pkl") val uri = URI("https://apple.com/some/foo.pkl")