
[BUG] allow-local-file-access not respected in JavaScript require() function #7333

@coderabbitai

Bug Report

Description

The require() function (powered by goja) used the default host filesystem loader, which allowed JavaScript templates to import arbitrary local files even when the allow-local-file-access configuration option was explicitly disabled.

Additionally, pooled runtimes retained require() state across executions. This meant a module loaded during a privileged execution could remain cached and be accessible during a later restricted execution, effectively bypassing the sandbox.

Steps to Reproduce

  1. Disable allow-local-file-access in nuclei configuration.
  2. Create a JavaScript template that uses require() to load a local file.
  3. Run nuclei with the template.

Expected behavior: The require() call should be blocked/sandboxed when allow-local-file-access is disabled.

Actual behavior: The require() call succeeds and loads the local file, bypassing the allow-local-file-access restriction.

Root Cause

  • The goja require registry was globally shared and not rebuilt per-execution, so execution-specific context (including sandbox rules) was not applied to module loading.
  • The cached module state from privileged executions leaked into subsequent restricted executions via the pooled runtime's require cache.

Related PR

Fixed in: #7332

Reported by

@dwisiswant0
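The two root causes listed in the report can be reproduced with a small model of a pooled runtime and its require() registry. The Go program below is an added example written for this page, not code from nuclei or goja; `Policy`, `Loader`, `Runtime`, `Pool` and `Scenario` are hypothetical names standing in for nuclei's per-execution options, a goja_nodejs source loader, a pooled goja runtime and one template run. A pool built with `sharedRegistry=true` keeps the loader and module cache across executions (the bug); with `false` it rebinds the loader to the new execution's policy and starts from an empty cache (the fix). The module files are constructed temp files.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sync"
)

// ErrLocalFileAccessDenied is returned when allow-local-file-access is off.
var ErrLocalFileAccessDenied = errors.New("require: local file access disabled for this execution")

// Policy is the per-execution sandbox configuration (hypothetical stand-in
// for the options nuclei resolves for each template run).
type Policy struct{ AllowLocalFileAccess bool }

// Loader maps a require() path to module source (hypothetical stand-in for a
// goja_nodejs SourceLoader). The default host-filesystem loader never checks
// the policy; this one is bound to exactly one execution's policy.
type Loader func(path string) ([]byte, error)

func PolicyLoader(p Policy) Loader {
	return func(path string) ([]byte, error) {
		if !p.AllowLocalFileAccess {
			return nil, ErrLocalFileAccessDenied
		}
		return os.ReadFile(filepath.Clean(path))
	}
}

// Runtime is a pooled script runtime with a require() module cache.
type Runtime struct {
	cache  map[string][]byte
	loader Loader
}

// Require answers from the cache first; that is exactly why a cache that
// survives across executions leaks privileged modules into restricted ones.
func (r *Runtime) Require(path string) ([]byte, error) {
	if src, ok := r.cache[path]; ok {
		return src, nil
	}
	src, err := r.loader(path)
	if err != nil {
		return nil, err
	}
	r.cache[path] = src
	return src, nil
}

// Pool hands out runtimes. sharedRegistry=true models the reported bug
// (registry built once, cache reused); false models the fix.
type Pool struct {
	mu             sync.Mutex
	free           []*Runtime
	sharedRegistry bool
}

func NewPool(shared bool) *Pool { return &Pool{sharedRegistry: shared} }

func (p *Pool) Acquire(policy Policy) *Runtime {
	p.mu.Lock()
	defer p.mu.Unlock()
	if n := len(p.free); n > 0 {
		rt := p.free[n-1]
		p.free = p.free[:n-1]
		if !p.sharedRegistry {
			// Fix: rebuild the require registry for this execution.
			rt.loader = PolicyLoader(policy)
			rt.cache = map[string][]byte{}
		}
		return rt
	}
	return &Runtime{cache: map[string][]byte{}, loader: PolicyLoader(policy)}
}

func (p *Pool) Release(rt *Runtime) {
	p.mu.Lock()
	p.free = append(p.free, rt)
	p.mu.Unlock()
}

// Scenario runs a privileged execution that require()s cachedPath, then a
// restricted execution on the same pooled runtime that require()s both
// cachedPath (tests the cache leak) and freshPath (tests the stale loader).
func Scenario(pool *Pool, cachedPath, freshPath string) (cachedLeak, freshLoad bool, err error) {
	rt := pool.Acquire(Policy{AllowLocalFileAccess: true})
	if _, err = rt.Require(cachedPath); err != nil {
		return false, false, err
	}
	pool.Release(rt)

	rt = pool.Acquire(Policy{AllowLocalFileAccess: false})
	defer pool.Release(rt)
	_, errCached := rt.Require(cachedPath)
	_, errFresh := rt.Require(freshPath)
	for _, e := range []error{errCached, errFresh} {
		if e != nil && !errors.Is(e, ErrLocalFileAccessDenied) {
			return false, false, e
		}
	}
	return errCached == nil, errFresh == nil, nil
}

func main() {
	dir, err := os.MkdirTemp("", "require-sandbox")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	cached, fresh := filepath.Join(dir, "cached.js"), filepath.Join(dir, "fresh.js")
	_ = os.WriteFile(cached, []byte("module.exports = 'cached'"), 0o600) // constructed module
	_ = os.WriteFile(fresh, []byte("module.exports = 'fresh'"), 0o600)   // constructed module
	for _, shared := range []bool{true, false} {
		c, f, err := Scenario(NewPool(shared), cached, fresh)
		fmt.Printf("sharedRegistry=%v cachedLeak=%v freshLoad=%v err=%v\n", shared, c, f, err)
	}
}
```

Both booleans come back true for the shared pool and false for the rebuilt one, which separates the two defects: `cachedLeak` needs only the stale cache, while `freshLoad` needs the loader itself to still be bound to the privileged policy. In goja_nodejs the place to enforce this is the registry's source loader (a registry created per execution with a loader that checks the current policy) rather than the script; a check inside the template can be skipped by the template.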
