Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Examples: Set channelOptions to disallow function serialization #18071

Merged
merged 23 commits into from May 10, 2022
Merged

Examples: Set channelOptions to disallow function serialization #18071

merged 23 commits into from May 10, 2022

Conversation

shilman
Copy link
Member

@shilman shilman commented Apr 26, 2022
edited

Issue: N/A

What I did

Update the examples to use allowFunction: false for improved security

How to test

N/A

@nx-cloud
Copy link

nx-cloud bot commented Apr 26, 2022
edited

☁️ Nx Cloud Report

CI is running/has finished running commands for commit 835639d. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this branch

✅ Successfully ran 1 target

Sent with 💌 from NxCloud.

@ndelangen
Copy link
Member

Odd, I'd expect this to fix the issue because:

storybook/lib/channel-postmessage/src/index.ts

Lines 78 to 97 in c61f83d

const eventOptions = Object.fromEntries(
Object.entries({
allowRegExp,
allowFunction,
allowSymbol,
allowDate,
allowUndefined,
allowClass,
maxDepth,
space,
lazyEval,
}).filter(([k, v]) => typeof v !== 'undefined')
);
const stringifyOptions = {
...defaultEventOptions,
...(global.CHANNEL_OPTIONS || {}),
...eventOptions,
};

@ndelangen ndelangen self-assigned this Apr 28, 2022
@ndelangen ndelangen added bug patch:yes Bugfix & documentation PR that need to be picked to main branch labels Apr 28, 2022
@shilman shilman changed the title Examples: Disable channel functions Core: Fix channelOptions support Apr 29, 2022
@shilman shilman marked this pull request as ready for review May 9, 2022 01:56
@shilman shilman added maintenance User-facing maintenance tasks and removed bug patch:yes Bugfix & documentation PR that need to be picked to main branch labels May 9, 2022
@shilman
Copy link
Member Author

shilman commented May 9, 2022

@ndelangen FYI I merged in #18164 to test out that change

@shilman shilman changed the title Core: Fix channelOptions support Examples: Set channelOptions to disallow function serialization May 10, 2022
@shilman shilman merged commit a17ea78 into next May 10, 2022
@shilman shilman deleted the examples/disable-channel-functions branch May 10, 2022 08:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@ndelangen ndelangen

Labels
maintenance User-facing maintenance tasks
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@shilman @ndelangen