ESM imports escape the sandbox & runfiles

[gregmagolan]

The relevent code in node is in resolve.js where there is a realPathSync call

https://github.com/nodejs/node/blob/4c5b96b376aa778cbe651362c29a26e0d4c32ccd/lib/internal/modules/esm/resolve.js#L310

This realPathSycn call does not get the fs monkey paches while the cjs require loader's realPathSync call does. It is unclear why.

This is the underlying reason why we current need --preserve-symlinks-main on by default in js_library so the .mjs entry points don't escape their runfiles.

It is also the reason mocha was observed to escape the sandbox in the repro #353 (comment) and likely related to #347.

This affects .mjs entry points and programs that use esm imports. For example, mocha uses the import() built-in that is affected.

[gregmagolan]

We suspect the underlying reason why the fs patches apply to the commonjs path and not the esm path in node is the fs import style in https://github.com/nodejs/node/blob/4c5b96b376aa778cbe651362c29a26e0d4c32ccd/lib/internal/modules/esm/resolve.js

const {
  realpathSync,
  statSync,
  Stats,
} = require('fs');

while the commonjs import is

const fs = require('fs');

Presumably both modules are evaluated before our fs patches, which are done in a --require from the command line. Our patches would apply only to the commonjs path since it has a reference to the fs module which we monkey patch while the esm path has references to the fs functions it needs directly which are not monkey patched.

[gregmagolan]

I tested the changed needed in Node.js to resolve this and it works as expected. The change is just aspect-forks/node@6616ddd.

[gregmagolan]

"Minimal" repro: https://github.com/gregmagolan/repro_rules_js_362