Restrict access to pm API in external packages (#1087)

appurva21 · web-flow · commit 05ff37067d3d · 2025-04-28T19:53:48.000+05:30
diff --git a/CHANGELOG.yaml b/CHANGELOG.yaml
@@ -1,3 +1,8 @@
+unreleased:
+  fixed bugs:
+    - GH-1087 Restrict access to `pm` API in external packages
+    - GH-1086 Revert deprecation warnings for legacy packages
+
 6.1.0:
   date: 2025-03-27
   new features:
diff --git a/lib/sandbox/pm-require.js b/lib/sandbox/pm-require.js
@@ -4,7 +4,13 @@ const { LEGACY_GLOBS } = require('./postman-legacy-interface'),
     MODULE_WRAPPER = [
         '((exports, module) => {\n',
         `\n})(${MODULE_KEY}.exports, ${MODULE_KEY});`
-    ];
+    ],
+    PACKAGE_TYPE_REGEX = /^[^:]+:[^:]+$/,
+
+    // This is used to determine if the package is external or internal.
+    // External packages are those that are not part of the Postman's
+    // Package Library and follow the format `registry:package`.
+    isExternalPackage = (name) => { return PACKAGE_TYPE_REGEX.test(name); };
 
 /**
  * Cache of all files that are available to be required.
@@ -160,7 +166,12 @@ function createPostmanRequire (fileCache, scope) {
         //
         // Why `async` = true?
         //   - We want to allow execution of async code like setTimeout etc.
-        scope.exec(wrappedModule, { async: true, block: LEGACY_GLOBS }, (err) => {
+        scope.exec(wrappedModule, {
+            async: true,
+            block: isExternalPackage(name) ?
+                LEGACY_GLOBS.concat('pm') :
+                LEGACY_GLOBS
+        }, (err) => {
             // Bubble up the error to be caught as execution error
             if (err) {
                 throw new Error(`Error in package '${name}': ${err.message ? err.message : err}`);
diff --git a/test/unit/sandbox-libraries/pm-require.test.js b/test/unit/sandbox-libraries/pm-require.test.js
@@ -595,4 +595,19 @@ describe('sandbox library - pm.require api', function () {
             }
         }, done);
     });
+
+    it('should not have access to pm object for external packages', function (done) {
+        context.execute('const pkg = pm.require(\'npm:pkg1\');', {
+            context: sampleContextData,
+            resolvedPackages: {
+                'npm:pkg1': { data: `
+                    const assert = require('assert');
+                    assert.strictEqual(pm, undefined);
+                ` }
+            }
+        }, function (err) {
+            if (err) { return done(err); }
+            done();
+        });
+    });
 });
