class member method named "import" will be misrecognized as import statement. #773
See https://github.com/endojs/endo/blob/master/packages/ses/error-codes/SES_IMPORT_REJECTED.md If this is code you have control over, for the code above, quoting |
endojs is for secure platforms (as far as I understand), and its design should not affect an anonymous package's specific syntax.
|
@softmarshmallow For performance and security reasons, SES cannot include and rely upon a full JavaScript parser to distinguish all of the valid ways For example We cannot address this problem with SES, because of that limitation on parser-based censorship, but we could write a “parser-based censorship evasion transform” over in the bundler. To benefit from this, your code would have to pass through the bundler transforms. I’ve filed this issue on your behalf: |
IMHO, but still, I can't get that the parser scans the "import" keyword in the comment string. This is simply wrong. Same question, same statement. I can't understand 2 and 3 behavior.
|
Regular expressions cannot match on context. Parsing JavaScript is
particularly difficult to lex and parse.
https://en.m.wikipedia.org/wiki/Chomsky_hierarchy
The alternative to using a regex (which can only scan regular languages
reliably) would be to use a fast and 100% accurate JavaScript lexer and
parser. Babel is slow, 3MB, and would require a rather expensive audit (and
ongoing differential audits) for accuracy to be sure it can reliably forbid
direct eval and dynamic import. We would probably need something smaller.
The alternatives are generally less carefully reviewed.
…On Tue, Jun 15, 2021 at 3:27 AM UZU, J ***@***.***> wrote:
IMHO, But still, I can't get that the parser scans the "import" keyword in
the comment string. this is simply wrong.
Why would the regex target the safe, commented, code?
|
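The context-free matching discussed in this thread, as an added example that is not part of the original discussion and not SES's own code. `IMPORT_PATTERN` is a simplified stand-in chosen for this illustration (an assumption, not the expression SES ships), and every sample source is constructed.

```javascript
// Simplified stand-in for a regex-based import censor (assumption for this
// example). It flags the word `import` followed by `(` unless a `.` precedes it.
const IMPORT_PATTERN = /(^|[^.])\bimport\s*\(/g;

// Context-free scan: returns the 1-based line number of every match.
// The regex has no notion of comments, strings or class bodies.
function scanForImport(source) {
  const lines = [];
  for (const m of source.matchAll(IMPORT_PATTERN)) {
    const offset = m.index + m[1].length; // position of the word `import`
    lines.push(source.slice(0, offset).split('\n').length);
  }
  return lines;
}

// Constructed sample sources, one per spelling discussed in the thread.
const samples = {
  // A real dynamic import: the case the scan exists to reject.
  dynamicImport: "const m = await import('./mod.js');",
  // False positive: a class method that happens to be named `import`.
  methodNamedImport: "class Loader {\n  import(path) { return path; }\n}",
  // False positive: the text only appears inside a comment.
  insideComment: "// call import('x') later\nconst a = 1;",
  // False positive: the text only appears inside a string literal.
  insideString: "const s = 'import(x)';",
  // Not flagged: member call, the preceding `.` excludes it.
  memberCall: "loader.import('x');",
  // Not flagged: quoted (computed) method name and computed call.
  quotedMethod: "class Loader {\n  ['import'](path) { return path; }\n}",
  computedCall: "loader['import']('x');",
};

// Map each sample name to the line numbers the scan would reject.
function report() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, src]) => [name, scanForImport(src)]),
  );
}

console.log(report());
```

The scan cannot tell the first four samples apart, which is why a comment or a method name triggers the same rejection as a real dynamic import.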
figma/plugin-typings#36
case 1.
case 2.
Improvement on regex and other logic barrier required.