I confess that I'm at a bit of a loss to know what sort of side effects would be common when serializing something? Is there an obvious class of reasons for this that I'm just accidentally ignoring right off?

A simple example is `toJSON`. If an object defines that method, it'll get invoked automatically by JSON.stringify and it could have arbitrary side effects.

I think it's less about side effects being common when serializing, just that their fast path avoids anything that could have side effects (like toJSON).

The article touches briefly on this.

Right, I get that you could define something to have side effects. My question is why would you? What are some expected visible side effects of converting something to json?

That said, I see that they called it out as you say, now. When I first read it, I thought they watched for side effects.

I'm assuming they have an allow list on all standard types. The date types, in particular, often have a toJSON that seems like it should still be used? (Or am I wrong on that, too? :D )

Calling a property getter can have side effects, so if you serialize an object with a getter you have to be very cautious to make sure nothing weird happens underneath you during serialization.

People have exploited this sort of side effect to get bug bounties before via type confusion attacks, iirc.

Right, I get how you could make something that would cause issues. I'm curious why you would want to? :D

It usually happens by accident. For example, let's say you have a class Person with two data members named firstName and lastName. We're already in trouble, but let's make it worse: It has a getter named fullName which returns `` `${this.firstName} ${this.lastName}` ``.

That getter looks inoffensive and will, depending on your requirements, work just fine. But it has side effects because the string interpolation allocates and could trigger a garbage collection.

Note that if you're using modern JS 'class' blocks a 'get x ()' will be ignored by JSON.stringify, so if you're aiming to reproduce this you have to use old-school Object.defineProperty instead.

I don't view that as a side effect? That is, computed fields are not necessarily side effects, are they? I was thinking more like objects that keep track of how many times they were accessed. (This pattern was discussed recently for python dicts.)

I'm sure there are plenty of other similar uses that I just don't know about.

That said, if this really includes computed fields, that seems far broader.
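
As an added example (not code from the thread or the article), the following JavaScript lists the user code that `JSON.stringify` would invoke on an object, covering the `toJSON` and getter cases raised above and the difference between a class getter and one installed with `Object.defineProperty`. The helper names and the sample `Person` data are assumptions made for illustration, and Proxy objects are assumed absent.

```javascript
// Added example (not from the thread): list the user code JSON.stringify would run.
// Walks property descriptors only, so the scan itself never calls a getter or toJSON.
// Assumption: no Proxy objects, whose traps would run during the scan.
function lookupDescriptor(obj, key) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, key);
    if (d) return d;
  }
  return undefined;
}

function findSerializationHooks(value, path = "$", seen = new Set(), hooks = []) {
  if (value === null || typeof value !== "object" || seen.has(value)) return hooks;
  seen.add(value);
  // toJSON is found through the prototype chain (this is how Date is handled).
  const toJSON = lookupDescriptor(value, "toJSON");
  if (toJSON && (toJSON.get || typeof toJSON.value === "function")) {
    hooks.push(`${path}.toJSON`);
    return hooks; // stringify serializes toJSON's result, not this object's keys
  }
  // stringify reads only own enumerable string keys, so prototype getters are skipped.
  for (const key of Object.keys(value)) {
    const d = Object.getOwnPropertyDescriptor(value, key);
    if (d.get) hooks.push(`${path}.${key} (getter)`);
    else findSerializationHooks(d.value, `${path}.${key}`, seen, hooks);
  }
  return hooks;
}

// Constructed samples: the Person from the thread, written both ways.
class Person {
  constructor(firstName, lastName) { this.firstName = firstName; this.lastName = lastName; }
  get fullName() { return `${this.firstName} ${this.lastName}`; } // lives on the prototype
}

function legacyPerson(firstName, lastName) {
  const p = { firstName, lastName, reads: 0 };
  Object.defineProperty(p, "fullName", {
    enumerable: true, // own and enumerable, so JSON.stringify will call it
    get() { this.reads++; return `${this.firstName} ${this.lastName}`; },
  });
  return p;
}

const legacy = legacyPerson("Ada", "Lovelace");
console.log(findSerializationHooks(new Person("Ada", "Lovelace")));
console.log(findSerializationHooks(legacy));
console.log(findSerializationHooks({ when: new Date(0) }));
console.log(JSON.stringify(legacy), "reads after stringify:", legacy.reads);
```

An empty result means serialization will only read plain data properties; any entry names code that runs, and can mutate state, while `JSON.stringify` is walking the object.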