Forging TSAs is a security bug #2646

rictic · 2022-03-17T20:42:39Z

Expands on the error message for a missing 'raw' property on a TemplateResult's strings to call out that this is part of Lit's security system.

changeset-bot · 2022-03-17T20:42:41Z

🦋 Changeset detected

Latest commit: 17abd9d

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

github-actions · 2022-03-17T20:43:03Z

📊 Tachometer Benchmark Results

Summary

nop-update

lit-html-kitchen-sink: unsure 🔍 -3% - +2% (-0.93ms - +0.52ms)
^{this-change vs tip-of-tree}

render

lit-element-list: unsure 🔍 -1% - +1% (-0.68ms - +0.69ms)
^{this-change vs tip-of-tree}
lit-html-kitchen-sink: unsure 🔍 -1% - +0% (-0.34ms - +0.12ms)
^{this-change vs tip-of-tree}
lit-html-repeat: unsure 🔍 -3% - +2% (-0.37ms - +0.25ms)
^{this-change vs tip-of-tree}
lit-html-template-heavy: unsure 🔍 -0% - +2% (-0.21ms - +1.32ms)
^{this-change vs tip-of-tree}
reactive-element-list: unsure 🔍 -0% - +3% (-0.26ms - +1.48ms)
^{this-change vs tip-of-tree}

update

lit-element-list: unsure 🔍 -1% - +1% (-8.65ms - +4.25ms)
^{this-change vs tip-of-tree}
lit-html-kitchen-sink: unsure 🔍 -3% - +3% (-2.32ms - +2.90ms)
^{this-change vs tip-of-tree}
lit-html-repeat: unsure 🔍 -6% - +7% (-18.68ms - +23.36ms)
^{this-change vs tip-of-tree}
lit-html-template-heavy: unsure 🔍 -1% - +1% (-0.82ms - +1.68ms)
^{this-change vs tip-of-tree}
reactive-element-list: unsure 🔍 -1% - +1% (-11.42ms - +5.26ms)
^{this-change vs tip-of-tree}

update-reflect

lit-element-list: unsure 🔍 -1% - +1% (-5.67ms - +7.53ms)
^{this-change vs tip-of-tree}
reactive-element-list: unsure 🔍 -1% - +1% (-11.50ms - +6.43ms)
^{this-change vs tip-of-tree}

Results

lit-element-list

Browser: chrome-headless 98.0.4758.102
Sample size: 50
Built by: Benchmarks #2530
Commit: 4fd5aee

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	75.23ms - 76.10ms	-	unsure 🔍 -1% - +1% -0.68ms - +0.69ms	faster ✔ 19% - 20% 17.58ms - 19.00ms
tip-of-tree tip-of-tree	75.13ms - 76.19ms	unsure 🔍 -1% - +1% -0.69ms - +0.68ms	-	faster ✔ 19% - 20% 17.52ms - 19.06ms
previous-release previous-release	93.39ms - 94.51ms	slower ❌ 23% - 25% 17.58ms - 19.00ms	slower ❌ 23% - 25% 17.52ms - 19.06ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	762.46ms - 772.26ms	-	unsure 🔍 -1% - +1% -8.65ms - +4.25ms	faster ✔ 7% - 8% 55.82ms - 68.99ms
tip-of-tree tip-of-tree	765.36ms - 773.76ms	unsure 🔍 -1% - +1% -4.25ms - +8.65ms	-	faster ✔ 7% - 8% 54.12ms - 66.28ms
previous-release previous-release	825.36ms - 834.16ms	slower ❌ 7% - 9% 55.82ms - 68.99ms	slower ❌ 7% - 9% 54.12ms - 66.28ms	-

update-reflect

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	846.00ms - 854.83ms	-	unsure 🔍 -1% - +1% -5.67ms - +7.53ms	faster ✔ 4% - 5% 35.01ms - 49.01ms
tip-of-tree tip-of-tree	844.58ms - 854.39ms	unsure 🔍 -1% - +1% -7.53ms - +5.67ms	-	faster ✔ 4% - 6% 35.62ms - 50.26ms
previous-release previous-release	887.00ms - 897.85ms	slower ❌ 4% - 6% 35.01ms - 49.01ms	slower ❌ 4% - 6% 35.62ms - 50.26ms	-

lit-html-kitchen-sink

Browser: chrome-headless 98.0.4758.102
Sample size: 30
Built by: Benchmarks #2530
Commit: 4fd5aee

