ensureSlash: Fix accidental string-to-NaN coercion #4424
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Summary: The `hasSlash` method uses `path.substr(path, path.length - 1)` to remove the last character from `path`. Clearly, the first parameter is suspect; it should be `0`. The code works as written, but only very accidentally: the first parameter is coerced by `ToNumber` to `NaN`, which is then coerced by `ToInteger` to `+0`, per [the spec][1]. [1]: https://www.ecma-international.org/ecma-262/6.0/#sec-string.prototype.substr Test Plan: Reading the spec should be sufficient. To verify in the Real World: ```js const path = "has-slash-but-does-not-need-slash/" const a = path.substr(path, path.length - 1); const b = path.substr(0, path.length - 1); console.log(a === b); // true console.log(a); // has-slash-but-does-not-need-slash ``` wchargin-branch: ensureslash-accidental-coercion
|
Wow, excellent catch and analysis. Thanks! |
|
You're welcome! Thanks for the quick response. |
|
(Thanks to @decentralion for spotting this while adding Flow types to some of our code. :-) ) |
zmitry
pushed a commit
to zmitry/create-react-app
that referenced
this pull request
Sep 30, 2018
Summary: The `hasSlash` method uses `path.substr(path, path.length - 1)` to remove the last character from `path`. Clearly, the first parameter is suspect; it should be `0`. The code works as written, but only very accidentally: the first parameter is coerced by `ToNumber` to `NaN`, which is then coerced by `ToInteger` to `+0`, per [the spec][1]. [1]: https://www.ecma-international.org/ecma-262/6.0/#sec-string.prototype.substr Test Plan: Reading the spec should be sufficient. To verify in the Real World: ```js const path = "has-slash-but-does-not-need-slash/" const a = path.substr(path, path.length - 1); const b = path.substr(0, path.length - 1); console.log(a === b); // true console.log(a); // has-slash-but-does-not-need-slash ``` wchargin-branch: ensureslash-accidental-coercion
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary:
The
hasSlashmethod usespath.substr(path, path.length - 1)toremove the last character from
path. Clearly, the first parameter issuspect; it should be
0. The code works as written, but only veryaccidentally: the first parameter is coerced by
ToNumbertoNaN,which is then coerced by
ToIntegerto+0, per the spec.Test Plan:
Reading the spec should be sufficient. To verify in the Real World:
wchargin-branch: ensureslash-accidental-coercion