Fix error message when reading a resource/module past root dir (#1234)

2026-04-23 00:38:37 +02:00 · 2025-10-09 10:16:33 -07:00
parent 3a29ea8998
commit 42dcad25c6
4 changed files with 43 additions and 30 deletions
--- a/pkl-core/src/main/java/org/pkl/core/SecurityManagers.java
+++ b/pkl-core/src/main/java/org/pkl/core/SecurityManagers.java
@@ -145,17 +145,17 @@ public final class SecurityManagers {

    @Override
    public void checkResolveModule(URI uri) throws SecurityManagerException {
-      checkRead(uri, allowedModules, "moduleNotInAllowList");
+      checkRead(uri, allowedModules, false);
    }

    @Override
    public void checkResolveResource(URI resource) throws SecurityManagerException {
-      checkRead(resource, allowedResources, "resourceNotInAllowList");
+      checkRead(resource, allowedResources, true);
    }

    @Override
    public void checkReadResource(URI uri) throws SecurityManagerException {
-      checkRead(uri, allowedResources, "resourceNotInAllowList");
+      checkRead(uri, allowedResources, true);
    }

    @Override
@@ -185,21 +185,21 @@ public final class SecurityManagers {
      }
    }

-    private void checkRead(URI uri, List<Pattern> allowedPatterns, String errorMessageKey)
+    private void checkRead(URI uri, List<Pattern> allowedPatterns, boolean isResource)
        throws SecurityManagerException {
      for (var pattern : allowedPatterns) {
        if (pattern.matcher(uri.toString()).lookingAt()) {
-          checkIsUnderRootDir(uri, errorMessageKey);
+          checkIsUnderRootDir(uri, isResource);
          return;
        }
      }

-      var message = ErrorMessages.create(errorMessageKey, uri);
+      var messageKey = isResource ? "resourceNotInAllowList" : "moduleNotInAllowList";
+      var message = ErrorMessages.create(messageKey, uri);
      throw new SecurityManagerException(message);
    }

-    private void checkIsUnderRootDir(URI uri, String errorMessageKey)
-        throws SecurityManagerException {
+    private void checkIsUnderRootDir(URI uri, boolean isResource) throws SecurityManagerException {
      if (!uri.isAbsolute()) {
        throw new AssertionError("Expected absolute URI but got: " + uri);
      }
@@ -220,7 +220,8 @@ public final class SecurityManagers {
      }

      if (!path.startsWith(rootDir)) {
-        var message = ErrorMessages.create(errorMessageKey, uri);
+        var errorMessageKey = isResource ? "resourcePastRootDir" : "modulePastRootDir";
+        var message = ErrorMessages.create(errorMessageKey, uri, rootDir);
        throw new SecurityManagerException(message);
      }
    }
--- a/pkl-core/src/main/resources/org/pkl/core/errorMessages.properties
+++ b/pkl-core/src/main/resources/org/pkl/core/errorMessages.properties
@@ -690,6 +690,12 @@ Refusing to read resource `{0}` because it does not match any entry in the resou
 moduleNotInAllowList=\
 Refusing to load module `{0}` because it does not match any entry in the module allowlist (`--allowed-modules`).

+resourcePastRootDir=\
+Refusing to read resource `{0}` because it is not within the root directory (`--root-dir`).
+
+modulePastRootDir=\
+Refusing to load module `{0}` because it is not within the root directory (`--root-dir`).
+
 insufficientModuleTrustLevel=\
 Refusing to import module `{0}` because importing module `{1}` has an insufficient trust level.