Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updates astro-island for safer props deserialization #3268

Closed
wants to merge 7 commits into from

Conversation

tony-sull
Copy link
Contributor

@tony-sull tony-sull commented May 3, 2022

Closes #3266

Changes

Props passed to components via astro-island are serialized with the serialize-javascript. It isn't 100% compatible with JSON.parse(), for example it will keep undefined variables which breaks in JSON.parse()

This updates astro-island to use the eval() deserialization method recommended by serialize-javascript

Testing

Not sure of the right way to add a test for this, suggestions welcome!

Docs

N/A bug fix only

@changeset-bot
Copy link

changeset-bot bot commented May 3, 2022

🦋 Changeset detected

Latest commit: fa51fe6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
astro Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label May 3, 2022
@tony-sull tony-sull linked an issue May 3, 2022 that may be closed by this pull request
1 task
@matthewp
Copy link
Contributor

matthewp commented May 3, 2022

:( This is unfortunate. I'm conflicted here, obviously we want to fix this bug but we also don't want to force 'unsafe-eval' if using CSP. Maybe we should revert that PR until we get this figured out in a better way.

export function serializeProps(value: any) {
return serializeJavaScript(value);
return JSON.stringify(value);
Copy link
Contributor

@JuanM04 JuanM04 May 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use SuperJSON.
Also, this is the only place where serialize-javascript is being used. Maybe it should be completely removed

Copy link
Contributor

@matthewp matthewp May 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Way too big for this use case IMO. We have to deserialize in the browser.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm torn on this one since it removes functionality, but maybe it is the right move to go with JSON.stringify() here

functions, regexps, dates, sets or maps

This is the list of datatypes that serialize-javascript helps with. Functions are the only ones I could see being used in a component, but then maybe that really isn't an ideal use case anyway? 🤔

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed the dep, thanks!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Way too big for this use case IMO

Well point. And what about devalue? Sorry for insisting, but not having undefined, Date and may break existing code

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No worries! that's definitely a better option. I still don't feel super great about putting it into a script tag but it's better than having many script tags. Let me try that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I have Tried this out. It turns the inline script from 254 bytes to 2.08kB :(

Copy link
Contributor

@JuanM04 JuanM04 May 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It turns the inline script from 254 bytes to 2.08kB :(

How weird. devalue itself shouldn't be included in the output. See XSS Mitigation

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just mean that devalue adds that many bytes. I don't feel comfortable adding that in a PR to fix a regression. Maybe it's a good tradeoff and maybe not, but I think we should weight the pros and cons in a separate issue. So I'm going to revert the astro-island change and go back to script tags until we have time to figure out what to do here.

@matthewp
Copy link
Contributor

matthewp commented May 3, 2022

Closing in favor of #3275

@matthewp matthewp closed this May 3, 2022
@bluwy bluwy deleted the fix/astro-island-deserialize branch October 8, 2024 05:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
pkg: astro Related to the core `astro` package (scope)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

🐛 BUG: Astro Island's data is not correctly serialized
3 participants