build filters files outside the root (#103)

* build filters files outside the root
reverts part of #89

fixes #99

* fix tests and test imports of non-existing files

* more tests but I'm not sure if I'm using this correctly

* Update test/input/bar.js

Co-authored-by: Mike Bostock <[email protected]>

* fix test

* fix test, align signatures

* don’t canReadSync in isLocalPath

* syntax error on non-local file path

---------

Co-authored-by: Mike Bostock <[email protected]>

Author: Fil

src/files.ts

@@ -1,30 +1,14 @@
-import {type Stats, accessSync, constants, statSync} from "node:fs";
+import {type Stats} from "node:fs";
 import {mkdir, readdir, stat} from "node:fs/promises";
 import {dirname, extname, join, normalize, relative} from "node:path";
 import {isNodeError} from "./error.js";
 
-// A file is local if it exists in the root folder or a subfolder.
-export function isLocalFile(ref: string | null, root: string): boolean {
-  return (
-    typeof ref === "string" &&
-    !/^(\w+:)\/\//.test(ref) &&
-    !normalize(ref).startsWith("../") &&
-    canReadSync(join(root, ref))
-  );
-}
-
-export function pathFromRoot(ref: string | null, root: string): string | null {
-  return isLocalFile(ref, root) ? join(root, ref!) : null;
-}
-
-function canReadSync(path: string): boolean {
-  try {
-    accessSync(path, constants.R_OK);
-    return statSync(path).isFile();
-  } catch (error) {
-    if (isNodeError(error) && error.code === "ENOENT") return false;
-    throw error;
-  }
+// A path is local if it doesn’t go outside the the root.
+export function getLocalPath(sourcePath: string, name: string): string | null {
+  if (/^(\w+:)\/\//.test(name)) return null; // URL
+  const path = join(dirname(sourcePath.startsWith("/") ? sourcePath.slice("/".length) : sourcePath), name);
+  if (path.startsWith("../")) return null; // goes above root
+  return path;
 }
 
 export async function* visitMarkdownFiles(root: string): AsyncGenerator<string> {

src/javascript/features.ts

@@ -1,4 +1,5 @@
 import {simple} from "acorn-walk";
+import {getLocalPath} from "../files.js";
 import {type Feature} from "../javascript.js";
 import {isLocalImport} from "./imports.js";
 import {syntaxError} from "./syntaxError.js";
@@ -36,7 +37,13 @@ export function findFeatures(node, root, sourcePath, references, input) {
         throw syntaxError(`${callee.name} requires a single literal string argument`, node, input);
       }
 
-      features.push({type: callee.name, name: getStringLiteralValue(arg)});
+      // Forbid file attachments that are not local paths.
+      const value = getStringLiteralValue(arg);
+      if (callee.name === "FileAttachment" && !getLocalPath(sourcePath, value)) {
+        throw syntaxError(`non-local file path: "${value}"`, node, input);
+      }
+
+      features.push({type: callee.name, name: value});
     }
   });
 

src/markdown.ts

@@ -1,5 +1,5 @@
 import {readFile} from "node:fs/promises";
-import {dirname, join} from "node:path";
+import {join} from "node:path";
 import {type Patch, type PatchItem, getPatch} from "fast-array-diff";
 import equal from "fast-deep-equal";
 import matter from "gray-matter";
@@ -11,7 +11,7 @@ import {type RuleInline} from "markdown-it/lib/parser_inline.js";
 import {type RenderRule, type default as Renderer} from "markdown-it/lib/renderer.js";
 import MarkdownItAnchor from "markdown-it-anchor";
 import mime from "mime";
-import {isLocalFile, pathFromRoot} from "./files.js";
+import {getLocalPath} from "./files.js";
 import {computeHash} from "./hash.js";
 import {type FileReference, type ImportReference, type Transpile, transpileJavaScript} from "./javascript.js";
 import {transpileTag} from "./tag.js";
@@ -322,8 +322,8 @@ function normalizePieceHtml(html: string, root: string, sourcePath: string, cont
   const {document} = parseHTML(html);
   for (const element of document.querySelectorAll("link[href]") as any as Iterable<Element>) {
     const href = element.getAttribute("href")!;
-    const path = join(dirname(sourcePath), href);
-    if (isLocalFile(path, root)) {
+    const path = getLocalPath(sourcePath, href);
+    if (path) {
       context.files.push({name: href, mimeType: mime.getType(href)});
       element.setAttribute("href", `/_file/${path}`);
     }
@@ -463,6 +463,6 @@ export function diffMarkdown({parse: prevParse}: ReadMarkdownResult, {parse: nex
 }
 
 export async function readMarkdown(path: string, root: string): Promise<ReadMarkdownResult> {
-  const contents = await readFile(pathFromRoot(path, root)!, "utf-8");
+  const contents = await readFile(join(root, path), "utf-8");
   return {contents, parse: parseMarkdown(contents, root, path), hash: computeHash(contents)};
 }

src/preview.ts

@@ -260,7 +260,7 @@ function handleWatch(socket: WebSocket, options: {root: string; resolver: CellRe
           let {path} = message;
           if (!(path = normalize(path)).startsWith("/")) throw new Error("Invalid path: " + path);
           if (path.endsWith("/")) path += "index";
-          path = path.slice("/".length) + ".md";
+          path += ".md";
           markdownWatcher = watch(join(root, path), await refreshMarkdown(path));
           break;
         }

test/input/bar.js

@@ -0,0 +1 @@
+const bar = Symbol("bar");

test/input/dynamic-import-noent.js

@@ -0,0 +1 @@
+const foo = await import("./noent.js");

test/input/fetch-parent-dir.md

@@ -0,0 +1,36 @@
+# Parent dir
+
+Trying to fetch from the parent directory should fail.
+
+```js
+const fail1 = fetch("../NOENT.md").then(d => d.text())
+```
+
+```js
+const fail2 = FileAttachment("../NOENT.md").text()
+```
+
+```js
+const fail3 = fetch("../README.md").then(d => d.text())
+```
+
+```js
+const fail4 = FileAttachment("../README.md").text()
+```
+
+```js
+const fail5 = fetch("./NOENT.md").then(d => d.text())
+```
+
+```js
+const fail6 = FileAttachment("./NOENT.md").text()
+```
+
+```js
+const ok1 = fetch("./tex-expression.md").then(d => d.text())
+```
+
+```js
+const ok2 = FileAttachment("./tex-expression.md").text()
+```
+

test/input/static-import-noent.js

@@ -0,0 +1,3 @@
+import {foo} from "./noent.js";
+
+display(foo);

test/output/bar.js

@@ -0,0 +1,4 @@
+define({id: "0", outputs: ["bar"], body: () => {
+const bar = Symbol("bar");
+return {bar};
+}});

test/output/dynamic-import-noent.js

@@ -0,0 +1,4 @@
+define({id: "0", outputs: ["foo"], body: async () => {
+const foo = await import("/_import/noent.js");
+return {foo};
+}});