Restrict access to pm API in external packages

appurva21 · appurva21 · commit 363a988500a7 · 2025-04-28T16:56:27.000+05:30
diff --git a/CHANGELOG.yaml b/CHANGELOG.yaml
@@ -1,3 +1,8 @@
+unreleased:
+  fixed bugs:
+    - GH-1087 Restrict access to `pm` API in external packages
+    - GH-1086 Revert deprecation warnings for legacy packages
+
 6.1.0:
   date: 2025-03-27
   new features:
diff --git a/lib/sandbox/pm-require.js b/lib/sandbox/pm-require.js
@@ -4,7 +4,13 @@ const { LEGACY_GLOBS } = require('./postman-legacy-interface'),
     MODULE_WRAPPER = [
         '((exports, module) => {\n',
         `\n})(${MODULE_KEY}.exports, ${MODULE_KEY});`
-    ];
+    ],
+    PACKAGE_TYPE_REGEX = /^[^:]+:[^:]+$/,
+
+    // This is used to determine if the package is external or internal.
+    // External packages are those that are not part of the Postman's
+    // Package Library and follow the format `registry:package`.
+    getPackageType = (name) => { return PACKAGE_TYPE_REGEX.test(name) ? 'external' : 'internal'; };
 
 /**
  * Cache of all files that are available to be required.
@@ -135,6 +141,7 @@ function createPostmanRequire (fileCache, scope) {
 
         /* eslint-disable-next-line one-var */
         const file = store.getFileData(path),
+            isExternalPackage = getPackageType(name) === 'external',
             moduleObj = {
                 id: path,
                 exports: {}
@@ -160,7 +167,12 @@ function createPostmanRequire (fileCache, scope) {
         //
         // Why `async` = true?
         //   - We want to allow execution of async code like setTimeout etc.
-        scope.exec(wrappedModule, { async: true, block: LEGACY_GLOBS }, (err) => {
+        scope.exec(wrappedModule, {
+            async: true,
+            block: isExternalPackage ?
+                ['pm', ...LEGACY_GLOBS] :
+                LEGACY_GLOBS
+        }, (err) => {
             // Bubble up the error to be caught as execution error
             if (err) {
                 throw new Error(`Error in package '${name}': ${err.message ? err.message : err}`);
diff --git a/test/unit/sandbox-libraries/pm-require.test.js b/test/unit/sandbox-libraries/pm-require.test.js
@@ -595,4 +595,19 @@ describe('sandbox library - pm.require api', function () {
             }
         }, done);
     });
+
+    it('should not have access to pm object for external packages', function (done) {
+        context.execute('const pkg = pm.require(\'npm:pkg1\');', {
+            context: sampleContextData,
+            resolvedPackages: {
+                'npm:pkg1': { data: `
+                    const assert = require('assert');
+                    assert.strictEqual(pm, undefined);
+                ` }
+            }
+        }, function (err) {
+            if (err) { return done(err); }
+            done();
+        });
+    });
 });
