Get app boundary checking preliminarily working

Author: NullVoxPopuli

ember-classic-import-meta-glob/addon/index.js

@@ -12,6 +12,13 @@ import pico from 'picomatch';
  * @param {string} modulePath file path prefixed with the module name, not CWD
  */
 export function importMetaGlob(glob, options, modulePath) {
+  let ARITY_3 = arguments.length === 3;
+
+  if (typeof options === 'string') {
+    modulePath = options;
+    options = null;
+  }
+
   assert(
     `The first argument to import.meta.glob must be a string`,
     typeof glob === 'string',
@@ -20,14 +27,18 @@ export function importMetaGlob(glob, options, modulePath) {
     `The glob pattern must be a relative path starting with either ./ or ../. Received: ${glob}`,
     glob.startsWith('./') || glob.startsWith('../'),
   );
-  assert(
-    `the second argument to import.meta.glob must be an object`,
-    typeof options === 'object',
-  );
-  assert(
-    `the only supported option is 'eager'. Received: ${Object.keys(options)}`,
-    Object.keys(options).length === 1 && 'eager' in options,
-  );
+
+  if (ARITY_3) {
+    assert(
+      `the second argument to import.meta.glob must be an object. Received: ${typeof options}`,
+      typeof options === 'object',
+    );
+    assert(
+      `the only supported option is 'eager'. Received: ${Object.keys(options)}`,
+      Object.keys(options).length === 1 && 'eager' in options,
+    );
+  }
+
   assert(
     `the third argument to import.meta.glob must be passed and be the module path. This is filled in automatically via the babel plugin. If you're seeing this something has gone wrong with installing the babel plugin`,
     modulePath,
@@ -48,6 +59,12 @@ export function importMetaGlob(glob, options, modulePath) {
   let [, ...reversedParts] = modulePath.split('/').reverse();
   let currentDir = reversedParts.reverse().join('/');
 
+  console.log({ glob, currentDir, modulePath });
+  assert(
+    `not a valid path. Received: '${currentDir}' from '${modulePath}'`,
+    currentDir.length > 0,
+  );
+
   // TODO: drop the extensions, since at runtime, we don't have them.
   let globsArray = Array.isArray(glob) ? glob : [glob];
   let fullGlobs = globsArray.map((g) => {
@@ -56,18 +73,50 @@ export function importMetaGlob(glob, options, modulePath) {
   let isMatch = pico(fullGlobs);
   let matches = allModules.filter(isMatch);
 
-  console.log({ fullGlobs, matches, currentDir });
+  let hasInvalid = fullGlobs.some(isEscapingApp);
 
-  // TODO: assert: cannot escape the app.
-  //       (too many ../../../../)
+  assert(
+    `Cannot have a path that escapes the app. Received: ${glob}`,
+    !hasInvalid,
+  );
 
   let result = {};
 
   for (let match of matches) {
     let key = match.replace(`${currentDir}/`, './');
 
-    result[key] = requirejs(match);
+    if (options?.eager) {
+      result[key] = requirejs(match);
+    } else {
+      // TODO: can we usue a real import if we use app-imports
+      //       from ember-auto-import?
+      result[key] = () => Promise.resolve(requirejs(match));
+    }
   }
 
   return result;
 }
+
+function isEscapingApp(path) {
+  let parts = path.split('/');
+
+  let preUpCount = 0;
+  let upCount = 0;
+
+  for (let part of parts) {
+    if (part === '..') {
+      upCount++;
+      continue;
+    }
+
+    if (upCount > 0) {
+      break;
+    }
+
+    if (part !== '..') {
+      preUpCount++;
+    }
+  }
+
+  return upCount >= preUpCount;
+}

test-app/tests/glob-test/the-test.js

@@ -12,6 +12,7 @@ module('Glob tests', function () {
     assert.strictEqual(appTreeGlob['./from-app/b'].b, 'b1');
     assert.strictEqual(appTreeGlob['./from-app/c'].c, 'c1');
   });
+
   test('works from tests', function (assert) {
     let keys = Object.keys(testTreeGlob);
     assert.deepEqual(keys, [
@@ -25,15 +26,25 @@ module('Glob tests', function () {
   });
 
   test('with no matches', function (assert) {
-    let result = import.meta.glob('/does/not/exist', { eager: true });
+    let result = import.meta.glob('./does/not/exist', { eager: true });
 
-    assert.deepEqual(result, { _: 1 });
+    assert.strictEqual(Object.keys(result).length, 0);
+    assert.deepEqual(result, {});
   });
 
   test('default (async)', async (assert) => {
     let result = import.meta.glob('./from-tests/*');
 
-    assert.deepEqual(result, { './from-tests/a': './' });
+    let keys = Object.keys(result);
+    assert.deepEqual(keys, [
+      './from-tests/a',
+      './from-tests/b',
+      './from-tests/c',
+    ]);
+
+    assert.strictEqual((await result['./from-tests/a']()).a, 'a1');
+    assert.strictEqual((await result['./from-tests/b']()).b, 'b1');
+    assert.strictEqual((await result['./from-tests/c']()).c, 'c1');
   });
 
   module('underlying runtime', function () {
@@ -48,8 +59,22 @@ module('Glob tests', function () {
       module('glob', function () {
         test('errors when trying to escape the app', function (assert) {
           assert.throws(() => {
-            importMetaGlob('../../../something', { eager: true }, 'test-app');
-          }, /123 boop/);
+            importMetaGlob(
+              '../../../something',
+              { eager: true },
+              'test-app/tests/glob-test/the-test',
+            );
+          }, /not a valid path/);
+        });
+
+        test('errors when a sibling path tries to escape the app', function (assert) {
+          assert.throws(() => {
+            importMetaGlob(
+              './from-tests/../../../../something',
+              { eager: true },
+              'test-app/tests/glob-test/the-test',
+            );
+          }, /Cannot have a path that escapes the app/);
         });
 
         test('invalid glob', function (assert) {