mirror of
https://github.com/zebrajr/react.git
synced 2025-12-06 12:20:20 +01:00
843ec07021
This lets a registered object or value be "tainted", which we block from crossing the serialization boundary. It's only allowed to stay in-memory. This is an extra layer of protection against mistakes of transferring data from a data access layer to a client. It doesn't provide perfect protection, because it doesn't trace through derived values and substrings. So it shouldn't be used as the only security layer but more layers are better. `taintObjectReference` is for specific object instances, not any nested objects or values inside that object. It's useful to avoid specific objects from getting passed as is. It ensures that you don't accidentally leak values in a specific context. It can be for security reasons like tokens, privacy reasons like personal data or performance reasons like avoiding passing large objects over the wire. It might be privacy violation to leak the age of a specific user, but the number itself isn't blocked in any other context. As soon as the value is extracted and passed specifically without the object, it can therefore leak. `taintUniqueValue` is useful for high entropy values such as hashes, tokens or crypto keys that are very unique values. In that case it can be useful to taint the actual primitive values themselves. These can be encoded as a string, bigint or typed array. We don't currently check for this value in a substring or inside other typed arrays. Since values can be created from different sources they don't just follow garbage collection. In this case an additional object must be provided that defines the life time of this value for how long it should be blocked. It can be `globalThis` for essentially forever, but that risks leaking memory for ever when you're dealing with dynamic values like reading a token from a database. So in that case the idea is that you pass the object that might end up in cache. A request is the only thing that is expected to do any work. The principle is that you can derive values from out of a tainted entry during a request. Including stashing it in a per request cache. What you can't do is store a derived value in a global module level cache. At least not without also tainting the object.
299 lines
7.5 KiB
JavaScript
299 lines
7.5 KiB
JavaScript
/**
|
|
* Copyright (c) Meta Platforms, Inc. and affiliates.
|
|
*
|
|
* This source code is licensed under the MIT license found in the
|
|
* LICENSE file in the root directory of this source tree.
|
|
*
|
|
* @flow
|
|
*/
|
|
|
|
/* eslint-disable */
|
|
|
|
declare var __PROFILE__: boolean;
|
|
declare var __UMD__: boolean;
|
|
declare var __EXPERIMENTAL__: boolean;
|
|
declare var __VARIANT__: boolean;
|
|
|
|
declare var __REACT_DEVTOOLS_GLOBAL_HOOK__: any; /*?{
|
|
inject: ?((stuff: Object) => void)
|
|
};*/
|
|
|
|
declare var globalThis: Object;
|
|
|
|
declare var queueMicrotask: (fn: Function) => void;
|
|
declare var reportError: (error: mixed) => void;
|
|
declare var AggregateError: Class<Error>;
|
|
|
|
declare var FinalizationRegistry: any;
|
|
|
|
declare module 'create-react-class' {
|
|
declare var exports: React$CreateClass;
|
|
}
|
|
|
|
declare var trustedTypes: {
|
|
isHTML: (value: any) => boolean,
|
|
isScript: (value: any) => boolean,
|
|
isScriptURL: (value: any) => boolean,
|
|
// TrustedURLs are deprecated and will be removed soon: https://github.com/WICG/trusted-types/pull/204
|
|
isURL?: (value: any) => boolean,
|
|
};
|
|
|
|
// ReactFeatureFlags www fork
|
|
declare module 'ReactFeatureFlags' {
|
|
declare module.exports: any;
|
|
}
|
|
|
|
// ReactFiberErrorDialog www fork
|
|
declare module 'ReactFiberErrorDialog' {
|
|
declare module.exports: {showErrorDialog: (error: mixed) => boolean, ...};
|
|
}
|
|
|
|
// EventListener www fork
|
|
declare module 'EventListener' {
|
|
declare module.exports: {
|
|
listen: (
|
|
target: EventTarget,
|
|
type: string,
|
|
callback: Function,
|
|
priority?: number,
|
|
options?: {passive: boolean, ...},
|
|
) => mixed,
|
|
capture: (target: EventTarget, type: string, callback: Function) => mixed,
|
|
captureWithPassiveFlag: (
|
|
target: EventTarget,
|
|
type: string,
|
|
callback: Function,
|
|
passive: boolean,
|
|
) => mixed,
|
|
bubbleWithPassiveFlag: (
|
|
target: EventTarget,
|
|
type: string,
|
|
callback: Function,
|
|
passive: boolean,
|
|
) => mixed,
|
|
...