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	30.03ms - 30.29ms	-	unsure 🔍 -1% - +0% -0.34ms - +0.12ms	faster ✔ 15% - 18% 5.40ms - 6.76ms
tip-of-tree tip-of-tree	30.09ms - 30.46ms	unsure 🔍 -0% - +1% -0.12ms - +0.34ms	-	faster ✔ 15% - 18% 5.27ms - 6.66ms
previous-release previous-release	35.57ms - 36.90ms	slower ❌ 18% - 22% 5.40ms - 6.76ms	slower ❌ 17% - 22% 5.27ms - 6.66ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	83.36ms - 87.36ms	-	unsure 🔍 -3% - +3% -2.32ms - +2.90ms	unsure 🔍 -5% - +2% -4.66ms - +1.80ms
tip-of-tree tip-of-tree	83.38ms - 86.74ms	unsure 🔍 -3% - +3% -2.90ms - +2.32ms	-	unsure 🔍 -5% - +1% -4.77ms - +1.32ms
previous-release previous-release	84.25ms - 89.33ms	unsure 🔍 -2% - +5% -1.80ms - +4.66ms	unsure 🔍 -2% - +6% -1.32ms - +4.77ms	-

nop-update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	26.45ms - 27.11ms	-	unsure 🔍 -3% - +2% -0.93ms - +0.52ms	faster ✔ 11% - 14% 3.42ms - 4.33ms
tip-of-tree tip-of-tree	26.34ms - 27.63ms	unsure 🔍 -2% - +3% -0.52ms - +0.93ms	-	faster ✔ 10% - 14% 2.95ms - 4.39ms
previous-release previous-release	30.35ms - 30.97ms	slower ❌ 13% - 16% 3.42ms - 4.33ms	slower ❌ 11% - 17% 2.95ms - 4.39ms	-

lit-html-repeat

Browser: chrome-headless 98.0.4758.102
Sample size: 30
Built by: Benchmarks #2530
Commit: 4fd5aee

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	10.75ms - 11.18ms	-	unsure 🔍 -3% - +2% -0.37ms - +0.25ms	faster ✔ 11% - 15% 1.44ms - 1.88ms
tip-of-tree tip-of-tree	10.80ms - 11.24ms	unsure 🔍 -2% - +3% -0.25ms - +0.37ms	-	faster ✔ 11% - 14% 1.37ms - 1.83ms
previous-release previous-release	12.55ms - 12.69ms	slower ❌ 13% - 17% 1.44ms - 1.88ms	slower ❌ 12% - 17% 1.37ms - 1.83ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	306.63ms - 338.14ms	-	unsure 🔍 -6% - +7% -18.68ms - +23.36ms	faster ✔ 25% - 34% 112.25ms - 160.62ms
tip-of-tree tip-of-tree	306.14ms - 333.96ms	unsure 🔍 -7% - +6% -23.36ms - +18.68ms	-	faster ✔ 26% - 34% 115.75ms - 161.80ms
previous-release previous-release	440.47ms - 477.17ms	slower ❌ 33% - 51% 112.25ms - 160.62ms	slower ❌ 35% - 52% 115.75ms - 161.80ms	-

lit-html-template-heavy

Browser: chrome-headless 98.0.4758.102
Sample size: 50
Built by: Benchmarks #2530
Commit: 4fd5aee

