Deno should not import remote files without --allow-net flag

[hisorange]

Just experimenting with deno so please excuse my instant misbehave.

But isn't the --allow-net flag's purpose is to encapsuate the process from the network and not let the script access the network without permission?

If this is the case, then we should block imports/require from calling remote urls.

This small snippet allowed me to read and send my secret without net access.

As I seen the --allow-read will block me from reading the filesystem but still the netwoking is available with crafted imports.

[bartlomieju]

--allow-new flag is used to allow Deno to make network requests.

Imports are implicitly allowed and cached in DENO_DIR for subsequent requests.

[hisorange]

Wrongly worded title, but my main concern is simple, I can craft new import urls with secrets hidden in them and respond dummy ts codes without --allow-net flag.

[ry]

Yes, this is a bug. Dynamic import should not be allowed unless --allow-net is specified.

I'm in the process of refactoring how dynamic import works (#975) and will add this constraint in the new implementation.

Duplicate of #712 - let's move the discussion there.