Skn0tt
commented
4 years ago Interesting idea, indeed!
I‘ve thought a lot about adding support for functions. They‘re the one big thing that‘s missing from SuperJSON to consider it fully JS-compatible, so it‘d be quite intriguing, wouldn‘t it? On the other hand, you can’t just send a serialized function definition over the wire, as it‘d open the doors to remote code execution.
In this article on „defunctionalisation“, an interesting point is made: Can‘t we replace any function in our code with a description of it? Given the following code ...
// /adder.ts
function adder(a: number) {
return function add(b: number) {
return a + b;
}
}... when passing adder(5) to SuperJSON, SuperJSON could serialize it to /adder.ts:adder:5, right?
There‘s still big problems with this approach:
- it requires statical analysis, which is notoriously hard with JS and defeats the SuperJSON‘s „replacement to JSON.stringify“ claim
- it‘s still prone to remote code execution, as attackers could use functions from your codebase to cause harm
In contrast to Amazon States Language, SuperJSON needs to work for communication from untrusted parties (client) to trusted parties (server). That‘s why we have to deal with remote code execution.
While I can absolutely see the need for this, I don‘t really see a way to make this work, sadly ... If you‘ve got a Geistesblitz though, I‘d love to hear it! :D
davidkpiano
Hey, I've been exploring JSON serialization libraries to use with XState that supports serializing an entire machine definition.
One of the missing parts is the ability to serialize pure, isolated functions, such as:
I can do this ad-hoc, but it would be useful to have this within a library.
A source of inspiration can be intrinsic functions in Amazon States Language, just to show that there is a need for this:
Would this be something that might be considered?