feat: remote module security

NathanWalker · NathanWalker · commit 0abc97991447 · 2025-12-26T13:44:38.000-08:00
diff --git a/NativeScript/runtime/DevFlags.h b/NativeScript/runtime/DevFlags.h
@@ -1,5 +1,7 @@
 #pragma once
 
+#include <string>
+
 // Centralized development/runtime flags helpers usable across runtime sources.
 // These read from app package.json via Runtime::GetAppConfigValue and other
 // runtime configuration to determine behavior of dev features.
@@ -10,4 +12,17 @@ namespace tns {
 // Controlled by package.json setting: "logScriptLoading": true|false
 bool IsScriptLoadingLogEnabled();
 
+// Security config
+
+// In debug mode (RuntimeConfig.IsDebug): always returns true.
+// checks "security.allowRemoteModules" from nativescript.config.
+bool IsRemoteModulesAllowed();
+
+// "security.remoteModuleAllowlist" array from nativescript.config.
+// If no allowlist is configured but allowRemoteModules is true, all URLs are allowed.
+bool IsRemoteUrlAllowed(const std::string& url);
+
+// Init security configuration
+void InitializeSecurityConfig();
+
 } // namespace tns
diff --git a/NativeScript/runtime/DevFlags.mm b/NativeScript/runtime/DevFlags.mm
@@ -3,6 +3,8 @@
 #include "DevFlags.h"
 #include "Runtime.h"
 #include "RuntimeConfig.h"
+#include <vector>
+#include <mutex>
 
 namespace tns {
 
@@ -11,4 +13,85 @@ bool IsScriptLoadingLogEnabled() {
   return value ? [value boolValue] : false;
 }
 
+// Security config
+
+static std::once_flag s_securityConfigInitFlag;
+static bool s_allowRemoteModules = false;
+static std::vector<std::string> s_remoteModuleAllowlist;
+
+// Helper to check if a URL starts with a given prefix
+static bool UrlStartsWith(const std::string& url, const std::string& prefix) {
+  if (prefix.size() > url.size()) return false;
+  return url.compare(0, prefix.size(), prefix) == 0;
+}
+
+void InitializeSecurityConfig() {
+  std::call_once(s_securityConfigInitFlag, []() {
+    @autoreleasepool {
+      // Get the security configuration object
+      id securityValue = Runtime::GetAppConfigValue("security");
+      if (!securityValue || ![securityValue isKindOfClass:[NSDictionary class]]) {
+        // No security config: defaults remain (remote modules disabled in production)
+        return;
+      }
+      
+      NSDictionary* security = (NSDictionary*)securityValue;
+      
+      // Check allowRemoteModules
+      id allowRemote = security[@"allowRemoteModules"];
+      if (allowRemote && [allowRemote respondsToSelector:@selector(boolValue)]) {
+        s_allowRemoteModules = [allowRemote boolValue];
+      }
+      
+      // Parse remoteModuleAllowlist
+      id allowlist = security[@"remoteModuleAllowlist"];
+      if (allowlist && [allowlist isKindOfClass:[NSArray class]]) {
+        NSArray* list = (NSArray*)allowlist;
+        for (id item in list) {
+          if ([item isKindOfClass:[NSString class]]) {
+            NSString* str = (NSString*)item;
+            if (str.length > 0) {
+              s_remoteModuleAllowlist.push_back(std::string([str UTF8String]));
+            }
+          }
+        }
+      }
+    }
+  });
+}
+
+bool IsRemoteModulesAllowed() {
+  if (RuntimeConfig.IsDebug) {
+    return true;
+  }
+  
+  InitializeSecurityConfig();
+  return s_allowRemoteModules;
+}
+
+bool IsRemoteUrlAllowed(const std::string& url) {
+  if (RuntimeConfig.IsDebug) {
+    return true;
+  }
+  
+  InitializeSecurityConfig();
+  if (!s_allowRemoteModules) {
+    return false;
+  }
+  
+  // If no allowlist is configured, allow all URLs (user explicitly enabled remote modules)
+  if (s_remoteModuleAllowlist.empty()) {
+    return true;
+  }
+  
+  // Check if URL matches any allowlist prefix
+  for (const std::string& prefix : s_remoteModuleAllowlist) {
+    if (UrlStartsWith(url, prefix)) {
+      return true;
+    }
+  }
+  
+  return false;
+}
+
 } // namespace tns
diff --git a/NativeScript/runtime/ModuleInternalCallbacks.mm b/NativeScript/runtime/ModuleInternalCallbacks.mm
@@ -96,13 +96,28 @@ static inline bool EndsWith(const std::string& value, const std::string& suffix)
   return std::equal(suffix.rbegin(), suffix.rend(), value.rbegin());
 }
 
