odoo/o-spreadsheet#8694
Created by BI, Lucas Lefèvre (lul)
Merged at 7488c1cb11ef711b7defed903cccf1221241cc30
Statuses:
- label: odoo:master-compiler-lul
- head: 50160c6cab3a6a99099ed8e231007485ea985ade
- merged 5 days ago by BI, Rémi Rahir (rar)
| odoo/o-spreadsheet | |
|---|---|
| master | #8694 |
[IMP] compiler: force validated strings
The formula compiler builds JS source by string concatenation and feeds it to new Function(...). Several of those strings came from user input (function names, operator symbols), so any value that slipped past the parser's validation could end up executed as code.
This commit introduces a JsString branded type plus a jsStr tagged-template helper: generated code can only be assembled from values explicitly marked trusted, and untrusted strings must go through dangerouslyCreateJsStr, which makes the trust decision auditable.
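A worked example of the branded-string pattern the commit message describes, added here as an illustration rather than taken from o-spreadsheet's own compiler. The names JsString, jsStr and dangerouslyCreateJsStr come from the commit message; the toy formula AST, the FUNCTIONS registry, the validatedFunctionName and operatorSymbol checks, compileAst and evaluate are assumptions made for this demo.

```typescript
// Added example, not o-spreadsheet code: a branded JsString type so that only
// values explicitly marked trusted can be assembled into source for new Function.
// JsString, jsStr and dangerouslyCreateJsStr are the names from the commit message;
// the AST shape, registries and validators below are assumptions for the demo.

// Structurally a string, but a plain string cannot be assigned to it without a cast.
type JsString = string & { readonly __jsStringBrand: true };

// Tagged template: the literal chunks are written by the compiler author and are
// trusted; every interpolated value must already be a JsString.
function jsStr(strings: TemplateStringsArray, ...values: JsString[]): JsString {
  let out: string = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += values[i] + strings[i + 1];
  }
  return out as JsString;
}

// The single place where a raw string becomes trusted; every caller is a review target.
function dangerouslyCreateJsStr(value: string): JsString {
  return value as JsString;
}

// Own-property lookup so that inherited names ("constructor", "__proto__") never match.
function lookup<T>(table: { [key: string]: T }, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

// Constructed registry standing in for the spreadsheet's function table.
const FUNCTIONS: { [name: string]: (...args: number[]) => number } = {
  SUM: (...xs) => xs.reduce((a, b) => a + b, 0),
  MAX: (...xs) => Math.max(...xs),
};

// Function names come from user formulas: only plain identifiers that are also
// registry members pass through the dangerous cast.
function validatedFunctionName(name: string): JsString {
  if (!/^[A-Z][A-Z0-9_]*$/.test(name) || lookup(FUNCTIONS, name) === undefined) {
    throw new Error(`unknown function: ${JSON.stringify(name)}`);
  }
  return dangerouslyCreateJsStr(name);
}

// Operator symbols are literals written here, never copied from the input token.
const OPERATORS: { [op: string]: JsString } = {
  "+": jsStr`+`, "-": jsStr`-`, "*": jsStr`*`, "/": jsStr`/`,
};
function operatorSymbol(op: string): JsString {
  const js = lookup(OPERATORS, op);
  if (js === undefined) throw new Error(`unsupported operator: ${JSON.stringify(op)}`);
  return js;
}

function joinJs(parts: JsString[], sep: JsString): JsString {
  return parts.reduce((acc, p, i) => (i === 0 ? p : jsStr`${acc}${sep}${p}`), jsStr``);
}

type Ast =
  | { type: "number"; value: number }
  | { type: "binop"; op: string; left: Ast; right: Ast }
  | { type: "call"; name: string; args: Ast[] };

// The JsString return type forces every branch to justify its output: an unchecked
// raw string cannot be returned here without going through dangerouslyCreateJsStr.
function compileAst(ast: Ast): JsString {
  switch (ast.type) {
    case "number":
      if (typeof ast.value !== "number" || !isFinite(ast.value)) throw new Error("bad literal");
      // String() of a finite number is always a numeric literal, so this cast is sound.
      return dangerouslyCreateJsStr(String(ast.value));
    case "binop":
      return jsStr`(${compileAst(ast.left)} ${operatorSymbol(ast.op)} ${compileAst(ast.right)})`;
    case "call": {
      const args = joinJs(ast.args.map((a) => compileAst(a)), jsStr`, `);
      return jsStr`fns.${validatedFunctionName(ast.name)}(${args})`;
    }
    default:
      throw new Error("unknown node");
  }
}

// Only a JsString reaches new Function; passing a plain string here is a type error.
function evaluate(ast: Ast): number {
  const body: JsString = jsStr`return ${compileAst(ast)};`;
  return new Function("fns", body)(FUNCTIONS) as number;
}

// Constructed sample: 1 + SUM(2, 3)
const SAMPLE: Ast = {
  type: "binop", op: "+",
  left: { type: "number", value: 1 },
  right: { type: "call", name: "SUM", args: [{ type: "number", value: 2 }, { type: "number", value: 3 }] },
};
console.log(compileAst(SAMPLE)); // → "(1 + fns.SUM(2, 3))"
console.log(evaluate(SAMPLE)); // → 6
```

The enforcement is purely a compile-time property: at runtime a JsString is an ordinary string, so the guarantee is only as strong as the discipline around dangerouslyCreateJsStr. That is what makes the trust decision auditable: a reviewer greps for that one name and checks that each call site sits directly after a validation step, as validatedFunctionName does here, instead of reading every string concatenation in the compiler.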
Description:
description of this task, what is implemented and why it is implemented that way.
Task: TASK_ID
review checklist
- [ ] feature is organized in plugin, or UI components
- [ ] support of duplicate sheet (deep copy)
- [ ] in model/core: ranges are Range object, and can be adapted (adaptRanges)
- [ ] in model/UI: ranges are strings (to show the user)
- [ ] undo-able commands (uses this.history.update)
- [ ] multiuser-able commands (has inverse commands and transformations where needed)
- [ ] new/updated/removed commands are documented
- [ ] exportable in excel
- [ ] translations (_t("qmsdf %s", abc))
- [ ] unit tested
- [ ] clean commented code
- [ ] track breaking changes
- [ ] doc is rebuilt (npm run doc)
- [ ] status is correct in Odoo