Skip to content

feat: enabling safe functions in expression engine #5403

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: enabling safe functions in expression engine #5403

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
3ccb076
enabling safe functions in expression engine
zehjotkah Sep 23, 2025
ec5789f
feat(expressions): Add support for safe, non-mutating String and Arra…
zehjotkah Sep 24, 2025
454b89e
update expression.test.ts to use test.each
zehjotkah Sep 24, 2025
fe2ded3
Improved error messages to be specific
zehjotkah Sep 25, 2025
64e5b73
add optional chaining
zehjotkah Sep 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 90 additions & 0 deletions packages/sdk/src/expression.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,60 @@ describe("lint expression", () => {
error(1, 8, `"await" keyword is not supported`),
]);
});

test("allow safe string methods", () => {
expect(
lintExpression({
expression: `title.toLowerCase()`,
availableVariables: new Set(["title"]),
})
).toEqual([]);
expect(
lintExpression({
expression: `title.replace(" ", "-")`,
availableVariables: new Set(["title"]),
})
).toEqual([]);
expect(
lintExpression({
expression: `title.split("-")`,
availableVariables: new Set(["title"]),
})
).toEqual([]);
});

test("allow chained string methods", () => {
expect(
lintExpression({
expression: `title.toLowerCase().replace(" ", "-").split("-")`,
availableVariables: new Set(["title"]),
})
).toEqual([]);
});

test("forbid unsafe method calls", () => {
expect(
lintExpression({
expression: `arr.pop()`,
availableVariables: new Set(["arr"]),
})
).toEqual([error(0, 9, "Functions are not supported")]);
expect(
lintExpression({
expression: `obj.push(1)`,
availableVariables: new Set(["obj"]),
})
).toEqual([error(0, 11, "Functions are not supported")]);
});

test("forbid standalone function calls", () => {
expect(
lintExpression({
expression: `func()`,
availableVariables: new Set(["func"]),
})
).toEqual([error(0, 6, "Functions are not supported")]);
});
});

test("check simple literals", () => {
Expand Down Expand Up @@ -346,6 +400,42 @@ describe("transpile expression", () => {
}
expect(errorString).toEqual(`Unexpected token (1:0) in ""`);
});

test("transpile string methods with optional chaining", () => {
expect(
transpileExpression({
expression: "title.toLowerCase()",
executable: true,
})
).toEqual("title?.toLowerCase()");
expect(
transpileExpression({
expression: "user.name.replace(' ', '-')",
executable: true,
})
).toEqual("user?.name?.replace(' ', '-')");
expect(
transpileExpression({
expression: "data.title.split('-')",
executable: true,
})
).toEqual("data?.title?.split('-')");
});

test("transpile chained string methods with optional chaining", () => {
expect(
transpileExpression({
expression: "title.toLowerCase().replace(/\\s+/g, '-')",
executable: true,
})
).toEqual("title?.toLowerCase()?.replace(/\\s+/g, '-')");
expect(
transpileExpression({
expression: "user.name.toLowerCase().replace(' ', '-').split('-')",
executable: true,
})
).toEqual("user?.name?.toLowerCase()?.replace(' ', '-')?.split('-')");
});
});

describe("object expression transformations", () => {
Expand Down
15 changes: 14 additions & 1 deletion packages/sdk/src/expression.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,20 @@ export const lintExpression = ({
ThisExpression: addMessage(`"this" keyword is not supported`),
FunctionExpression: addMessage("Functions are not supported"),
UpdateExpression: addMessage("Increment and decrement are not supported"),
CallExpression: addMessage("Functions are not supported"),
CallExpression(node) {
// Check if this is a method call (MemberExpression) or standalone function call
if (node.callee.type === "MemberExpression") {
// Allow specific safe string methods
const allowedMethods = new Set(["toLowerCase", "replace", "split"]);
if (
node.callee.property.type === "Identifier" &&
allowedMethods.has(node.callee.property.name)
) {
return;
}
}
addMessage("Functions are not supported")(node);
},
NewExpression: addMessage("Classes are not supported"),
SequenceExpression: addMessage(`Only single expression is supported`),
ArrowFunctionExpression: addMessage("Functions are not supported"),
Expand Down
Loading