rules_js icon indicating copy to clipboard operation
rules_js copied to clipboard
verified publisher icon aspect-build

Imports escape sandbox when using --inspect-brk

Open matthewjh opened this issue 3 years ago • 2 comments

When using CJS modules and --inspect-brk , --preserve-symlinks-main is not respected. I opened https://github.com/nodejs/node/issues/44856 on the node project for the underlying issue.

As a result, the basis for module resolutions is taken to be the "realpath" of the entrypoint symlink, rather than the runfiles path. Because these paths fall outside of the fs patch roots, isSubPath(root, linkPath) returns false in the code below, meaning isEscape returns false in all the fs patch methods:

https://github.com/aspect-build/rules_js/blob/main/js/private/node-patches/fs.js#L751

A workaround for this seems particularly important, as having different behaviour when debugging is (for obvious reasons) not helpful. Debugging failed module resolutions becomes almost impossible if everything breaks out when using the debugger.

I wonder whether this could be detected and corrected inside the fs patch. Don't we have the runfiles (symlink) path of the entrypoint in process.argv[1]? In the patches, can't we check realpath(process.argv[1]) === thisPath and use process.argv[1] instead, so that the basis for module resolutions outwards from the entry point use the symlink rather than the real path?

I don't know why rules_nodejs didn't suffer from this, but maybe that is also a path to solution.

matthewjh avatar Oct 04 '22 11:10 matthewjh

Thanks for writing up the issue. Do you have repro for this issue? It would help us figure out how to address it.

cgrindel avatar Oct 13 '22 17:10 cgrindel

In rules_js/e2e/rules_foo/foo, note the log from console.log(console.log(require.resolve('@aspect-test/a'))) in main.js:

Good case (resolve path is within runfiles):

$ bazel run //foo:main
// console.log(console.log(require.resolve('@aspect-test/a')))
<bazel base>/execroot/rules_foo/bazel-out/darwin_arm64-fastbuild/bin/foo/main.sh.runfiles/rules_foo/foo/node_modules/.aspect_rules_js/@[email protected]/node_modules/@aspect-test/a/index.js

Bad case (resolve path is in not in runfiles):

$ bazel run //foo:main --node_options=--inspect-brk
<bazel base>/execroot/rules_foo/bazel-out/darwin_arm64-fastbuild/bin/foo/node_modules/.aspect_rules_js/@[email protected]/node_modules/@aspect-test/a/index.js

matthewjh avatar Oct 15 '22 14:10 matthewjh