Don't allow import to escape the subtree of a script
dlespiau opened this issue · comments
Damien commented
We don't want jk scripts to be able to load arbitrary files on the system. That would allow to break hermeticity a bit too easily.
Michael Bridgen commented
There are now two guards against this:
- modules are loaded from virtual file systems, so paths outside the root are not accessible
- any import path beginning with
./
or../
is resolved by the RelativeImporter, which looks only in the virtual file system of the importing module