Results of TC39 presentation #37
Comments
|
I think most regexp escape methods are pretty simple. At least the ones in Closure Lib, Dojo, Lodash, Prototype, MooTools, Mout, YUI, & escape-string-regexp are. This looks like a case of taking something with clear utility, boxing it into a context it wasn't intended for, then dumping it because it didn't fit the box. |
we can ignore this decision and agree on a single standard method we, developers, can use, pointing at the possible footgun in a comment within the shipped code. We put such utility in a CDN and we live happily ever after. |
|
This is certainly disappointing but I'm glad the results were posted here in this way. I love reading meeting notes but it would be great to have this kind of update on each proposal after discussions. I'm okay with a template tag but still, this proposal would end up needed within that implementation so why not bring it in? Doing URL escaping in the browser doesn't save a developer from SQL injection if they did something like the above but no one questions the usefulness of those existing escape functions. |
exactly, same as escaping HTML, or using even String concatenation is a reality, RegExp can be created on the fly within a Function too ... what the hack is the point of avoiding methods focused on increasing security? Between totally unsafe and "maybe some noob will do something silly like that" there is quite an abyss. Disappointing to say the least. Thanks gosh I don't care about these decisions |
Uh, then why is the RegExp constructor itself standardized?
Saying that "avoiding a false sense of security" is going to help anything here is just plain wrong. There has to be somewhere the general public can complain directly to the people who voted against this. Right? More discussion at http://discourse.wicg.io/t/regexp-escape-str/832 |
|
The trouble I see with this is that it all comes down to arguments based on the behaviors of a hypothetical "average" developer nobody involved in the discussion would have any direct experience with, almost by definition. The point that I would make is, what real code do they see ending up broken, that would not have been broken without its presence? The TC's argument, I feel, is that not having a
And, without being given a RegExp.escape, they would not become enlightened as to how to do it correctly. They would (and do) try to fix it using the exact problem in front of them, using only what they've seen before, with as little thought into other cases where it would be a problem as possible - and that's going to generate a hell of a lot more corner cases than |
|
Thanks for the update. This is disappointing, I'll read the meeting notes and figure out how to go forward. I definitely don't think that a completely safe tag is that way forward though. |
|
Historical note: When Domenic first proposed this, we all thought that the maximally escaped form could be used reliably. While we thought that, I was in favor of it. The even-odd example took us all by surprise. I changed my mind only once I understood the unfixability of the even-odd problem. |
Hi Benjamin, why not?
RegExp.escape = (str) => RegExp.tag`${str}`;
I emphasize the word "help" above because the claim that we insist on something completely safe is not the way I would put it, because it leads to the misunderstandings seen earlier in this thread. Nothing will prevent developers from writing code unsafe in these regards. We're trying to make the safe way the easy way, so that a set of fairly straightforward design rules generally suffices to avoid these hazards. The issue is simple. RegExp source text is a little mini programming language with its own escaping rules. We've already heard the following song before: Having functions that provide local escaping fit for some contexts combined with use of string append to compose together source text from fragments. This has led to the nightmare that pervades the net, of escaping errors and injection attacks in html, css, sql, and more. We took a memory safe language, JavaScript, and by use of these manual-escape-and-append patterns, we reiterated the buffer-overflow-like vulnerability at a higher level of abstraction. Lisp, when embedded languages are composed of S-Expressions, is largely free of this entire class of vulnerability because they compose structure to create structure. All the relevant source text is first passed through a reliable reader and low-level universal parser before this composition happens. Lisp quasi-quote makes this especially pleasant. Of course, we do not have a universal textual syntax like S-Expressions that we're starting from. We created the template string mechanism (and E's earlier quali-literal mechanism) as a universal framework for solving the context-dependent escaping problem for embedded languages, each with their own surface syntax. |
|
Btw, in case it wasn't clear, I do not propose that the tag be named |
I feel like you've let this flaw blindside you, then. The nature of this kind of channeling attack has been a known issue with escapement for years - while I'm not going to argue against the value of a better model that checks individual RegExp components for validity, I will argue that it's short-sighted to say such a solution is the only adequate one. The more an end-developer (particularly one who's busy and only wants lo learn what's necessary to do their job) has to learn and adapt to make their solution "correct", the more likely it is that they're going to disregard that "correctness" in favor of doing it the maybe-sometimes-wrong way they already understand.
