refactor: allow resolution of variables in the proto chain #578
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
caridy
commented
Nov 7, 2021
| @@ -156,14 +156,14 @@ function resolveVariableReference( | |||
| let arg: FluentVariable; | |||
| if (scope.params) { | |||
| // We're inside a TermReference. It's OK to reference undefined parameters. | |||
| if (Object.prototype.hasOwnProperty.call(scope.params, name)) { | |||
| if (Reflect.has(scope.params, name)) { | |||
There was a problem hiding this comment.
Reflect.has is not available in IE11. This project doesn't provide details about the level of support that it is offering for legacy browsers, judging by the code, I don't see any usage of Reflect. We can replace this with name in scope.params which is equivalent and does work in legacy systems as well.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
resolveVariableReferenceenforces variables names to be own properties. This seems to be very restrictive, and instead, Reflect.has() orinoperator is probably better. In our case, the args structure provided to messages might be optimized in various ways (very likely be immutable structures) that does not necessary have a flatten structure, and instead it might rely on the__proto__chain.Perf Considerations
I believe this change will not necessary introduce a significant chante in terms of performance. Yes, missing variable names lookups will take one more step (most likely a look up on
Object.prototypewhich is probably optimized by engines already), but that should not move the needle IMO.Security Implications
The interpolation is already very secure (by doing the escaping), with this change, poisoning of the Object.prototype is possible, but again, you can only attack message if the consumer is not providing the variable name, in which case Object.prototype lookup will occur. There are other different ways to do a similar attack, including patching
Object.prototype.hasOwnPropertyon itself :), so I will consider this to not be an issue.TODO