Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: ownership getting tricked by proxies #13377

Merged
merged 2 commits into from
Sep 26, 2024
Merged

fix: ownership getting tricked by proxies #13377

merged 2 commits into from
Sep 26, 2024

Conversation

paoloricciuti
Copy link
Member

Svelte 5 rewrite

Closes #13376

This fixes the problem but i fear we might have this problem elsewhere and this can still be somewhat tricked unless we specify a lot of constraint. The problem when someone returns some non null value from a proxy regardless of the key eg

<script>
    import { setContext, getContext } from "svelte";

    setContext("", new Proxy({}, {
        get(){
            return {};
        }
    }));

    getContext("");
</script>

inside the ownership validation function we assume that if it has metadata it's the svelte metadata object (honestly a reasonable assumption considering it's a Symbol). But in this case the object will always be this empty object. So when trying to access owners.add on it or [ADD_OWNER] we end up with a runtime error.

By adding owners in object check it's fixed but that will fail if the proxy looks like this

<script>
    import { setContext, getContext } from "svelte";

    setContext("", new Proxy({}, {
        get(){
            return {};
        },
        has(){
             return true;
        }
    }));

    getContext("");
</script>

So i'm not really sure if we should go mad with checks before invoking anything or find a better general solution.

Please note that the Svelte codebase is currently being rewritten for Svelte 5. Changes should target Svelte 5, which lives on the default branch (main).

If your PR concerns Svelte 4 (including updates to svelte.dev.docs), please ensure the base branch is svelte-4 and not main.

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • Prefix your PR title with feat:, fix:, chore:, or docs:.
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests and linting

  • Run the tests with pnpm test and lint the project with pnpm lint

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 24, 2024
edited
Loading

🦋 Changeset detected

Latest commit: 4617e9f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
svelte Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

dummdidumm
dummdidumm approved these changes Sep 26, 2024
View reviewed changes
.changeset/nice-brooms-battle.md Outdated Show resolved Hide resolved
@dummdidumm dummdidumm merged commit b73052f into main Sep 26, 2024
7 of 9 checks passed
@dummdidumm dummdidumm deleted the fix-ownership-with-proxies branch September 26, 2024 13:12
@github-actions github-actions bot mentioned this pull request Sep 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dummdidumm dummdidumm dummdidumm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Returning a promise on get from a user-defined proxy that's put in context throws an error on getContext
2 participants
@paoloricciuti @dummdidumm