|
|
Well, the thing is that RegExp is not the same sort of language as SQL or HTML in this regard, there have been zero "RegExp injection" attacks (in this sense), there is no security guarantee to uphold here. I've been very in favour of contextual escaping for languages where not doing so presents a security risk. The problem is that making a tag severely complicates this proposal. I mind but am willing to do the extra work on my side, but this means it will much less likely get implemented in browsers, will take a lot more of the TC's time and so on. So, while a safe We have scanned the top million websites, have gone through tens of thousands of NPM packages and explored a total of over a billion lines of code. I did not see a single reasonable case that was not caught by the original "SyntaxCharacter" proposal. This trade between pragmatism and theoretical soundness is something I think ES needs to do here, just like C#, Python, Java, Perl, Ruby and pretty much every other language did before it. Just because a theoretical edge case exists doesn't mean we have to entertain it or focus our efforts based on it. |
|
I see here two interesting arguments for advancing RegExp.escape
I understand the force of the first argument and agree that it needs to be addressed. But I do not accept the second argument. A short term fix that become a long term hazard is a common development strategy and often appears in libraries that become de facto standards. When no good long term solution is known at the time, they often become de jure standards as well. However, when a better long term solution is known at the time, and subsumes all the functionality and convenience of the short term fix, I think the committee would be failing the community to admit the short term fix merely because the good long term solution is more work. Admitting it into the de jure standard means we're likely to be stuck with it forever. We're forever stuck with enough of these already. On the convenience point, compare RegExp.escape(str)and RegExp.tag`${str}`Once both exist, is there any reason whatsoever to prefer writing the first to the second?
Thank you. I'll be happy to help. |
|
I am really having hard time trying to understand what's the tag supposed to solve compared to new RegExp("\\\\" + RegExp.tag`${str}`)How does the user that would apparently fail with the initial example, avoid failing with the tag too? Thanks for any sort of clarification, I know TC39 has always reasons but this time I really can't figure out the what, the where, the when, and the how. Best Regards |
I'd love that, I think it would be interesting to apply the same formal analysis techniques you use in your work to show that the escaping is sound. I'm not sure it's something I'd put in the world's most popular programming language or that it would make a good API for people - but if you could point me in the right direction and tell me where to start this sounds like an interesting thing to do regardless of whether or not we build a language API out of it. The arguments for RegExp.escape as I see it are:
An idea was brought up here before (I think by @cscott) to support a second argument in |
|
@WebReflection a tag solution would presumably look like: A cursor would walk through the RegExp, keep track of its state and choose not to escape the string in this case because it is aware there is no need for an escape. This fails for dynamic length regular expressions which are actually one of the primary use cases here (Presuming we don't introduce a whole context-free escaping language here with iteration :D). |
|
@WebReflection the proposed solution would look like instead of |
So why isn't regex literal syntax being deprecated? I understand and agree with the idea but this is cause diverging paths for how to use a feature with baked in syntax support. Rather than a tag (or in addition to) add an escaped-interpolation syntax to regex literals. |
As far as I can tell, in the entire history of JavaScript after 1999 we have only succeeded at deprecating one bit of API: function.{caller,arguments} and arguments.{caller,callee}. And they are still dying a very slow death. I hope to outlive them, but we'll see. Our inability to effectively deprecate is exactly why we should be careful about admitting short term fixes into the standard. |
|
I say "after 1999" because that was the year ES3 was ratified. Whether the statement is still true from earlier, I have no idea. |
|
If the TC is looking to build something safe and Lisp-like into the language to work around the problems with RegExp I suggest adding a module for constructing a parsing expression grammar. |
|
