Version
20.15.1 (LTS) up to 22.5.1
Platform
Darwin Boriss-MacBook-Pro.local 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:27:24 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T6000 arm64
Subsystem
No response
What steps will reproduce the bug?
Minimal reproducible scenario:
// test.mjs
function codeToUrl(code) {
  return `data:text/javascript;base64,${btoa(unescape(encodeURIComponent(code)))}`;
}
const code1 = `console.log("Hello")`;
const code2 = `
await import("${codeToUrl(code1)}");
`
await import(codeToUrl(code2));
Running this without --experimental-network-imports works fine (and is expected).
However, adding --experimental-network-imports throws ERR_NETWORK_IMPORT_DISALLOWED even though no network import occurs.
$ node --experimental-network-imports test.mjs
(node:70234) ExperimentalWarning: Network Imports is an experimental feature and might change at any time
(Use `node --trace-warnings ...` to show where the warning was created)
node:internal/modules/esm/resolve:1114
throw new ERR_NETWORK_IMPORT_DISALLOWED(
^
Error [ERR_NETWORK_IMPORT_DISALLOWED]: import of 'data:text/javascript;base64,Y29uc29sZS5sb2coIkhlbGxvIik=' by data:text/javascript;base64,CmF3YWl0IGltcG9ydCgiZGF0YTp0ZXh0L2phdmFzY3JpcHQ7YmFzZTY0LFkyOXVjMjlzWlM1c2IyY29Ja2hsYkd4dklpaz0iKTsK is not supported: import data: from a non file: is not allowed
The issue clearly comes from this code branch which specifically checks for:
- data: protocol in the import() statement
- file: protocol in the parent module
- existence of --experimental-network-imports
Based on the subsequent branch it seems like importing data: is supposed to be allowed everywhere (of course http: and https: sources being only accepted with the flag), and it looks like the case where data: imports from another data: was overlooked.
How often does it reproduce? Is there a required condition?
Consistently reproducible with the steps described above.
What is the expected behavior? Why is that the expected behavior?
The expectation is that the code snippet works with and without --experimental-network-imports.
What do you see instead?
ERR_NETWORK_IMPORT_DISALLOWED as per above.
Additional information
Importing data: from another data: may not be the most practical use case, but it's rather important from the correctness PoV. I personally don't see any security implications (e.g. as long as there are no relative imports occurring inside data: modules — but this issue here appears to be unrelated to those).
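A small model of the check as this issue describes it, added here as an example (it is not Node's resolver source and not the reporter's code): it decodes nested data: modules and marks which import edge the described condition rejects. The function names and the `file:///tmp/test.mjs` entry path are assumptions.

```javascript
// Condition as described in the issue (simplified model, an assumption):
// reject when the specifier is data:, the parent is not file:, and the flag is set.
function blockedByDescribedCheck(specifier, parentUrl, networkImportsFlag) {
  const child = new URL(specifier).protocol;
  const parent = new URL(parentUrl).protocol;
  return networkImportsFlag && child === 'data:' && parent !== 'file:';
}

// Decode the body of a data: URL (base64 or percent-encoded).
function decodeDataUrl(url) {
  const m = /^data:([^,]*),(.*)$/s.exec(url);
  if (!m) throw new TypeError('not a data: URL');
  return /;base64$/i.test(m[1])
    ? Buffer.from(m[2], 'base64').toString('utf8')
    : decodeURIComponent(m[2]);
}

// Walk literal import("data:...") specifiers nested inside data: modules and
// record the decision for every parent -> child edge. Computed specifiers are
// not visible to this static scan.
function traceDataImports(entry, rootParent, flag, maxDepth = 8) {
  const edges = [];
  const walk = (spec, parent, depth) => {
    edges.push({
      depth,
      parent: new URL(parent).protocol,
      blocked: blockedByDescribedCheck(spec, parent, flag),
    });
    if (depth >= maxDepth) return;
    const src = decodeDataUrl(spec);
    const re = /import\(\s*["'](data:[^"']+)["']\s*\)/g;
    for (const [, nested] of src.matchAll(re)) walk(nested, spec, depth + 1);
  };
  walk(entry, rootParent, 0);
  return edges;
}

// Constructed sample mirroring the reproduction in the issue.
const toDataUrl = (code) =>
  `data:text/javascript;base64,${Buffer.from(code, 'utf8').toString('base64')}`;
const inner = toDataUrl('console.log("Hello")');
const outer = toDataUrl(`\nawait import("${inner}");\n`);

console.log(traceDataImports(outer, 'file:///tmp/test.mjs', true));
console.log(traceDataImports(outer, 'file:///tmp/test.mjs', false));
```

With the flag set, only the data:-from-data: edge at depth 1 is marked blocked; the file:-to-data: edge at depth 0 passes in both runs.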