fix(fix): Censor spread import

endojs · Aug 7, 2023 · fc90c64 · fc90c64
1 parent ee5961d
commit fc90c64
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/packages/ses/NEWS.md b/packages/ses/NEWS.md
@@ -1,5 +1,13 @@
 User-visible changes in SES:
 
+# Next
+
+- Censors the pattern `{...import(specifier)`}.
+  We previously censored `import(specifier)` and expressly allowed
+  `object.import(specifier)`.
+  The relaxation for the latter form in version 0.13.0 inadvertently allowed
+  import with the spread operator.
+
 # v0.18.5 (2023-07-14)
 
 - Adds `assert.bare` for embedding unquoted strings in details.

diff --git a/packages/ses/src/transforms.js b/packages/ses/src/transforms.js
@@ -106,7 +106,7 @@ export const evadeHtmlCommentTest = src => {
 // /////////////////////////////////////////////////////////////////////////////
 
 const importPattern = new FERAL_REG_EXP(
-  '(^|[^.])\\bimport(\\s*(?:\\(|/[/*]))',
+  '(^|[^.]|\\.\\.\\.)\\bimport(\\s*(?:\\(|/[/*]))',
   'g',
 );
 

diff --git a/packages/ses/test/test-transforms.js b/packages/ses/test/test-transforms.js
@@ -6,7 +6,7 @@ import {
 } from '../src/transforms.js';
 
 test('no-import-expression regexp', t => {
-  t.plan(9);
+  t.plan(14);
 
   // Note: we cannot define these as regular functions (and then stringify)
   // because the 'esm' module loader that we use for running the tests (i.e.
@@ -20,17 +20,23 @@ test('no-import-expression regexp', t => {
   const safe = 'const a = 1';
   const safe2 = "const a = notimport('evil')";
   const safe3 = "const a = importnot('evil')";
+  const safe4 = "const a = compartment.import('name')";
 
   const obvious = "const a = import('evil')";
   const whitespace = "const a = import ('evil')";
   const comment = "const a = import/*hah*/('evil')";
   const doubleSlashComment = "const a = import // hah\n('evil')";
   const newline = "const a = import\n('evil')";
   const multiline = "\nimport('a')\nimport('b')";
+  const spread = "{...import('exfil')}";
+  const spread2 = "{... import('exfil')}";
+  const spread3 = "{\n...\nimport\n('exfil')}";
+  const spread4 = "{\n...\nimport/**/\n('exfil')}";
 
   t.is(rejectImportExpressions(safe), safe, 'safe');
   t.is(rejectImportExpressions(safe2), safe2, 'safe2');
   t.is(rejectImportExpressions(safe3), safe3, 'safe3');
+  t.is(rejectImportExpressions(safe4), safe4, 'safe4');
   t.throws(
     () => rejectImportExpressions(obvious),
     { instanceOf: SyntaxError },
@@ -62,6 +68,26 @@ test('no-import-expression regexp', t => {
     'possible import expression rejected around line 2',
     'multiline',
   );
+  t.throws(
+    () => rejectImportExpressions(spread),
+    { instanceOf: SyntaxError },
+    'spread',
+  );
+  t.throws(
+    () => rejectImportExpressions(spread2),
+    { instanceOf: SyntaxError },
+    'spread2',
+  );
+  t.throws(
+    () => rejectImportExpressions(spread3),
+    { instanceOf: SyntaxError },
+    'spread3',
+  );
+  t.throws(
+    () => rejectImportExpressions(spread4),
+    { instanceOf: SyntaxError },
+    'spread4',
+  );
 });
 
 test('no-html-comment-expression regexp', t => {