so we are all presuming that if it's a tag no user will ever do the mistake we are supposing the same user would do with If the concern is a user that does this: new RegExp("\\" + RegExp.escape(str))why there is no concern on a user that could just do this instead? new RegExp("\\" + RegExp.tag`${str}`)It is a silly thing to do in the first case, I don't see why the second couldn't be as silly as the first one. Whoever would write the first case intentionally will eventually write the second one based on tags too. Whoever would move the text inside the tag could eventually do the same with So instead of I think the concern is a bit overrated in this thread, but I also believe TC39 won't change its mind so ... I will keep reading curious, and I will remain disappointed a part. |
Funny you should mention that. I replaced your "RegExp" with "[...]" above because the issue is more general. We need to make it easier to define tags for parsing new template languages. See https://github.com/erights/quasiParserGenerator . But please keep in mind that this is currently just an experiment not yet ready for serious use. |
No. Earlier I wrote:
|
Actually, all the formal work on these issues is @mikesamuel 's. Mike, care to comment? |
|
@erights addressing the other issues raised in that post would be nice:
And the two parameter solution:
|
|
I disagree with
It is simpler to implement, but is no simpler for users. From all the other points, it seems the de-facto process is successfully doing what you want. Given that, why do you need TC39 de-jure blessing? I don't understand the two argument solution. Perhaps if you explained how the template tag could be easily built on top I would understand it better. As to whether this would change my mind, I'll wait until I understand before reevaluating. |
|
Sorry I'm late to this thread. If people don't mind, I'd like to try to summarize the discussion so far to make sure we're on the same page.
It seems there are a number of unique contexts in regexps.
so we might escape And a number of kinds of inputs. For example, I've probably missed some, but trying to fill in a matrix might help see what feels dodgy as far as the principle of least surprise.
|
Because that's a big part of what a specification body does - spec de-facto solutions de-jura. Why specify
It's pretty simple, |
Could not disagree more. |
|
@lawrence-dol please enlighten me why oh why the "result of the TC39 presentation from 5 years ago" should remain open in my repo and telling people to instead check the issue pointing to a new TC39 champion wanting to pick this up and an alternative path of how we're going to get this (or something better anyway) is somehow bad? |
|
@benjamingr : My apologies -- I thought I was on a TC39 thread here. I've been multitasking too many things this morning. For whatever it's worth, I strongly support your proposal, and it's unfathomable to me how it was rejected. |
|
I fundamentally don't understand the issue that's being raised by "the even-odd problem": new RegExp("\\" + RegExp.escape("w"))
// same as
new RegExp("\\w")
// same as
/\w//\w/.test("a") // true, as expectedOkay, that makes sense. If I only partially escape my input... why should I expect the input to be safe? I should instead do: new RegExp(RegExp.escape("\\") + RegExp.escape("w"))
// same as
new RegExp("\\\\w")
// same as
/\\w//\\w/.test("a") // false, as expected
/^\\w$/.test("\\w") // true, as expectedTo me this seems perfectly intuitive - I can't ever use an odd number of Maybe "intuitive" is a strong word... "rational", let's say. What is the "problem" part of "the even-odd problem"?Is it that some developers don't know that you have to escape Is that you must always have an even number of If you have an odd number of
What about this behavior is unexpected or unsafe?I don't get it. It seems to behave in a perfectly predictable way that anyone familiar with basic strings should be able to reason about. Can someone explain what the problem is? |
There is no problem. I'm afraid there is no nice way of saying this, and I hate to be this confrontational, but this is entirely a consequence of @erights fundamentally misunderstanding what escape functions are, and sticking to his guns even after multiple people have tried to explain it to him. A regex escape function is trivial to create, tons of languages have them, and there's a common npm package and even Stack Overflow code snippet that will do the job. That npm package has 67 million weekly downloads. All of these work perfectly fine and are used daily without a problem—the Python docs don't even mention the supposed deal-breaking issue brought up here because it's perfectly obvious. As you pointed out, escape functions necessarily have a scope in which they are expected to work, and if you use them improperly they'll fail in predictable and documentable ways. This is a categorical truth about any kind of escape function. By the same logic we can say that there should be no Then after all of this was kindly pointed out by people who actually understand how this works, the excuse became that we need to look after the "average programmer" and restrict ourselves to just making a tagged template because it makes it harder to screw up. Even though it's obviously still trivial to misuse and