Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access control to proto properties #1638

Open
nknapp opened this issue Jan 11, 2020 · 3 comments
Open

Access control to proto properties #1638

nknapp opened this issue Jan 11, 2020 · 3 comments
Labels
feature
Milestone
Backlog

Comments

@nknapp
Copy link
Collaborator

nknapp commented Jan 11, 2020
edited

After the comments from #1633 and #1634 and the referenced issues, I think it would be a good idea to create a runtime option that allows to whitelist the prototype of a given class.

Calling the template wit

template ({some: "input object"}, { allowedPrototypes: [
  Test
] })

would allow a property to be resolved if the following is true.

parent[propertyName] === Test.prototype[propertyName] && Test.prototype.hasOwnProperty(propertyName)

I think it would be helpful when using custom classes in web-servers, because it is certainly not save to turn off prototype checks in such an environment.

I would like to have opinions about that.
@Gerrit0
Copy link

Gerrit0 commented Jan 11, 2020

One potential problem is that users will expect that adding B to the allowed prototypes would work in this case:

class A { get a() { return 'a' } }
class B extends A {}

const parent = new B();
parent['a'] === B.prototype['a'] && B.prototype.hasOwnProperty('a') // => false

This isn't too bad, it just needs to be documented, but it would likely surprise quite a few people.

@nknapp
Copy link
Collaborator Author

nknapp commented Jan 12, 2020
edited

We could also check if superclasses are whitelisted, so you only need to whitelist "A" in order to get properties from "A" and "B" accepted.

The other way around is more difficult, because it required blacklisting all native classes, which may change over time.

@roydukkey
Copy link
Contributor

roydukkey commented Jan 13, 2020
edited

@nknapp Would it be possible to use getPrototypeOf and getOwnPropertyDescriptor to see if the getter was defined. I'm not sure if this regresses to the issues that were already fixed or not.

class Example {
  get hello() {
    return 'world';
  }
}

const obj = new Example();
console.log(obj.hello);
// "world"
console.log(Object.getOwnPropertyDescriptor(obj, 'hello'));
// undefined
console.log(Object.getOwnPropertyDescriptor(Object.getPrototypeOf(obj), 'hello'));
// { configurable: true, enumerable: false, get: function get hello() { return 'world'; }, set: undefined }

source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/get#get_Vs._defineProperty

@nknapp nknapp added the feature label Apr 5, 2020
@nknapp nknapp added this to the Backlog milestone Apr 5, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@nknapp @roydukkey @Gerrit0