Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

repl: no RegExp side effects for static properties #20549

Closed
wants to merge 1 commit into from
Closed

repl: no RegExp side effects for static properties #20549

wants to merge 1 commit into from

Conversation

princejwesley
Copy link
Contributor

Disallow global RegExp object usage inside repl.js,
readline.js and tty.js. Use RegExp from internal context
to prevent updating global.RegExp static properties

tools/eslint-rules/no-regex-literal-for-repl.js linter is added
to prevent regex literal usage in repl code path

Fixes: #18931

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included (TODO)
  • documentation is changed or added
  • commit message follows commit guidelines

@princejwesley
repl: no RegExp side effects for static properties
ea9878e 
Disallow global RegExp object usage inside repl.js,
readline.js and tty.js. Use RegExp from internal context
to prevent updating global.RegExp static properties

tools/eslint-rules/no-regex-literal-for-repl.js linter is added
to prevent regex literal usage in repl code path

Fixes: nodejs#18931
@nodejs-github-bot nodejs-github-bot added the lib / src Issues and PRs related to general changes in the lib or src directory. label May 5, 2018
@princejwesley princejwesley mentioned this pull request May 5, 2018
Closed
4 tasks
@addaleax
Copy link
Member

addaleax commented May 5, 2018

I think this is basically what lib/internal/safe_globals.js is there for, right? Can we do it that way?

@addaleax addaleax added the repl Issues and PRs related to the REPL subsystem. label May 5, 2018
@princejwesley
Copy link
Contributor Author

@addaleax Adding SafeRegExp or move 'internal/util'.getInternalGlobal to internal/safe_globals.js ? SafeRegExp would have the same side effect if its implemented by makeSafe.

apapirovski
apapirovski reviewed May 17, 2018
View reviewed changes
Copy link
Member

@apapirovski apapirovski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@princejwesley The PR looks mostly good to me but a) could you elaborate why makeSafe wouldn't work here? I've only briefly skimmed the related issue.

Also, is there any way to add a test for 1) the eslint rule, and 2) the behaviour of the new code not adding any globals?

@BridgeAR
Copy link
Member

I am not a fan of this since AFAIK it takes longer to generate the RegExp like this and it becomes more difficult to read the RegExp. I think we should use a different approach.

@BridgeAR
Copy link
Member

I am not sure how we should progress here. I personally do not think this is the solution to our issue. Is this still WIP?

@BridgeAR BridgeAR added the wip Issues and PRs that are still a work in progress. label May 29, 2018
@lundibundi
Copy link
Member

ping @princejwesley, will you be working on this or can we close it?

@princejwesley
Copy link
Contributor Author

we can close it

@lundibundi lundibundi closed this Sep 3, 2018
@BridgeAR
Copy link
Member

BridgeAR commented Apr 4, 2019

I looked into this issue and it seems like this is the only halfway reliable way to really solve this. Sorry for originally being sceptical.

@BridgeAR BridgeAR mentioned this pull request Apr 4, 2019
Open
@bnoordhuis
Copy link
Member

This PR looks mostly fine to me, the only worry I have is that it might introduce performance regressions. Specifically, people sometimes use readline to parse large inputs.

@BridgeAR
Copy link
Member

BridgeAR commented Apr 5, 2019

One way to reduce the performance overhead is to create the RegExp once up front and safe it as top level variable. That should be always possible besides for the cases where we have to create the regular expression based upon input and those will also need the constructor right now.

I wonder if it's possible to use the primordials RegExp constructor.

@bnoordhuis bnoordhuis mentioned this pull request Apr 25, 2019
Closed
4 tasks
@snyk-bot snyk-bot mentioned this pull request Mar 18, 2020
Open
@snyk-bot snyk-bot mentioned this pull request Apr 1, 2020
Open
@hemanth hemanth mentioned this pull request Jul 9, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@apapirovski apapirovski apapirovski left review comments

Assignees
No one assigned
Labels
lib / src Issues and PRs related to general changes in the lib or src directory. repl Issues and PRs related to the REPL subsystem. wip Issues and PRs that are still a work in progress.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

repl: no RegExp side effects
7 participants
@princejwesley @addaleax @BridgeAR @lundibundi @bnoordhuis @apapirovski @nodejs-github-bot