make harden-exports aware that Pattern makers are already hardened #2632

Open
turadg opened this issue Nov 14, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@turadg (Member) commented Nov 14, 2024

What is the Problem Being Solved?

For all M.something(...), we should assume that it produces a properly hardened value and omit the noise. (context)

Description of the Design

Update the lint rule to detect if the exported value is the result of an M.something call, and if so consider that already hardened.

Security Considerations

Scaling Considerations

Test Plan

Compatibility Considerations

Upgrade Considerations

@erights (Contributor) commented Nov 14, 2024

For a lint rule, I suggest something even weaker. Rather than noticing M.something(...) expressions specifically, notice (at least top level) declarations initialized to literal expressions, such as function literals, object literals, array literals, etc. For these, ensure that the initialized variable is hardened before any code could observe the resulting value in a non-hardened state.

For everything other than literal expressions, the lint rule should pass on them, and we should take care elsewhere to ensure that these non-literal expressions produce values that are already hardened.

@erights changed the title from "make harden-exports aware that Patter makers are already hardened" to "make harden-exports aware that Pattern makers are already hardened" on Nov 14, 2024
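The two rule variants discussed above, as an added example that is not part of this issue and not the project's own `harden-exports` ESLint rule: the issue body's variant trusts any `M.something(...)` initializer and requires every other export to be hardened, while the comment's weaker variant checks only literal initializers (object, array, function and class literals) and requires them to be hardened before any code could observe them. A real rule would walk the ESTree AST that ESLint supplies; this stand-in uses a small line scanner over a constructed sample module (the import line and `harden(...)` calls in it are source text only and are never executed) so the classification logic runs with no dependencies. The scanner assumes top-level `export const NAME = INIT;` declarations and `harden(NAME);` statements and does not handle brackets inside strings or comments.

```javascript
// Added example (not the project's eslint-plugin code): a text-based stand-in
// for two variants of a harden-exports lint rule.
//   'pattern-makers': every export must be hardened, except that an
//                     initializer of the form M.something(...) is trusted.
//   'literals-only':  only object/array/function/class literal initializers
//                     are checked; any other expression is assumed to already
//                     produce a hardened value.
// Assumption: the scanned module uses top-level `export const NAME = INIT;`
// and `harden(NAME);` statements, with no brackets inside strings/comments.

function bracketBalance(text) {
  let depth = 0;
  for (const ch of text) {
    if ('({['.includes(ch)) depth += 1;
    else if (')}]'.includes(ch)) depth -= 1;
  }
  return depth;
}

// Collect exported declarations and top-level harden(NAME) calls by line.
function scanModule(source) {
  const lines = source.split('\n');
  const decls = [];
  const hardenCalls = new Map(); // name -> line index of harden(name)
  for (let i = 0; i < lines.length; i += 1) {
    const m = /^export\s+(?:const|let|var)\s+([\w$]+)\s*=\s*/.exec(lines[i]);
    if (m) {
      const start = i;
      let init = lines[i].slice(m[0].length);
      let depth = bracketBalance(init);
      // Keep appending lines until brackets balance and the statement ends in ';'.
      while ((depth > 0 || !/;\s*$/.test(init)) && i + 1 < lines.length) {
        i += 1;
        init += '\n' + lines[i];
        depth += bracketBalance(lines[i]);
      }
      decls.push({ name: m[1], init: init.replace(/;\s*$/, '').trim(), start, end: i });
      continue;
    }
    const h = /^harden\(\s*([\w$]+)\s*\);?\s*$/.exec(lines[i]);
    if (h) hardenCalls.set(h[1], i);
  }
  return { lines, decls, hardenCalls };
}

function classifyInitializer(init) {
  if (/^harden\s*\(/.test(init)) return 'hardened';
  if (/^M\.[\w$]+\s*\(/.test(init)) return 'pattern-maker';
  if (/^(?:\{|\[|(?:async\s+)?function\b|class\b|(?:async\s+)?(?:\([^)]*\)|[\w$]+)\s*=>)/.test(init)) return 'literal';
  if (/^(?:['"`]|\d|true\b|false\b|null\b|undefined\b)/.test(init)) return 'primitive';
  return 'non-literal';
}

// True when harden(NAME) follows the declaration with nothing runnable in
// between (only blank lines, comments or other harden() calls), so no code
// can observe the value in its unhardened state.
function hardenedBeforeObservation(decl, scan) {
  const at = scan.hardenCalls.get(decl.name);
  if (at === undefined) return false;
  for (let i = decl.end + 1; i < at; i += 1) {
    const t = scan.lines[i].trim();
    if (t === '' || t.startsWith('//') || /^harden\(/.test(t)) continue;
    return false;
  }
  return true;
}

function lintHardenExports(source, mode) {
  const scan = scanModule(source);
  const findings = [];
  for (const decl of scan.decls) {
    const kind = classifyInitializer(decl.init);
    // harden() returns a primitive unchanged, so neither variant flags one.
    if (kind === 'hardened' || kind === 'primitive') continue;
    if (hardenedBeforeObservation(decl, scan)) continue;
    const flag = mode === 'pattern-makers' ? kind !== 'pattern-maker' : kind === 'literal';
    if (flag) {
      findings.push({
        name: decl.name,
        line: decl.start + 1,
        kind,
        reason: scan.hardenCalls.has(decl.name)
          ? 'harden() comes after code that can observe the value'
          : 'export is never hardened',
      });
    }
  }
  return findings;
}

// Constructed sample module (source text only; nothing in it is executed).
const SAMPLE = `
import { M } from '@endo/patterns';
export const AmountShape = M.splitRecord({ brand: M.remotable(), value: M.any() });
export const config = { retries: 3 };
harden(config);
export const helpers = {
  double: x => x * 2,
};
export const add = (a, b) => a + b;
export const makeCounter = harden(() => {
  let n = 0;
  return () => (n += 1);
});
export const counter = makeCounter();
export const registry = [];
registry.push('boot');
harden(registry);
export const VERSION = '1.0.0';
export const DELAY_MS = 250;
`;

console.log('pattern-makers:', lintHardenExports(SAMPLE, 'pattern-makers'));
console.log('literals-only: ', lintHardenExports(SAMPLE, 'literals-only'));
```

Running it shows the difference the comment is after: `counter = makeCounter()` is flagged by the `pattern-makers` variant (it is neither hardened nor an `M.something` call) but passes the `literals-only` variant, which leaves non-literal expressions to be made safe elsewhere. Both variants flag `registry`, because `registry.push('boot')` runs on the array before `harden(registry)`, and neither flags `config`, whose `harden(config)` comes immediately after the declaration.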