runtime: enforce security host policy for remote fallback fetches

Author: unadlib

packages/runtime/src/embed.ts

@@ -22,21 +22,23 @@ export async function renderPlanInBrowser(
       options.autoPinModuleLoader ??
       options.runtimeOptions?.moduleLoader ??
       new JspmModuleLoader();
+    const security = options.security ?? new DefaultSecurityChecker();
+    security.initialize(options.securityInitialization);
+    const policy = security.getPolicy();
     const runtime =
       options.runtime ??
       new DefaultRuntimeManager({
         moduleLoader,
         ...(options.runtimeOptions ?? {}),
+        allowArbitraryNetwork: policy.allowArbitraryNetwork,
+        allowedNetworkHosts: policy.allowedNetworkHosts,
       });
-    const security = options.security ?? new DefaultSecurityChecker();
 
     const shouldInitializeRuntime =
       options.autoInitializeRuntime !== false || options.runtime === undefined;
     const shouldTerminateRuntime =
       options.autoTerminateRuntime !== false && options.runtime === undefined;
 
-    security.initialize(options.securityInitialization);
-
     if (shouldInitializeRuntime) {
       await runtime.initialize();
     }

packages/runtime/src/manager.ts

@@ -128,6 +128,8 @@ export class DefaultRuntimeManager implements RuntimeManager {
   private readonly remoteFetchRetries: number;
   private readonly remoteFetchBackoffMs: number;
   private readonly remoteFallbackCdnBases: string[];
+  private readonly allowArbitraryNetwork: boolean;
+  private readonly allowedNetworkHosts: Set<string>;
   private readonly browserModuleUrlCache = new Map<string, string>();
   private readonly browserModuleInflight = new Map<string, Promise<string>>();
   private readonly browserBlobUrls = new Set<string>();
@@ -186,6 +188,13 @@ export class DefaultRuntimeManager implements RuntimeManager {
     this.remoteFallbackCdnBases = normalizeFallbackCdnBases(
       options.remoteFallbackCdnBases,
     );
+    this.allowArbitraryNetwork = options.allowArbitraryNetwork ?? true;
+    this.allowedNetworkHosts = new Set(
+      (options.allowedNetworkHosts ?? [])
+        .filter((entry): entry is string => typeof entry === "string")
+        .map((entry) => entry.trim().toLowerCase())
+        .filter((entry) => entry.length > 0),
+    );
   }
 
   async initialize(): Promise<void> {
@@ -635,6 +644,7 @@ export class DefaultRuntimeManager implements RuntimeManager {
           runtimeDiagnostics,
           requireManifest,
         ),
+      isRemoteUrlAllowed: (url) => this.isRemoteUrlAllowed(url),
     });
   }
 
@@ -695,6 +705,29 @@ export class DefaultRuntimeManager implements RuntimeManager {
     return normalizeRuntimeSourceOutput(output);
   }
 
+  private isRemoteUrlAllowed(url: string): boolean {
+    if (this.allowArbitraryNetwork) {
+      return true;
+    }
+
+    if (this.allowedNetworkHosts.size === 0) {
+      return false;
+    }
+
+    let parsedUrl: URL;
+    try {
+      parsedUrl = new URL(url);
+    } catch {
+      return false;
+    }
+
+    if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+      return false;
+    }
+
+    return this.allowedNetworkHosts.has(parsedUrl.host.toLowerCase());
+  }
+
   private async resolveNode(
     node: RuntimeNode,
     moduleManifest: RuntimeModuleManifest | undefined,

packages/runtime/src/runtime-manager.types.ts

@@ -87,6 +87,8 @@ export interface RuntimeManagerOptions {
   remoteFetchRetries?: number;
   remoteFetchBackoffMs?: number;
   remoteFallbackCdnBases?: string[];
+  allowArbitraryNetwork?: boolean;
+  allowedNetworkHosts?: string[];
 }
 
 export interface RuntimeSourceTranspileInput {

packages/runtime/src/runtime-source-module-loader.ts

@@ -36,6 +36,7 @@ export interface RuntimeSourceModuleLoaderOptions {
     diagnostics: RuntimeDiagnostic[],
     requireManifest?: boolean,
   ) => string;
+  isRemoteUrlAllowed?: (url: string) => boolean;
 }
 
 export class RuntimeSourceModuleLoader {
@@ -59,6 +60,7 @@ export class RuntimeSourceModuleLoader {
     diagnostics: RuntimeDiagnostic[],
     requireManifest?: boolean,
   ) => string;
+  private readonly isRemoteUrlAllowedFn: (url: string) => boolean;
 
   constructor(options: RuntimeSourceModuleLoaderOptions) {
     this.moduleManifest = options.moduleManifest;
@@ -74,6 +76,7 @@ export class RuntimeSourceModuleLoader {
     this.createInlineModuleUrlFn = options.createInlineModuleUrl;
     this.resolveRuntimeSourceSpecifierFn =
       options.resolveRuntimeSourceSpecifier;
+    this.isRemoteUrlAllowedFn = options.isRemoteUrlAllowed ?? (() => true);
   }
 
   async importSourceModuleFromCode(code: string): Promise<unknown> {
@@ -241,11 +244,18 @@ export class RuntimeSourceModuleLoader {
       throw new Error(`Failed to load module: ${url}`);
     }
 
+    const filteredAttempts = this.filterDisallowedAttempts(attempts);
+    if (filteredAttempts.length === 0) {
+      throw new Error(
+        `Remote module URL is blocked by runtime network policy: ${url}`,
+      );
+    }
+
     const hedgeDelayMs = Math.max(
       50,
       Math.min(300, this.remoteFetchBackoffMs || 100),
     );
-    const fetchTasks = attempts.map((attempt, index) =>
+    const fetchTasks = filteredAttempts.map((attempt, index) =>
       this.fetchRemoteModuleAttemptWithRetries(
         attempt,
         url,
@@ -337,6 +347,24 @@ export class RuntimeSourceModuleLoader {
     }
   }
 
