Skip to content

feat: enabling safe functions in expression engine #5403

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: enabling safe functions in expression engine #5403

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
3ccb076
enabling safe functions in expression engine
zehjotkah Sep 23, 2025
ec5789f
feat(expressions): Add support for safe, non-mutating String and Arra…
zehjotkah Sep 24, 2025
454b89e
update expression.test.ts to use test.each
zehjotkah Sep 24, 2025
fe2ded3
Improved error messages to be specific
zehjotkah Sep 25, 2025
64e5b73
add optional chaining
zehjotkah Sep 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
103 changes: 102 additions & 1 deletion packages/sdk/src/expression.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ describe("lint expression", () => {
).toEqual([
error(1, 13, "Functions are not supported"),
error(17, 25, "Functions are not supported"),
error(29, 33, "Functions are not supported"),
error(29, 33, `"fn" function is not supported`),
]);
});

Expand Down Expand Up @@ -220,6 +220,71 @@ describe("lint expression", () => {
error(1, 8, `"await" keyword is not supported`),
]);
});

test.each([
"toLowerCase",
"replace",
"split",
"at",
"endsWith",
"includes",
"startsWith",
"toUpperCase",
"toLocaleLowerCase",
"toLocaleUpperCase",
])("allow safe string method: %s", (method) => {
expect(
lintExpression({
expression: `title.${method}()`,
availableVariables: new Set(["title"]),
})
).toEqual([]);
});

test.each(["at", "includes", "join", "slice"])(
"allow safe array method: %s",
(method) => {
expect(
lintExpression({
expression: `arr.${method}()`,
availableVariables: new Set(["arr"]),
})
).toEqual([]);
}
);

test("allow chained string methods", () => {
expect(
lintExpression({
expression: `title.toLowerCase().replace(" ", "-").split("-")`,
availableVariables: new Set(["title"]),
})
).toEqual([]);
});

test("forbid unsafe method calls", () => {
expect(
lintExpression({
expression: `arr.pop()`,
availableVariables: new Set(["arr"]),
})
).toEqual([error(0, 9, `"pop" function is not supported`)]);
expect(
lintExpression({
expression: `obj.push(1)`,
availableVariables: new Set(["obj"]),
})
).toEqual([error(0, 11, `"push" function is not supported`)]);
});

test("forbid standalone function calls", () => {
expect(
lintExpression({
expression: `func()`,
availableVariables: new Set(["func"]),
})
).toEqual([error(0, 6, `"func" function is not supported`)]);
});
});

test("check simple literals", () => {
Expand Down Expand Up @@ -346,6 +411,42 @@ describe("transpile expression", () => {
}
expect(errorString).toEqual(`Unexpected token (1:0) in ""`);
});

test("transpile string methods with optional chaining", () => {
expect(
transpileExpression({
expression: "title.toLowerCase()",
executable: true,
})
).toEqual("title?.toLowerCase()");
expect(
transpileExpression({
expression: "user.name.replace(' ', '-')",
executable: true,
})
).toEqual("user?.name?.replace(' ', '-')");
expect(
transpileExpression({
expression: "data.title.split('-')",
executable: true,
})
).toEqual("data?.title?.split('-')");
});

test("transpile chained string methods with optional chaining", () => {
expect(
transpileExpression({
expression: "title.toLowerCase().replace(/\\s+/g, '-')",
executable: true,
})
).toEqual("title?.toLowerCase()?.replace(/\\s+/g, '-')");
expect(
transpileExpression({
expression: "user.name.toLowerCase().replace(' ', '-').split('-')",
executable: true,
})
).toEqual("user?.name?.toLowerCase()?.replace(' ', '-')?.split('-')");
});
});

describe("object expression transformations", () => {
Expand Down
38 changes: 37 additions & 1 deletion packages/sdk/src/expression.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,21 @@ type ExpressionVisitor = {
[K in Expression["type"]]: (node: Extract<Expression, { type: K }>) => void;
};

const allowedStringMethods = new Set([
"toLowerCase",
"replace",
"split",
"at",
"endsWith",
"includes",
"startsWith",
"toUpperCase",
"toLocaleLowerCase",
"toLocaleUpperCase",
]);

const allowedArrayMethods = new Set(["at", "includes", "join", "slice"]);

export const lintExpression = ({
expression,
availableVariables = new Set(),
Expand Down Expand Up @@ -112,7 +127,28 @@ export const lintExpression = ({
ThisExpression: addMessage(`"this" keyword is not supported`),
FunctionExpression: addMessage("Functions are not supported"),
UpdateExpression: addMessage("Increment and decrement are not supported"),
CallExpression: addMessage("Functions are not supported"),
CallExpression(node) {
let calleeName;
if (node.callee.type === "MemberExpression") {
if (node.callee.property.type === "Identifier") {
const methodName = node.callee.property.name;
if (
allowedStringMethods.has(methodName) ||
allowedArrayMethods.has(methodName)
) {
return;
}
calleeName = methodName;
}
} else if (node.callee.type === "Identifier") {
calleeName = node.callee.name;
}
if (calleeName) {
addMessage(`"${calleeName}" function is not supported`)(node);
} else {
addMessage("Functions are not supported")(node);
}
},
NewExpression: addMessage("Classes are not supported"),
SequenceExpression: addMessage(`Only single expression is supported`),
ArrowFunctionExpression: addMessage("Functions are not supported"),
Expand Down