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	55.02ms - 56.10ms	-	unsure 🔍 -0% - +2% -0.21ms - +1.32ms	faster ✔ 14% - 17% 9.44ms - 11.69ms
tip-of-tree tip-of-tree	54.46ms - 55.55ms	unsure 🔍 -2% - +0% -1.32ms - +0.21ms	-	faster ✔ 15% - 18% 9.99ms - 12.24ms
previous-release previous-release	65.13ms - 67.11ms	slower ❌ 17% - 21% 9.44ms - 11.69ms	slower ❌ 18% - 22% 9.99ms - 12.24ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	125.01ms - 126.75ms	-	unsure 🔍 -1% - +1% -0.82ms - +1.68ms	faster ✔ 12% - 15% 17.87ms - 21.33ms
tip-of-tree tip-of-tree	124.54ms - 126.35ms	unsure 🔍 -1% - +1% -1.68ms - +0.82ms	-	faster ✔ 13% - 15% 18.29ms - 21.78ms
previous-release previous-release	143.99ms - 146.98ms	slower ❌ 14% - 17% 17.87ms - 21.33ms	slower ❌ 15% - 17% 18.29ms - 21.78ms	-

reactive-element-list

Browser: chrome-headless 98.0.4758.102
Sample size: 50
Built by: Benchmarks #2530
Commit: 4fd5aee

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	55.38ms - 56.49ms	-	unsure 🔍 -0% - +3% -0.26ms - +1.48ms	unsure 🔍 -1% - +2% -0.36ms - +1.19ms
tip-of-tree tip-of-tree	54.65ms - 56.00ms	unsure 🔍 -3% - +0% -1.48ms - +0.26ms	-	unsure 🔍 -2% - +1% -1.06ms - +0.67ms
previous-release previous-release	54.98ms - 56.06ms	unsure 🔍 -2% - +1% -1.19ms - +0.36ms	unsure 🔍 -1% - +2% -0.67ms - +1.06ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	792.44ms - 804.08ms	-	unsure 🔍 -1% - +1% -11.42ms - +5.26ms	unsure 🔍 -1% - +1% -9.84ms - +6.10ms
tip-of-tree tip-of-tree	795.37ms - 807.31ms	unsure 🔍 -1% - +1% -5.26ms - +11.42ms	-	unsure 🔍 -1% - +1% -6.87ms - +9.30ms
previous-release previous-release	794.68ms - 805.58ms	unsure 🔍 -1% - +1% -6.10ms - +9.84ms	unsure 🔍 -1% - +1% -9.30ms - +6.87ms	-

update-reflect

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	896.70ms - 908.94ms	-	unsure 🔍 -1% - +1% -11.50ms - +6.43ms	unsure 🔍 -1% - +0% -13.22ms - +3.10ms
tip-of-tree tip-of-tree	898.80ms - 911.90ms	unsure 🔍 -1% - +1% -6.43ms - +11.50ms	-	unsure 🔍 -1% - +1% -11.01ms - +5.96ms
previous-release previous-release	902.49ms - 913.27ms	unsure 🔍 -0% - +1% -3.10ms - +13.22ms	unsure 🔍 -1% - +1% -5.96ms - +11.01ms	-

_{tachometer-reporter-action v2 for Benchmarks}

Forging TSAs is a security bug

17abd9d

Expands on the error message for a missing 'raw' property on a TemplateResult's strings to call out that this is part of Lit's security system.

rictic requested a review from justinfagnani as a code owner March 17, 2022 20:42

justinfagnani approved these changes Mar 17, 2022

View reviewed changes

rictic merged commit 365cd09 into main Mar 18, 2022

rictic deleted the clearer-error branch March 18, 2022 00:21

This was referenced Mar 31, 2022

Version Packages #2687

Closed

Version Packages #2700

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Forging TSAs is a security bug #2646

Forging TSAs is a security bug #2646

rictic commented Mar 17, 2022

changeset-bot bot commented Mar 17, 2022

github-actions bot commented Mar 17, 2022 •

edited

📊 Tachometer Benchmark Results

Summary

nop-update

render

update

update-reflect

Results

render

update

update-reflect

render

update

nop-update

render

update

render

update

render

update

update-reflect

Forging TSAs is a security bug #2646

Forging TSAs is a security bug #2646

Conversation

rictic commented Mar 17, 2022

changeset-bot bot commented Mar 17, 2022

🦋 Changeset detected

github-actions bot commented Mar 17, 2022 • edited

📊 Tachometer Benchmark Results

Summary

nop-update

render

update

update-reflect

Results

render

update

update-reflect

render

update

nop-update

render

update

render

update

render

update

update-reflect

github-actions bot commented Mar 17, 2022 •

edited