feat: add experimental js_binary(patch_node_esm_loader)

Author: devversion

.gitattributes

@@ -6,5 +6,5 @@ js/private/coverage/coverage.js linguist-generated=true
 js/private/devserver/js_run_devserver.mjs linguist-generated=true
 js/private/watch/aspect_watch_protocol.mjs linguist-generated=true
 js/private/watch/aspect_watch_protocol.d.mts linguist-generated=true
-js/private/node-patches/fs.cjs linguist-generated=true
+js/private/node-patches/fs*.cjs linguist-generated=true
 js/private/js_image_layer.mjs linguist-generated=true

.prettierignore

@@ -6,6 +6,7 @@ examples/**/*-docs.md
 js/private/coverage/coverage.js
 js/private/devserver/js_run_devserver.mjs
 js/private/node-patches/fs.cjs
+js/private/node-patches/fs_stat.cjs
 js/private/watch/aspect_watch_protocol.mjs
 js/private/watch/aspect_watch_protocol.d.mts
 min/

docs/js_binary.md

@@ -205,6 +205,13 @@ _ATTRS = {
         which can lead to non-hermetic behavior.""",
         default = True,
     ),
+    "patch_node_esm_loader": attr.bool(
+        doc = """Apply the internal lstat patch to prevent the program from following symlinks out of
+        the execroot, runfiles and the sandbox even when using the ESM loader.
+
+        This flag only has an effect when `patch_node_fs` is True.""",
+        default = False,
+    ),
     "include_sources": attr.bool(
         doc = """When True, `sources` from `JsInfo` providers in `data` targets are included in the runfiles of the target.""",
         default = True,
@@ -320,7 +327,10 @@ _ATTRS = {
     "_windows_constraint": attr.label(default = "@platforms//os:windows"),
     "_node_patches_files": attr.label_list(
         allow_files = True,
-        default = [Label("@aspect_rules_js//js/private/node-patches:fs.cjs")],
+        default = [
+            Label("@aspect_rules_js//js/private/node-patches:fs.cjs"),
+            Label("@aspect_rules_js//js/private/node-patches:fs_stat.cjs"),
+        ],
     ),
     "_node_patches": attr.label(
         allow_single_file = True,
@@ -391,6 +401,8 @@ def _bash_launcher(ctx, nodeinfo, entry_point_path, log_prefix_rule_set, log_pre
     if ctx.attr.patch_node_fs:
         # Set patch node fs API env if not already set to allow js_run_binary to override
         envs.append(_ENV_SET_IFF_NOT_SET.format(var = "JS_BINARY__PATCH_NODE_FS", value = "1"))
+        if ctx.attr.patch_node_esm_loader:
+            envs.append(_ENV_SET_IFF_NOT_SET.format(var = "JS_BINARY__PATCH_NODE_ESM_LOADER", value = "1"))
 
     if ctx.attr.expected_exit_code:
         envs.append(_ENV_SET.format(

docs/js_run_binary.md

@@ -43,6 +43,7 @@ def js_run_binary(
         execution_requirements = None,
         stamp = 0,
         patch_node_fs = True,
+        patch_node_esm_loader = False,
         allow_execroot_entry_point_with_no_copy_data_to_bin = False,
         use_default_shell_env = None,
         **kwargs):
@@ -224,6 +225,8 @@ def js_run_binary(
             When disabled, node programs can leave the execroot, runfiles and sandbox by following symlinks
             which can lead to non-hermetic behavior.
 
+        patch_node_esm_loader: additionally patch the Node.js ESM loader
+
         allow_execroot_entry_point_with_no_copy_data_to_bin: Turn off validation that the `js_binary` tool
             has `copy_data_to_bin` set to True when `use_execroot_entry_point` is set to True.
 
@@ -337,6 +340,11 @@ WARNING: js_library 'include_declarations' is deprecated. Use 'include_types' in
     # Disable node patches if requested
     if patch_node_fs:
         fixed_env["JS_BINARY__PATCH_NODE_FS"] = "1"
+
+        if patch_node_esm_loader:
+            fixed_env["JS_BINARY__PATCH_NODE_ESM_LOADER"] = "1"
+        else:
+            fixed_env["JS_BINARY__PATCH_NODE_ESM_LOADER"] = "0"
     else:
         # Set explicitly to "0" so disable overrides any enable in the js_binary
         fixed_env["JS_BINARY__PATCH_NODE_FS"] = "0"