|
|
};
|
|
}
|
|
|
|
declare function __webpack_chunk_load__(id: string): Promise<mixed>;
|
|
declare var __webpack_require__: ((id: string) => any) & {
|
|
u: string => string,
|
|
};
|
|
|
|
declare function __turbopack_load__(id: string): Promise<mixed>;
|
|
declare var __turbopack_require__: ((id: string) => any) & {
|
|
u: string => string,
|
|
};
|
|
|
|
declare module 'fs/promises' {
|
|
declare var access: (path: string, mode?: number) => Promise<void>;
|
|
declare var lstat: (
|
|
path: string,
|
|
options?: ?{bigint?: boolean},
|
|
) => Promise<mixed>;
|
|
declare var readdir: (
|
|
path: string,
|
|
options?:
|
|
| ?string
|
|
| {
|
|
encoding?: ?string,
|
|
withFileTypes?: ?boolean,
|
|
},
|
|
) => Promise<Buffer>;
|
|
declare var readFile: (
|
|
path: string,
|
|
options?:
|
|
| ?string
|
|
| {
|
|
encoding?: ?string,
|
|
},
|
|
) => Promise<Buffer>;
|
|
declare var readlink: (
|
|
path: string,
|
|
options?:
|
|
| ?string
|
|
| {
|
|
encoding?: ?string,
|
|
},
|
|
) => Promise<mixed>;
|
|
declare var realpath: (
|
|
path: string,
|
|
options?:
|
|
| ?string
|
|
| {
|
|
encoding?: ?string,
|
|
},
|
|
) => Promise<mixed>;
|
|
declare var stat: (
|
|
path: string,
|
|
options?: ?{bigint?: boolean},
|
|
) => Promise<mixed>;
|
|
}
|
|
declare module 'pg' {
|
|
declare var Pool: (options: mixed) => {
|
|
query: (query: string, values?: Array<mixed>) => void,
|
|
};
|
|
}
|
|
|
|
declare module 'util' {
|
|
declare function debuglog(section: string): (data: any, ...args: any) => void;
|
|
declare function format(format: string, ...placeholders: any): string;
|
|
declare function log(string: string): void;
|
|
declare function inspect(object: any, options?: util$InspectOptions): string;
|
|
declare function isArray(object: any): boolean;
|
|
declare function isRegExp(object: any): boolean;
|
|
declare function isDate(object: any): boolean;
|
|
declare function isError(object: any): boolean;
|
|
declare function inherits(
|
|
constructor: Function,
|
|
superConstructor: Function,
|
|
): void;
|
|
declare function deprecate(f: Function, string: string): Function;
|
|
declare function promisify(f: Function): Function;
|
|
declare function callbackify(f: Function): Function;
|
|
declare class TextDecoder {
|
|
constructor(
|
|
encoding?: string,
|
|
options?: {
|
|
fatal?: boolean,
|
|
ignoreBOM?: boolean,
|
|
...
