Change in import behavior with custom "resolve" function in 3.9.6

[bespokebob]

If a custom "resolve" function is provided, it seems to be called even if the module is not in the allowed list of external modules. This is a change from previous versions.

const { NodeVM } = require('vm2')

const vm = new NodeVM({
  require: {
    external: ['jose'],
    resolve: require.resolve,
  },
})

vm.run("var jmespath = require('jmespath')", 'vm.js')

In 3.9.5, this code throws VMError [Error]: The module 'jmespath' is not whitelisted in VM. In 3.9.6, it passes without error.

[XmiliaH]

Relative path requires did allow to require any module under options.root circumventing the whitelist altogether. Therefore, the whitelist check was moved to a later point in time.

[bespokebob]

It seems like the check isn't actually being hit now, though. If the custom 'resolve' function returns a path, it isn't validated against the list of external modules. I have to duplicate the check for allowed modules in my custom resolve function to get the expected behavior.

[XmiliaH]

The access check is done when trying to access files through

vm2/lib/resolver.js

Line 153 in 532120d

isPathAllowed(path) {

.

[bespokebob]

I think this line is the culprit:

vm2/lib/resolver-compat.js

Line 291 in 532120d

if (externals) externals.push(new RegExp('^' + escapeRegExp(resolved)));

If the custom resolver returns a path, it gets automatically added to the "external" list. Removing that line restores the previous behavior.

[XmiliaH]

Thanks, I see the problem now.

[XmiliaH]

Would you mind to check if the behavior with #400 is as expected.

[bespokebob]

Would you mind to check if the behavior with #400 is as expected.

#400 fixes the issue for me. The exact error message returned is different, but that's an improvement.

[XmiliaH]

Should be fixed in v3.9.7