Dynamic import should respect permissions (#2764)

cli/state.rs

@@ -4,6 +4,7 @@ use crate::compilers::JsCompiler;
 use crate::compilers::JsonCompiler;
 use crate::compilers::TsCompiler;
 use crate::deno_dir;
+use crate::deno_error::permission_denied;
 use crate::file_fetcher::SourceFileFetcher;
 use crate::flags;
 use crate::global_timer::GlobalTimer;
@@ -119,6 +120,7 @@ impl Loader for ThreadSafeState {
     specifier: &str,
     referrer: &str,
     is_main: bool,
+    is_dyn_import: bool,
   ) -> Result<ModuleSpecifier, ErrBox> {
     if !is_main {
       if let Some(import_map) = &self.import_map {
@@ -128,8 +130,14 @@ impl Loader for ThreadSafeState {
         }
       }
     }
+    let module_specifier =
+      ModuleSpecifier::resolve_import(specifier, referrer)?;
 
-    ModuleSpecifier::resolve_import(specifier, referrer).map_err(ErrBox::from)
+    if is_dyn_import {
+      self.check_dyn_import(&module_specifier)?;
+    }
+
+    Ok(module_specifier)
   }
 
   /// Given an absolute url, load its source code.
@@ -294,7 +302,7 @@ impl ThreadSafeState {
   }
 
   #[inline]
-  pub fn check_net_url(&self, url: url::Url) -> Result<(), ErrBox> {
+  pub fn check_net_url(&self, url: &url::Url) -> Result<(), ErrBox> {
     self.permissions.check_net_url(url)
   }
 
@@ -303,6 +311,30 @@ impl ThreadSafeState {
     self.permissions.check_run()
   }
 
+  pub fn check_dyn_import(
+    self: &Self,
+    module_specifier: &ModuleSpecifier,
+  ) -> Result<(), ErrBox> {
+    let u = module_specifier.as_url();
+    match u.scheme() {
+      "http" | "https" => {
+        self.check_net_url(u)?;
+        Ok(())
+      }
+      "file" => {
+        let filename = u
+          .to_file_path()
+          .unwrap()
+          .into_os_string()
+          .into_string()
+          .unwrap();
+        self.check_read(&filename)?;
+        Ok(())
+      }
+      _ => Err(permission_denied()),
+    }
+  }
+
   #[cfg(test)]
   pub fn mock(argv: Vec<String>) -> ThreadSafeState {
     ThreadSafeState::new(