sandboxed modules cannot require with dot slash identifiers #44

Closed
tschaub opened this issue May 26, 2012 · 4 comments

tschaub commented May 26, 2012

Previously, it was possible to install a "sandboxed" require and require modules that used dot/slash identifiers to require other modules.

E.g.

main.js

try {
    var success = require("dot-relative/main").success;
    print("Success: " + success);
} catch (err) {
    print("Failed: " + err.message);
}

dot-relative/main.js

// ./sub/main is within the sandbox, right?
exports.success = require("./sub/main").success;

dot-relative/sub/main.js

exports.success = true;

At 2442919:

$ java -jar js.jar -modules . -sandbox main.js 
Failed: Module "dot-relative/sub/main" is not contained in sandbox.

tschaub commented May 26, 2012

I've added a test to my fork that demonstrates the same issue.

tschaub commented May 26, 2012

It's very possible that I don't understand what "sandboxed" is supposed to mean, but here's what things look like to me. If a module uses an identifier that doesn't start with a dot to require another module, that required module is considered sandboxed. If a module uses an identifier that does start with a dot to require another, that required module is not considered sandboxed, and it can no longer require any other modules if require was installed with sandboxed true - when an id starts with a dot, the moduleUri is non-null and the resulting module is created with a null base which means that isSandboxed returns false.

Is sandboxed really supposed to mean that modules can never use relative identifiers to require one another?

hns commented May 31, 2012

Fixed by 16f2f34.

Unfortunately I had to change public APIs in commonjs/module again, but this API changed anyway since 1.7R3.

I didn't merge your test case because the testRelativeId test we already have is supposed to cover this. The reason it didn't was that modules were first loaded by absolute ID and only then by relative ID, and the sandbox test is only performed the first time around. I fixed this so the test now triggers the sandbox check.

hns closed this as completed May 31, 2012

tschaub commented May 31, 2012

Thanks @hns for this change. Sandboxed require is working well for me again.