+  private filterDisallowedAttempts(attempts: string[]): string[] {
+    const allowed: string[] = [];
+    for (const attempt of attempts) {
+      if (this.isRemoteUrlAllowedFn(attempt)) {
+        allowed.push(attempt);
+        continue;
+      }
+
+      this.diagnostics.push({
+        level: "warning",
+        code: "RUNTIME_SOURCE_IMPORT_BLOCKED",
+        message: `Blocked remote module URL by runtime network policy: ${attempt}`,
+      });
+    }
+
+    return allowed;
+  }
+
   private errorToMessage(error: unknown): string {
     if (error instanceof Error) {
       return error.message;

tests/runtime.test.ts

@@ -648,6 +648,39 @@ test("renderPlanInBrowser rejects plan when security policy fails", async () =>
   );
 });
 
+test("renderPlanInBrowser binds default runtime network policy to security policy", async () => {
+  const plan: RuntimePlan = {
+    specVersion: DEFAULT_RUNTIME_PLAN_SPEC_VERSION,
+    id: "embed_runtime_security_network_policy",
+    version: 1,
+    root: createElementNode("section", undefined, [createTextNode("ok")]),
+    capabilities: {
+      domWrite: true,
+    },
+  };
+
+  const result = await renderPlanInBrowser(plan, {
+    runtimeOptions: {
+      browserSourceSandboxMode: "none",
+      remoteFallbackCdnBases: ["https://esm.sh"],
+    },
+    securityInitialization: {
+      profile: "strict",
+    },
+  });
+
+  const runtime = result.runtime as unknown as {
+    allowArbitraryNetwork?: boolean;
+    allowedNetworkHosts?: Set<string>;
+  };
+
+  assert.equal(runtime.allowArbitraryNetwork, false);
+  assert.deepEqual(
+    [...(runtime.allowedNetworkHosts ?? new Set<string>())].sort(),
+    ["cdn.jspm.io", "ga.jspm.io"],
+  );
+});
+
 test("renderPlanInBrowser serializes concurrent renders for the same target", async () => {
   const planA: RuntimePlan = {
     specVersion: DEFAULT_RUNTIME_PLAN_SPEC_VERSION,
@@ -719,6 +752,10 @@ test("renderPlanInBrowser serializes concurrent renders for the same target", as
 
   const security = {
     initialize: () => {},
+    getPolicy: () => ({
+      allowArbitraryNetwork: true,
+      allowedNetworkHosts: [],
+    }),
     checkPlan: () => ({
       safe: true,
       issues: [],
@@ -1651,6 +1688,80 @@ test("runtime source loader hedges fallback CDN requests", async () => {
   }
 });
 
+test("runtime source loader skips fallback URLs blocked by network policy", async () => {
+  const runtime = new DefaultRuntimeManager({
+    remoteFallbackCdnBases: ["https://esm.sh"],
+    remoteFetchRetries: 0,
+    remoteFetchBackoffMs: 10,
+    remoteFetchTimeoutMs: 1200,
+    allowArbitraryNetwork: false,
+    allowedNetworkHosts: ["ga.jspm.io", "cdn.jspm.io"],
+  });
+
+  const diagnostics: Array<{ code?: string; message?: string }> = [];
+  const loader = (
+    runtime as unknown as {
+      createSourceModuleLoader: (
+        moduleManifest: RuntimeModuleManifest | undefined,
+        diagnostics: Array<{ code?: string; message?: string }>,
+      ) => {
+        fetchRemoteModuleCodeWithFallback(
+          url: string,
+        ): Promise<{ requestUrl: string }>;
+      };
+    }
+  ).createSourceModuleLoader(undefined, diagnostics);
+
+  const requestedUrls: string[] = [];
+  const originalFetch = globalThis.fetch;
+  globalThis.fetch = (async (input: RequestInfo | URL) => {
+    const requestUrl = String(input);
+    requestedUrls.push(requestUrl);
+
+    if (requestUrl.startsWith("https://ga.jspm.io/")) {
+      return new Response("slow-failure", { status: 503 });
+    }
+
+    if (requestUrl.startsWith("https://esm.sh/")) {
+      return new Response("export default 1;", {
+        status: 200,
+        headers: {
+          "content-type": "text/javascript; charset=utf-8",
+        },
+      });
+    }
+
+    return new Response("not-found", { status: 404 });
+  }) as typeof fetch;
+
+  try {
+    await assert.rejects(
+      loader.fetchRemoteModuleCodeWithFallback(
+        "https://ga.jspm.io/npm:lit@3.3.0/index.js",
+      ),
+    );
+
+    assert.ok(
+      requestedUrls.some((url) => url.startsWith("https://ga.jspm.io/")),
+      "expected primary JSPM URL to be requested",
+    );
+    assert.equal(
+      requestedUrls.some((url) => url.startsWith("https://esm.sh/")),
+      false,
+      "did not expect blocked fallback host to be requested",
+    );
+    assert.ok(
+      diagnostics.some(
+        (item) =>
+          item.code === "RUNTIME_SOURCE_IMPORT_BLOCKED" &&
+          item.message?.includes("https://esm.sh/"),
+      ),
+    );
+  } finally {
+    globalThis.fetch = originalFetch;
+  }
+});
+
 test("runtime source loader supports disabling fallback cdn attempts", async () => {
   const runtime = new DefaultRuntimeManager({
     remoteFallbackCdnBases: [],