Correct SecurityManager check for HTTP(S) module URIs (#1463)

2026-03-23 17:41:10 +01:00 · 2026-03-23 07:43:07 -07:00
parent a6db476c70
commit cce84d7ccc
2 changed files with 25 additions and 1 deletions
--- a/pkl-core/src/main/java/org/pkl/core/module/ModuleKeys.java
+++ b/pkl-core/src/main/java/org/pkl/core/module/ModuleKeys.java
@@ -519,6 +519,7 @@ public final class ModuleKeys {
    @Override
    public ResolvedModuleKey resolve(SecurityManager securityManager)
        throws IOException, SecurityManagerException {
+      securityManager.checkResolveModule(uri);
      var httpClient = VmContext.get(null).getHttpClient();
      var request = HttpRequest.newBuilder(uri).build();
      var response = httpClient.send(request, BodyHandlers.ofInputStream());
--- a/pkl-core/src/test/kotlin/org/pkl/core/module/ModuleKeysTest.kt
+++ b/pkl-core/src/test/kotlin/org/pkl/core/module/ModuleKeysTest.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2024-2025 Apple Inc. and the Pkl project authors. All rights reserved.
+ * Copyright © 2024-2026 Apple Inc. and the Pkl project authors. All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ import java.net.MalformedURLException
 import java.net.URI
 import java.net.URISyntaxException
 import java.nio.file.Path
+import java.util.regex.Pattern
 import kotlin.io.path.createFile
 import kotlin.io.path.createParentDirectories
 import org.assertj.core.api.Assertions.assertThat
@@ -28,6 +29,7 @@ import org.junit.jupiter.api.assertThrows
 import org.junit.jupiter.api.io.TempDir
 import org.pkl.commons.toPath
 import org.pkl.commons.writeString
+import org.pkl.core.SecurityManagerException
 import org.pkl.core.SecurityManagers

 class ModuleKeysTest {
@@ -207,6 +209,27 @@ class ModuleKeysTest {
    assertThat(e).hasMessageContaining("Package URIs must have a path component")
  }

+  @Test
+  fun `http - resolve obeys allowed modules`() {
+    val uri = URI("https://apple.com/some/foo.pkl")
+    val key = ModuleKeys.genericUrl(uri)
+
+    assertThat(key.uri).isEqualTo(uri)
+    assertThat(key.isCached).isTrue
+
+    assertThat(ModuleKeys.isStdLibModule(key)).isFalse
+    assertThat(ModuleKeys.isBaseModule(key)).isFalse
+
+    assertThrows<SecurityManagerException> {
+      key.resolve(
+        with(SecurityManagers.standardBuilder()) {
+          setAllowedModules(listOf(Pattern.compile("repl:"), Pattern.compile("file:")))
+          build()
+        }
+      )
+    }
+  }
+
  @Test
  fun `generic URL`() {
    val uri = URI("https://apple.com/some/foo.pkl")