Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Any code with import expression inside string literal or comment throws error #39

Open
ilyalesik opened this issue Sep 1, 2019 · 3 comments
Open

Any code with import expression inside string literal or comment throws error #39

ilyalesik opened this issue Sep 1, 2019 · 3 comments

Comments

@ilyalesik
Copy link

Any code with import expression inside string literal or comment throws "Error: SyntaxError: possible import expression rejected around line 1".

As example:

const v = "const MyComponent = lazy(() => import('./MyComponent'))";
@erights
Copy link
Member

erights commented Sep 2, 2019

Hi @ilyalesik as you might infer from the error message, this is working as intended at this level. However, I am leaving your issue open because we're working towards addressing it at another level.

In order to review the realms-shim with confidence, it is important that we keep the security kernel of the realms-shim small, and containing only code whose meaning we can understand with high confidence. As a consequence, the security kernel cannot rely on any JavaScript parser being an accurate implementation of either the spec or what the target platform does. JavaScript is a notoriously hard language to parse accurately; and reviewing the accuracy of any one parser is at least as difficult as reviewing the entirety of the realm-shim security kernel.

Instead, the security kernel takes strings to be evaluated, and passes them onto the direct eval in the magic eight lines of code explained at https://www.youtube.com/watch?v=mSNxsn0pK74&list=PLKr-mvz8uvUg70w0yKGfytaDqxiIBNo_L and https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2 . Unfortunately, these eight magic lines cannot secure the import expression, and so we must conservatively reject any string that might contain an import expression.

That direct eval also cannot eval module source text. We are working on a higher level translator, that does rely on accurate parsing and rewriting, to turn module text into evaluable source strings acceptable to the realms-shim security kernel. That same rewrite should eventually also translate import expressions, both in module sources and in script sources, into evaluable strings without import expressions that are acceptable to the realms-shim security kernel.

So I leave your issue open until we have such higher-level support for import expressions. Thanks.

@erights
Copy link
Member

erights commented Sep 5, 2019

I never came back and filled in the missing piece --- about the overly conservative rejection of apparent import statements (and html-like comments and direct-eval expressions) in comments and strings. For code that does go through a transformation step before it hits the kernel of the realms shim, such as module code, we could also transform these in literal strings into literal strings that evaluate to the same value, but in which the offending sequence does not exist in the sources. We could transform these in comments to something that indicates the original meaning, but does not have the offending sequence.

Whether we should or not is a separate question. It seems a high kludge price to pay to preserve our layering.

@ilyalesik
Copy link
Author

OK, thanks for the explanation!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@erights @ilyalesik