feat: remote module security (#331)

Author: NathanWalker

NativeScript/runtime/DevFlags.h

@@ -1,5 +1,7 @@
 #pragma once
 
+#include <string>
+
 // Centralized development/runtime flags helpers usable across runtime sources.
 // These read from app package.json via Runtime::GetAppConfigValue and other
 // runtime configuration to determine behavior of dev features.
@@ -10,4 +12,17 @@ namespace tns {
 // Controlled by package.json setting: "logScriptLoading": true|false
 bool IsScriptLoadingLogEnabled();
 
+// Security config
+
+// In debug mode (RuntimeConfig.IsDebug): always returns true.
+// checks "security.allowRemoteModules" from nativescript.config.
+bool IsRemoteModulesAllowed();
+
+// "security.remoteModuleAllowlist" array from nativescript.config.
+// If no allowlist is configured but allowRemoteModules is true, all URLs are allowed.
+bool IsRemoteUrlAllowed(const std::string& url);
+
+// Init security configuration
+void InitializeSecurityConfig();
+
 } // namespace tns

NativeScript/runtime/DevFlags.mm

@@ -3,6 +3,8 @@
 #include "DevFlags.h"
 #include "Runtime.h"
 #include "RuntimeConfig.h"
+#include <vector>
+#include <mutex>
 
 namespace tns {
 
@@ -11,4 +13,85 @@ bool IsScriptLoadingLogEnabled() {
   return value ? [value boolValue] : false;
 }
 
+// Security config
+
+static std::once_flag s_securityConfigInitFlag;
+static bool s_allowRemoteModules = false;
+static std::vector<std::string> s_remoteModuleAllowlist;
+
+// Helper to check if a URL starts with a given prefix
+static bool UrlStartsWith(const std::string& url, const std::string& prefix) {
+  if (prefix.size() > url.size()) return false;
+  return url.compare(0, prefix.size(), prefix) == 0;
+}
+
+void InitializeSecurityConfig() {
+  std::call_once(s_securityConfigInitFlag, []() {
+    @autoreleasepool {
+      // Get the security configuration object
+      id securityValue = Runtime::GetAppConfigValue("security");
+      if (!securityValue || ![securityValue isKindOfClass:[NSDictionary class]]) {
+        // No security config: defaults remain (remote modules disabled in production)
+        return;
+      }
+      
+      NSDictionary* security = (NSDictionary*)securityValue;
+      
+      // Check allowRemoteModules
+      id allowRemote = security[@"allowRemoteModules"];
+      if (allowRemote && [allowRemote respondsToSelector:@selector(boolValue)]) {
+        s_allowRemoteModules = [allowRemote boolValue];
+      }
+      
+      // Parse remoteModuleAllowlist
+      id allowlist = security[@"remoteModuleAllowlist"];
+      if (allowlist && [allowlist isKindOfClass:[NSArray class]]) {
+        NSArray* list = (NSArray*)allowlist;
+        for (id item in list) {
+          if ([item isKindOfClass:[NSString class]]) {
+            NSString* str = (NSString*)item;
+            if (str.length > 0) {
+              s_remoteModuleAllowlist.push_back(std::string([str UTF8String]));
+            }
+          }
+        }
+      }
+    }
+  });
+}
+
+bool IsRemoteModulesAllowed() {
+  if (RuntimeConfig.IsDebug) {
+    return true;
+  }
+  
+  InitializeSecurityConfig();
+  return s_allowRemoteModules;
+}
+
+bool IsRemoteUrlAllowed(const std::string& url) {
+  if (RuntimeConfig.IsDebug) {
+    return true;
+  }
+  
+  InitializeSecurityConfig();
+  if (!s_allowRemoteModules) {
+    return false;
+  }
+  
+  // If no allowlist is configured, allow all URLs (user explicitly enabled remote modules)
+  if (s_remoteModuleAllowlist.empty()) {
+    return true;
+  }
+  
+  // Check if URL matches any allowlist prefix
+  for (const std::string& prefix : s_remoteModuleAllowlist) {
+    if (UrlStartsWith(url, prefix)) {
+      return true;
+    }
+  }
+  
+  return false;
+}
+
 } // namespace tns

NativeScript/runtime/HMRSupport.mm

@@ -240,6 +240,16 @@ void InitializeImportMetaHot(v8::Isolate* isolate,
 }
 
 bool HttpFetchText(const std::string& url, std::string& out, std::string& contentType, int& status) {
+  // Security gate: check if remote module loading is allowed before any HTTP fetch.
+  // This is the single point of enforcement for all HTTP module loading.
+  if (!IsRemoteUrlAllowed(url)) {
+    status = 403; // Forbidden
+    if (IsScriptLoadingLogEnabled()) {
+      Log(@"[http-esm][security][blocked] %s", url.c_str());
+    }
+    return false;
+  }
+  
   @autoreleasepool {
     NSURL* u = [NSURL URLWithString:[NSString stringWithUTF8String:url.c_str()]];
     if (!u) { status = 0; return false; }