|
|
},
|
|
): void;
|
|
decode(
|
|
input?: ArrayBuffer | DataView | $TypedArray,
|
|
options?: {stream?: boolean, ...},
|
|
): string;
|
|
encoding: string;
|
|
fatal: boolean;
|
|
ignoreBOM: boolean;
|
|
}
|
|
declare class TextEncoder {
|
|
constructor(encoding?: string): TextEncoder;
|
|
encode(buffer: string): Uint8Array;
|
|
encodeInto(
|
|
buffer: string,
|
|
dest: Uint8Array,
|
|
): {read: number, written: number};
|
|
encoding: string;
|
|
}
|
|
}
|
|
|
|
declare module 'busboy' {
|
|
import type {Writable, Readable} from 'stream';
|
|
|
|
declare interface Info {
|
|
encoding: string;
|
|
mimeType: string;
|
|
}
|
|
|
|
declare interface FileInfo extends Info {
|
|
filename: string;
|
|
}
|
|
|
|
declare interface FieldInfo extends Info {
|
|
nameTruncated: boolean;
|
|
valueTruncated: boolean;
|
|
}
|
|
|
|
declare interface BusboyEvents {
|
|
file: (name: string, stream: Readable, info: FileInfo) => void;
|
|
field: (name: string, value: string, info: FieldInfo) => void;
|
|
partsLimit: () => void;
|
|
filesLimit: () => void;
|
|
fieldsLimit: () => void;
|
|
error: (error: mixed) => void;
|
|
close: () => void;
|
|
}
|
|
declare interface Busboy extends Writable {
|
|
addListener<Event: $Keys<BusboyEvents>>(
|
|
event: Event,
|
|
listener: BusboyEvents[Event],
|
|
): Busboy;
|
|
addListener(
|
|
event: string | symbol,
|
|
listener: (...args: any[]) => void,
|
|
): Busboy;
|
|
|
|
on<Event: $Keys<BusboyEvents>>(
|
|
event: Event,
|
|
listener: BusboyEvents[Event],
|
|
): Busboy;
|
|
on(event: string | symbol, listener: (...args: any[]) => void): Busboy;
|
|
|
|
once<Event: $Keys<BusboyEvents>>(
|
|
event: Event,
|
|
listener: BusboyEvents[Event],
|
|
): Busboy;
|
|
once(event: string | symbol, listener: (...args: any[]) => void): Busboy;
|
|
|
|
removeListener<Event: $Keys<BusboyEvents>>(
|
|
event: Event,
|
|
listener: BusboyEvents[Event],
|
|
): Busboy;
|
|
removeListener(
|
|
event: string | symbol,
|
|
listener: (...args: any[]) => void,
|
|
): Busboy;
|
|
|
|
off<Event: $Keys<BusboyEvents>>(
|
|
event: Event,
|
|
listener: BusboyEvents[Event],
|
|
): Busboy;
|
|
off(event: string | symbol, listener: (...args: any[]) => void): Busboy;
|
|
|
|
prependListener<Event: $Keys<BusboyEvents>>(
|
|
event: Event,
|
|
listener: BusboyEvents[Event],
|
|
): Busboy;
|
|
prependListener(
|
|
event: string | symbol,
|
|
listener: (...args: any[]) => void,
|
|
): Busboy;
|
|
|
|
prependOnceListener<Event: $Keys<BusboyEvents>>(
|
|
event: Event,
|
|
listener: BusboyEvents[Event],
|
|
): Busboy;
|
|
prependOnceListener(
|
|
event: string | symbol,
|
|
listener: (...args: any[]) => void,
|
|
): Busboy;
|
|
}
|
|
}
|
|
|
|
declare module 'pg/lib/utils' {
|
|
declare module.exports: {
|
|
prepareValue(val: any): mixed,
|
|
};
|
|
}
|
|
|
|
declare class AsyncLocalStorage<T> {
|
|
disable(): void;
|
|
getStore(): T | void;
|
|
run(store: T, callback: (...args: any[]) => void, ...args: any[]): void;
|
|
enterWith(store: T): void;
|
|
}
|
|
|
|
declare module 'async_hooks' {
|
|
declare class AsyncLocalStorage<T> {
|
|
disable(): void;
|
|
getStore(): T | void;
|
|
run(store: T, callback: (...args: any[]) => void, ...args: any[]): void;
|
|
enterWith(store: T): void;
|
|
}
|
|
}
|
|
|
|
declare module 'node:worker_threads' {
|
|
declare class MessageChannel {
|
|
port1: MessagePort;
|
|
port2: MessagePort;
|
|
}
|
|
}
|
|
|
|
declare var Bun: {
|
|
hash(
|
|
input: string | $TypedArray | DataView | ArrayBuffer | SharedArrayBuffer,
|
|
): number,
|
|
};
|