it's clearly not the favored interface for a function like this, as evidenced by the myriad escape function libraries that are not tagged templates (can anyone even find one in the wild that is?) Everybody here is being extremely charitable and walking on eggshells out in fear of upsetting anyone from the committee, who are clearly ready to torpedo a good proposal and set us all back multiple years (this issue was opened 7 years ago) if they happen to be feeling like it on that day, but there actually just is no technical explanation for why this still isn't even on track to become part of the standard. The real explanation is that the committee has colossally failed in its duty due to a lack of technical understanding (and probably so due to one single individual), and this whole proposal is now a good example of how you should never assume that TC39 committee members know what they're talking about or are amenable to technical arguments. |
|
@msikma this is currently blocked on work not on Mark if we're honest. That said he is still very much against Honestly the (time and emotional) cost of standardization is such that I might end up just implementing this in Node and ask browsers to add it as a WHATWG API and we'll circumvent TC39? |
|
@benjamingr please don’t do that; that is a much worse outcome than never having it at all. |
|
@msikma it is inaccurate that it’s one individual; there are multiple people on the committee who feel the same as Mark does. Please avoid personal attacks; that’s not in keeping with our CoC. |
I feel like if I go through here I will spend another 5 years waiting and the API people are actually asking for ( On the other hand if I make a PR to Node and coordinate with WHATWG I get the API I've been asking for since 2015 in about a week. The interaction with WHATWG has been significantly easier than TC39, browsers would (most likely) also want this and Node sure does. So please help me understand why I would rather go through TC39 for something that is borderline platform and not language anyway (in other languages and ecosystems it's half-and-half)? I like you and (full honesty) I like Mark. Both of you have helped me in the past with a bunch of things when I needed help both in private and in public. What I don't like is the process and how skewed it is towards concerns that our users in Node frankly don't care about as you can see from this (and the other repo issues). Please give me a reason to trust the committee on this or faith this will progress at some point. |
|
The presentation I made that reactivated the proposal at stage 1 is the entire committee giving consensus to reconsider it, which woudn't have happened if anyone's position remained immovable. I'm sorry I haven't made the time to do more work on it since then, but I can assure you that, at least, I am confident it has a real shot at advancement. |
|
@ljharb ok, let me know how it goes |
I'm sorry to say that the committee declined to accept this proposal as-is. In the end, the concern (largely driven by @erights, although others were sympathetic) was that escaping cannot be done in a way that is totally safe in all cases, even with the extended safe set. For example,
is a hazard. (It does not matter that
"\\"by itself is not a valid regex fragment. The above does not error to indicate that; it just silently creates a bug.)Note that even if you attempted to correct this by escaping all initial characters, you then have
as a bug. @erights called this the "even-odd problem."
The general feeling was that to be completely safe you need a context-dependent join operation. The feeling was then that if author code wants to do unsafe escaping, the function is easy to write, but if something is going to be standardized, it must be completely safe. The idea that other languages are not held to this standard did not convince them, I'm sorry to say.
The committee recognized that you might not be willing to do work on a different, more complicated proposal. But, if you were interested, they think that a template string tag solution would be the best to investigate. Such a solution would be able to use the context of each insertion to do a safe join operation between any two fragments, instead of depending on string concatenation. Template strings can also be twisted to work in dynamic situations (e.g. those that this proposal would cover via
new RegExp(pieces.map(RegExp.escape).join("/"))) by directly calling the tag function, probably with an adapter to work through the awkwardness of the parameter form for template tags. So this would be strictly more powerful. This was also preferred (for reasons I don't really remember) to a building-block approach of e.g.RegExp.concatplusRegExp.escape(used asRegExp.concat("\\", RegExp.escape(x))).I'm pretty disappointed by this, and am sorry you and others sunk so much work into it with such an outcome. But, what can we do.
The text was updated successfully, but these errors were encountered: