Disable legacy API in pm.require-d packages

lib/sandbox/pm-require.js

@@ -1,4 +1,6 @@
-const MODULE_KEY = '__module_obj', // why not use `module`?
+const { LEGACY_GLOBS } = require('./postman-legacy-interface'),
+
+    MODULE_KEY = '__module_obj', // why not use `module`?
     MODULE_WRAPPER = [
         '(function (exports, module) {\n',
         `\n})(${MODULE_KEY}.exports, ${MODULE_KEY});`
@@ -158,7 +160,7 @@ function createPostmanRequire (fileCache, scope) {
         //
         // Why `async` = true?
         //   - We want to allow execution of async code like setTimeout etc.
-        scope.exec(wrappedModule, true, (err) => {
+        scope.exec(wrappedModule, { async: true, blocked: LEGACY_GLOBS }, (err) => {
             // Bubble up the error to be caught as execution error
             if (err) {
                 throw err;

lib/sandbox/postman-legacy-interface.js

@@ -416,5 +416,7 @@ module.exports = {
         }
 
         raiseAssertionEvent(scope, pmapi, onAssertion);
-    }
+    },
+
+    LEGACY_GLOBS
 };

test/unit/sandbox-libraries/pm-require.test.js

@@ -505,4 +505,77 @@ describe('sandbox library - pm.require api', function () {
             }
         }, done);
     });
+
+    it('should not have access to legacy postman global', function (done) {
+        const errorSpy = sinon.stub();
+
+        context.on('execution.error', errorSpy);
+        context.execute(`
+            pm.require('sync_usage');
+            pm.require('func_usage');
+            pm.require('async_usage');
+            setTimeout(() => {}, 20); // wait for async code to finish
+        `, {
+            context: sampleContextData,
+            resolvedPackages: {
+                sync_usage: {
+                    data: ['var assert = require(\'assert\');'].concat(
+                        [
+                            'tests',
+                            'globals',
+                            'environment',
+                            'data',
+                            'request',
+                            'responseCookies',
+                            'responseHeaders',
+                            'responseTime',
+                            'responseCode',
+                            'responseBody',
+                            'iteration',
+                            'postman',
+
+                            // scope libraries
+                            'JSON',
+                            '_',
+                            'CryptoJS',
+                            'atob',
+                            'btoa',
+                            'tv4',
+                            'xml2Json',
+                            'Backbone',
+                            'cheerio'
+                        ].map(function (key) {
+                            return `assert.strictEqual(${key}, undefined);`;
+                        })
+                    ).join('\n')
+                },
+                func_usage: {
+                    data: `
+                        var assert = require('assert');
+                        try {
+                            Function('return postman')();
+                            throw new Error('should not reach here');
+                        } catch (e) {
+                            assert.strictEqual(e.message, 'postman is not defined');
+                        }
+                    `
+                },
+                async_usage: {
+                    data: `
+                        var assert = require('assert');
+                        setTimeout(function () {
+                            assert.strictEqual(postman, undefined);
+                        }, 10);
+                    `
+                }
+            }
+        }, function (err) {
+            if (err) {
+                return done(err);
+            }
+
+            expect(errorSpy).to.not.have.been.called;
+            done();
+        });
+    });
 });