-// Dev-only HTTP ESM loader helpers
+// HTTP ESM loader helpers
 
 static inline bool StartsWith(const std::string& s, const char* prefix) {
   size_t n = strlen(prefix);
   return s.size() >= n && s.compare(0, n, prefix) == 0;
 }
 
+// Security gate
+// In debug mode, all URLs are allowed. In production, checks security.allowRemoteModules and security.remoteModuleAllowlist
+static inline bool IsHttpUrlAllowedForLoading(const std::string& url) {
+  return IsRemoteUrlAllowed(url);
+}
+
+// Helper to create a security error message for blocked remote modules
+static std::string GetRemoteModuleBlockedMessage(const std::string& url) {
+  if (!IsRemoteModulesAllowed()) {
+    return "Remote ES modules are not allowed in production. URL: " + url +
+           ". Enable via security.allowRemoteModules in nativescript.config";
+  }
+  return "Remote URL not in security.remoteModuleAllowlist: " + url;
+}
+
 
 static v8::MaybeLocal<v8::Module> CompileModuleFromSource(v8::Isolate* isolate, v8::Local<v8::Context> context,
                                                           const std::string& code, const std::string& urlStr) {
@@ -725,8 +740,18 @@ static bool IsDocumentsPath(const std::string& path) {
 
   // ── Early absolute-HTTP fast path ─────────────────────────────
   // If the specifier itself is an absolute HTTP(S) URL, resolve it immediately via
-  // the HTTP dev loader and return before any filesystem candidate logic runs.
+  // the HTTP loader and return before any filesystem candidate logic runs.
   if (StartsWith(spec, "http://") || StartsWith(spec, "https://")) {
+    // Security check: block if remote modules not allowed
+    if (!IsHttpUrlAllowedForLoading(spec)) {
+      std::string msg = GetRemoteModuleBlockedMessage(spec);
+      if (IsScriptLoadingLogEnabled()) {
+        Log(@"[resolver][security] blocked remote module: %s", spec.c_str());
+      }
+      isolate->ThrowException(v8::Exception::Error(tns::ToV8String(isolate, msg.c_str())));
+      return v8::MaybeLocal<v8::Module>();
+    }
+    
     std::string key = CanonicalizeHttpUrlKey(spec);
     // Added instrumentation for unified phase logging
     Log(@"[http-esm][compile][begin] %s", key.c_str());
@@ -825,6 +850,7 @@ static bool IsDocumentsPath(const std::string& path) {
   // ("./" or "../") or root-absolute ("/") specifiers should resolve against the
   // referrer's URL, not the local filesystem. Mirror browser behavior by using NSURL
   // to construct the absolute URL, then return an HTTP-loaded module immediately.
+  // Security: Gated by IsHttpUrlAllowedForLoading.
   bool referrerIsHttp = (!referrerPath.empty() && (StartsWith(referrerPath, "http://") || StartsWith(referrerPath, "https://")));
   bool specIsRootAbs = !spec.empty() && spec[0] == '/';
   if (referrerIsHttp && (specIsRelative || specIsRootAbs)) {
@@ -845,6 +871,16 @@ static bool IsDocumentsPath(const std::string& path) {
       }
     }
     if (!resolvedHttp.empty() && (StartsWith(resolvedHttp, "http://") || StartsWith(resolvedHttp, "https://"))) {
+      // Security check: block if remote modules not allowed
+      if (!IsHttpUrlAllowedForLoading(resolvedHttp)) {
+        std::string msg = GetRemoteModuleBlockedMessage(resolvedHttp);
+        if (IsScriptLoadingLogEnabled()) {
+          Log(@"[resolver][security] blocked remote module (rel): %s", resolvedHttp.c_str());
+        }
+        isolate->ThrowException(v8::Exception::Error(tns::ToV8String(isolate, msg.c_str())));
+        return v8::MaybeLocal<v8::Module>();
+      }
+      
       if (IsScriptLoadingLogEnabled()) {
         Log(@"[resolver][http-rel] base=%s spec=%s -> %s", referrerPath.c_str(), spec.c_str(), resolvedHttp.c_str());
       }
@@ -1010,6 +1046,16 @@ static bool IsDocumentsPath(const std::string& path) {
 
