Skip to content

Use brackets instead of parenthesis in empty name eval #30449

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 24, 2024
Merged

Use brackets instead of parenthesis in empty name eval #30449

merged 1 commit into from
Jul 24, 2024
+3 −3

Conversation

sebmarkbage
Copy link
Collaborator

@sebmarkbage sebmarkbage commented Jul 24, 2024
edited
Loading

Otherwise V8 will parse it as a URL and mess it up. The bracket is a magic string meaning empty.

@sebmarkbage sebmarkbage requested a review from eps1lon July 24, 2024 20:45
@vercel Vercel
Copy link

vercel bot commented Jul 24, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
react-compiler-playground ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jul 24, 2024 9:19pm

@facebook-github-bot facebook-github-bot added CLA Signed React Core Team Opened by a member of the React Core Team labels Jul 24, 2024
@react-sizebot
Copy link

react-sizebot commented Jul 24, 2024
edited
Loading

Comparing: a6b7e43...0e710d8

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name +/- Base Current +/- gzip Base gzip Current gzip
oss-stable/react-dom/cjs/react-dom.production.js = 6.68 kB 6.68 kB = 1.83 kB 1.82 kB
oss-stable/react-dom/cjs/react-dom-client.production.js = 501.44 kB 501.44 kB = 89.98 kB 89.98 kB
oss-experimental/react-dom/cjs/react-dom.production.js = 6.69 kB 6.69 kB = 1.83 kB 1.83 kB
oss-experimental/react-dom/cjs/react-dom-client.production.js = 506.26 kB 506.26 kB = 90.68 kB 90.68 kB
facebook-www/ReactDOM-prod.classic.js = 599.78 kB 599.78 kB = 105.88 kB 105.88 kB
facebook-www/ReactDOM-prod.modern.js = 575.83 kB 575.83 kB = 102.15 kB 102.15 kB

Significant size changes

Includes any change greater than 0.2%:

(No significant changes)

Generated by 🚫 dangerJS against 4fee048

@sebmarkbage sebmarkbage merged commit 933b737 into facebook:main Jul 24, 2024
This was referenced Jul 25, 2024
Merged
Merged
@okaneconnor
Copy link

🤖 PR Review Buddy - AI Analysis

Model: gemini-1.5-flash | Analysis Time: 6.1s

📊 Quality Metrics

Metric Score Grade
🛡️ Security 90/100 A
⚡ Performance 100/100 A
🧪 Testing 70/100 C
🏗️ Maintainability 85/100 B
📈 Overall 85/100 B

📝 Summary

The PR addresses a specific V8 parsing issue effectively. However, there are opportunities to improve the solution's robustness, consistency, and security by exploring alternative naming conventions, expanding test coverage, and addressing potential, though unlikely, injection vulnerabilities.

🔍 Issues Found (3)

🟡 Medium (1)

1. Inconsistent Naming Convention

  • 📁 packages/react-client/src/ReactFlightClient.js (line 1955)
  • 📝 The change replaces (anonymous) with <anonymous>. While this addresses the V8 parsing issue, it introduces a slight inconsistency. The use of angle brackets is not a standard convention for anonymous function names. Consider a more consistent approach, perhaps using a unique identifier or a more descriptive name based on context. The current solution is a workaround, not a robust solution to the underlying issue.
  • 💡 Explore alternative solutions. If possible, avoid the need for creating anonymous functions dynamically. If this is unavoidable, use a consistent naming scheme, possibly incorporating a counter or timestamp for uniqueness.
🟢 Low (2)

1. Test Coverage Improvement Needed

  • 📁 packages/react-client/src/__tests__/ReactFlight-test.js (line 1285)
  • 📝 The test changes reflect the change to <anonymous>, but more comprehensive tests should be added to ensure that the change doesn't introduce regressions or unexpected behavior in other scenarios. The current test only demonstrates the change in the error message; it does not cover all possible use cases.
  • 💡 Expand the test suite to include cases with various function names, error types, and input data. Consider adding edge case scenarios and negative tests.

2. Potential for Injection (Indirect)

  • 📁 packages/react-client/src/ReactFlightClient.js (line 1957)
  • 📝 While the change mitigates a specific V8 parsing issue, the use of JSON.stringify(name) later in the code introduces a small, indirect security risk if name is ever sourced from untrusted input. Although highly unlikely in this context, an attacker injecting malicious code into name could potentially lead to issues with the JSON stringification.
  • 💡 Sanitize or validate the name variable before using it. Ensure that name can only contain allowed characters. A whitelist approach is preferable.

✅ What's Good

  • Addresses a reported V8 issue.
  • Change is relatively straightforward and easy to understand.

💡 Suggestions for Improvement

  • Consider using a more robust approach to handle anonymous function naming.
  • Improve the test suite to enhance code reliability.

Analyzed 2 files (3 additions, 3 deletions)

💬 Commands: Comment /review to re-run analysis

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eps1lon eps1lon eps1lon approved these changes

Assignees

No one assigned

Labels

CLA Signed React Core Team Opened by a member of the React Core Team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sebmarkbage @react-sizebot @okaneconnor @eps1lon @facebook-github-bot