class member method named "import" will be misrecognized as import statement.

[softmarshmallow]

figma/plugin-typings#36

1. Read the above thread.

case 1.

/// Throws
Class A{
   import(a: string){console.log(a)}
}

/// Works
Class A{
   imports(a: string){console.log(a)} // or any other method name rather than "import"
}

case 2.

// Throws
// import something blahblah

// Works
// _import something blahblah
// `import` something blahblah

Improvement on regex and other logic barrier required.

[erights]

See https://github.com/endojs/endo/blob/master/packages/ses/error-codes/SES_IMPORT_REJECTED.md

If this is code you have control over, for the code above, quoting import is your best bet.

[softmarshmallow]

The endojs is for secure platforms (as far as i understand), which it's design should not affect anonymous package's specific syntax.

1. blocking dynamic import - agree - since dynamic import is mostly used on end user level (end developer)
2. blocking member function named import - disagree - since class member can be named anything as it can be and not allowing this violates the concept of class.
3. import keyword in comment - needs improvement

[kriskowal]

@softmarshmallow For performance and security reasons, SES cannot include and rely upon a full JavaScript parser to distinguish all of the valid ways import( can occur within client code. Instead, it uses a regular expression with false-positives. Some of the false positives you’ve found are ones we haven’t seen yet! But, the mitigation in all of these cases is to do some preprocessing on the code you’re presenting to SES so that it can distinguish valid use.

For example @agoric/bundle-source has a parser-based transform that replaces import() expressions in comments with importX(). We had a problem with object.import() method invocation that we solved by making the censor regular expression more clever, but previously had transformed all such cases to object['import']() to avoid censorship. The pre-processor ought to add a case for your import “concise method”, changing those to import: () => {} or ['import']() {} concise methods.

We cannot address this problem with SES, because of that limitation on parser-based censorship, but we could write a “parser-based censorship evasion transform” over in the bundler. To benefit from this, your code would have to pass through the bundler transforms. I’ve filed this issue on your behalf:

Agoric/agoric-sdk#3325

[softmarshmallow]

IMHO, But still, I can't get that the parser scans the "import" keyword in the comment string. this is simply wrong.
Why would the regex target the safe, commented, code?

Same question, same statement. I can't understand 2 and 3 behavior.

The endojs is for secure platforms (as far as i understand), which it's design should not affect anonymous package's specific syntax.

1. blocking dynamic import - agree - since dynamic import is mostly used on end user level (end developer)
2. blocking member function named import - disagree - since class member can be named anything as it can be and not allowing this violates the concept of class.
3. import keyword in comment - needs improvement

[kriskowal]

Regular expressions cannot match on context. Parsing JavaScript is particularly difficult to lex and parse. https://en.m.wikipedia.org/wiki/Chomsky_hierarchy The alternative to using a regex (which can only scan regular languages reliably) would be to use a fast and 100% accurate JavaScript lexer and parser. Babel is slow, 3MB, and would require a rather expensive audit (and ongoing differential audits) for accuracy to be sure it can reliably forbid direct eval and dynamic import. We would probably need something smaller. The alternatives are generally less carefully reviewed.

…

On Tue, Jun 15, 2021 at 3:27 AM UZU, J ***@***.***> wrote: IMHO, But still, I can't get that the parser scans the "import" keyword in the comment string. this is simply wrong. Why would the regex target the safe, commented, code? — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#773 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAOXBUT2XN56LACRRVQ5BLTS4THTANCNFSM46QDUELQ> .