   // If the specifier is an HTTP(S) URL, fetch via HTTP loader and return
   if (StartsWith(spec, "http://") || StartsWith(spec, "https://")) {
+    // Security check: block if remote modules not allowed
+    if (!IsHttpUrlAllowedForLoading(spec)) {
+      std::string msg = GetRemoteModuleBlockedMessage(spec);
+      if (IsScriptLoadingLogEnabled()) {
+        Log(@"[resolver][security] blocked remote module: %s", spec.c_str());
+      }
+      isolate->ThrowException(v8::Exception::Error(tns::ToV8String(isolate, msg.c_str())));
+      return v8::MaybeLocal<v8::Module>();
+    }
+    
     std::string key = CanonicalizeHttpUrlKey(spec);
     if (IsScriptLoadingLogEnabled()) {
       Log(@"[http-esm][compile][begin] %s", key.c_str());
@@ -1095,6 +1141,7 @@ static bool IsDocumentsPath(const std::string& path) {
 
     // If a candidate accidentally embeds a collapsed HTTP URL like '/app/http:/host/...',
     // reconstruct the HTTP URL and resolve via the HTTP loader instead of touching the filesystem.
+    // Security: Gated by IsHttpUrlAllowedForLoading.
     auto rerouteHttpIfEmbedded = [&](const std::string& p) -> bool {
       size_t pos1 = p.find("/http:/");
       size_t pos2 = p.find("/https:/");
@@ -1108,6 +1155,17 @@ static bool IsDocumentsPath(const std::string& path) {
         tail.insert(6, "/");
       }
       if (!(StartsWith(tail, "http://") || StartsWith(tail, "https://"))) return false;
+      
+      // Security check: block if remote modules not allowed
+      if (!IsHttpUrlAllowedForLoading(tail)) {
+        if (IsScriptLoadingLogEnabled()) {
+          Log(@"[resolver][security] blocked embedded remote module: %s", tail.c_str());
+        }
+        std::string msg = GetRemoteModuleBlockedMessage(tail);
+        isolate->ThrowException(v8::Exception::Error(tns::ToV8String(isolate, msg.c_str())));
+        return false;
+      }
+      
       if (IsScriptLoadingLogEnabled()) { Log(@"[resolver][http-embedded] %s -> %s", p.c_str(), tail.c_str()); }
       std::string key = CanonicalizeHttpUrlKey(tail);
       auto itExisting = g_moduleRegistry.find(key);
@@ -1913,6 +1971,16 @@ static bool IsDocumentsPath(const std::string& path) {
 
     // If spec is an HTTP(S) URL, try HTTP fetch+compile directly
     if (!normalizedSpec.empty() && (StartsWith(normalizedSpec, "http://") || StartsWith(normalizedSpec, "https://"))) {
+      // Security check: block if remote modules not allowed
+      if (!IsHttpUrlAllowedForLoading(normalizedSpec)) {
+        std::string msg = GetRemoteModuleBlockedMessage(normalizedSpec);
+        if (IsScriptLoadingLogEnabled()) {
+          Log(@"[dyn-import][security] blocked remote module: %s", normalizedSpec.c_str());
+        }
+        resolver->Reject(context, v8::Exception::Error(tns::ToV8String(isolate, msg.c_str()))).FromMaybe(false);
+        return scope.Escape(resolver->GetPromise());
+      }
+      
       if (IsScriptLoadingLogEnabled()) {
         Log(@"[dyn-import][http-loader] trying URL %s", normalizedSpec.c_str());
       }
diff --git a/TestRunner/app/package.json b/TestRunner/app/package.json
@@ -1,3 +1,11 @@
 {
-    "main": "index"
+    "main": "index",
+    "security": {
+        "allowRemoteModules": true,
+        "remoteModuleAllowlist": [
+            "https://esm.sh/",
+            "https://cdn.example.com/modules/",
+            "https://unpkg.com/"
+        ]
+    }
 }
diff --git a/TestRunner/app/tests/RemoteModuleSecurityTests.js b/TestRunner/app/tests/RemoteModuleSecurityTests.js
diff --git a/TestRunner/app/tests/index.js b/TestRunner/app/tests/index.js

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,11 @@`
`1`	`1`	`{`
`2`		`- "main": "index"`
	`2`	`+ "main": "index",`
	`3`	`+ "security": {`
	`4`	`+ "allowRemoteModules": true,`
	`5`	`+ "remoteModuleAllowlist": [`
	`6`	`+ "https://esm.sh/",`
	`7`	`+ "https://cdn.example.com/modules/",`
	`8`	`+ "https://unpkg.com/"`
	`9`	`+ ]`
	`10`	`+ }`
`3`	`11`	`}`