NativeScript/runtime/ModuleInternalCallbacks.mm

@@ -96,8 +96,6 @@ static inline bool EndsWith(const std::string& value, const std::string& suffix)
   return std::equal(suffix.rbegin(), suffix.rend(), value.rbegin());
 }
 
-// Dev-only HTTP ESM loader helpers
-
 static inline bool StartsWith(const std::string& s, const char* prefix) {
   size_t n = strlen(prefix);
   return s.size() >= n && s.compare(0, n, prefix) == 0;
@@ -725,7 +723,8 @@ static bool IsDocumentsPath(const std::string& path) {
 
   // ── Early absolute-HTTP fast path ─────────────────────────────
   // If the specifier itself is an absolute HTTP(S) URL, resolve it immediately via
-  // the HTTP dev loader and return before any filesystem candidate logic runs.
+  // the HTTP loader and return before any filesystem candidate logic runs.
+  // Security: HttpFetchText gates remote module access centrally.
   if (StartsWith(spec, "http://") || StartsWith(spec, "https://")) {
     std::string key = CanonicalizeHttpUrlKey(spec);
     // Added instrumentation for unified phase logging
@@ -825,6 +824,7 @@ static bool IsDocumentsPath(const std::string& path) {
   // ("./" or "../") or root-absolute ("/") specifiers should resolve against the
   // referrer's URL, not the local filesystem. Mirror browser behavior by using NSURL
   // to construct the absolute URL, then return an HTTP-loaded module immediately.
+  // Security: HttpFetchText gates remote module access centrally.
   bool referrerIsHttp = (!referrerPath.empty() && (StartsWith(referrerPath, "http://") || StartsWith(referrerPath, "https://")));
   bool specIsRootAbs = !spec.empty() && spec[0] == '/';
   if (referrerIsHttp && (specIsRelative || specIsRootAbs)) {
@@ -845,6 +845,7 @@ static bool IsDocumentsPath(const std::string& path) {
       }
     }
     if (!resolvedHttp.empty() && (StartsWith(resolvedHttp, "http://") || StartsWith(resolvedHttp, "https://"))) {
+      // Security: HttpFetchText gates remote module access centrally.
       if (IsScriptLoadingLogEnabled()) {
         Log(@"[resolver][http-rel] base=%s spec=%s -> %s", referrerPath.c_str(), spec.c_str(), resolvedHttp.c_str());
       }
@@ -1009,6 +1010,7 @@ static bool IsDocumentsPath(const std::string& path) {
   std::string absPath;
 
   // If the specifier is an HTTP(S) URL, fetch via HTTP loader and return
+  // Security: HttpFetchText gates remote module access centrally.
   if (StartsWith(spec, "http://") || StartsWith(spec, "https://")) {
     std::string key = CanonicalizeHttpUrlKey(spec);
     if (IsScriptLoadingLogEnabled()) {
@@ -1095,6 +1097,7 @@ static bool IsDocumentsPath(const std::string& path) {
 
     // If a candidate accidentally embeds a collapsed HTTP URL like '/app/http:/host/...',
     // reconstruct the HTTP URL and resolve via the HTTP loader instead of touching the filesystem.
+    // Security: HttpFetchText gates remote module access centrally.
     auto rerouteHttpIfEmbedded = [&](const std::string& p) -> bool {
       size_t pos1 = p.find("/http:/");
       size_t pos2 = p.find("/https:/");
@@ -1108,6 +1111,7 @@ static bool IsDocumentsPath(const std::string& path) {
         tail.insert(6, "/");
       }
       if (!(StartsWith(tail, "http://") || StartsWith(tail, "https://"))) return false;
+      
       if (IsScriptLoadingLogEnabled()) { Log(@"[resolver][http-embedded] %s -> %s", p.c_str(), tail.c_str()); }
       std::string key = CanonicalizeHttpUrlKey(tail);
       auto itExisting = g_moduleRegistry.find(key);
@@ -1912,6 +1916,7 @@ static bool IsDocumentsPath(const std::string& path) {
     }
 
     // If spec is an HTTP(S) URL, try HTTP fetch+compile directly
+    // Security: HttpFetchText gates remote module access centrally.
     if (!normalizedSpec.empty() && (StartsWith(normalizedSpec, "http://") || StartsWith(normalizedSpec, "https://"))) {
       if (IsScriptLoadingLogEnabled()) {
         Log(@"[dyn-import][http-loader] trying URL %s", normalizedSpec.c_str());

TestRunner/app/package.json

@@ -1,3 +1,11 @@
 {
-    "main": "index"
+    "main": "index",
+    "security": {
+        "allowRemoteModules": true,
+        "remoteModuleAllowlist": [
+            "https://esm.sh/",
+            "https://cdn.example.com/modules/",
+            "https://unpkg.com/"
+        ]
+    }
 }