From cce84d7ccc4eeab0e66a3d1fd4716c64b824e68a Mon Sep 17 00:00:00 2001
From: Jen Basch
Date: Mon, 23 Mar 2026 07:43:07 -0700
Subject: [PATCH] Correct SecurityManager check for HTTP(S) module URIs (#1463)
---
 .../java/org/pkl/core/module/ModuleKeys.java | 1 +
 .../org/pkl/core/module/ModuleKeysTest.kt | 25 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/pkl-core/src/main/java/org/pkl/core/module/ModuleKeys.java b/pkl-core/src/main/java/org/pkl/core/module/ModuleKeys.java
index 61e6946d..8d455037 100644
--- a/pkl-core/src/main/java/org/pkl/core/module/ModuleKeys.java
+++ b/pkl-core/src/main/java/org/pkl/core/module/ModuleKeys.java
@@ -519,6 +519,7 @@ public final class ModuleKeys {
 @Override
 public ResolvedModuleKey resolve(SecurityManager securityManager)
 throws IOException, SecurityManagerException {
+ securityManager.checkResolveModule(uri);
 var httpClient = VmContext.get(null).getHttpClient();
 var request = HttpRequest.newBuilder(uri).build();
 var response = httpClient.send(request, BodyHandlers.ofInputStream());
diff --git a/pkl-core/src/test/kotlin/org/pkl/core/module/ModuleKeysTest.kt b/pkl-core/src/test/kotlin/org/pkl/core/module/ModuleKeysTest.kt
index 1b9bde21..71029b2c 100644
--- a/pkl-core/src/test/kotlin/org/pkl/core/module/ModuleKeysTest.kt
+++ b/pkl-core/src/test/kotlin/org/pkl/core/module/ModuleKeysTest.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2024-2025 Apple Inc. and the Pkl project authors. All rights reserved.
+ * Copyright © 2024-2026 Apple Inc. and the Pkl project authors. All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
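Review bot: The new `securityManager.checkResolveModule(uri)` call in `resolve` (ModuleKeys.java) carries no comment saying why it has to come before `httpClient.send(...)`, and that ordering is what the fix relies on: a later edit that moves the check below the request would send traffic for a URI the security manager rejects. I would add `// Must run before the request is sent, so a disallowed URI never causes network traffic.` directly above the call. The check covers only the requested `uri`; if the HTTP client follows redirects, the URI the response was finally served from needs its own check, and whether that already exists cannot be seen here because the method body continues past the hunk.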
@@ -20,6 +20,7 @@ import java.net.MalformedURLException
 import java.net.URI
 import java.net.URISyntaxException
 import java.nio.file.Path
+import java.util.regex.Pattern
 import kotlin.io.path.createFile
 import kotlin.io.path.createParentDirectories
 import org.assertj.core.api.Assertions.assertThat
@@ -28,6 +29,7 @@ import org.junit.jupiter.api.assertThrows
 import org.junit.jupiter.api.io.TempDir
 import org.pkl.commons.toPath
 import org.pkl.commons.writeString
+import org.pkl.core.SecurityManagerException
 import org.pkl.core.SecurityManagers

 class ModuleKeysTest {
@@ -207,6 +209,27 @@ class ModuleKeysTest {
 assertThat(e).hasMessageContaining("Package URIs must have a path component")
 }

+ @Test
+ fun `http - resolve obeys allowed modules`() {
+ val uri = URI("https://apple.com/some/foo.pkl")
+ val key = ModuleKeys.genericUrl(uri)
+
+ assertThat(key.uri).isEqualTo(uri)
+ assertThat(key.isCached).isTrue
+
+ assertThat(ModuleKeys.isStdLibModule(key)).isFalse
+ assertThat(ModuleKeys.isBaseModule(key)).isFalse
+
+ assertThrows {
+ key.resolve(
+ with(SecurityManagers.standardBuilder()) {
+ setAllowedModules(listOf(Pattern.compile("repl:"), Pattern.compile("file:")))
+ build()
+ }
+ )
+ }
+ }
+
 @Test
 fun `generic URL`() {
 val uri = URI("https://apple.com/some/foo.pkl")
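Review bot: The `assertThrows` block in `http - resolve obeys allowed modules` only proves that `key.resolve(...)` fails, not that it fails before any request leaves the process, which is the property the fix is meant to guarantee. Because the URI names a real host, a regression that ran the check only after the request could plausibly still end in the same exception; this is inferred, since `resolve` itself is not visible in this file. Pointing the test at a reserved name, `val uri = URI("https://example.invalid/some/foo.pkl")`, would turn such a regression into a connection failure instead, and asserting on the exception message would pin which check fired. The `isCached`, `isStdLibModule` and `isBaseModule` assertions look unrelated to the allowed-modules behaviour and appear to repeat the neighbouring `generic URL` test, so they could be dropped.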