Add an additional template object check

[rictic]

This makes it much harder for untrusted values in a databinding to masquerade as internal lit types. Specifically, this ensures that a template result value can't be obtained from JSON.parse.

Fixes #2306

[changeset-bot]

🦋 Changeset detected

Latest commit: 0d438f5

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

📊 Tachometer Benchmark Results

Summary

nop-update

• lit-html-kitchen-sink: unsure 🔍 -0% - +2% (-0.08ms - +0.40ms)
  ^{this-change vs tip-of-tree}

render

• lit-element-list: unsure 🔍 -1% - +1% (-0.66ms - +0.59ms)
  ^{this-change vs tip-of-tree}
• lit-html-kitchen-sink: unsure 🔍 -2% - +3% (-0.45ms - +0.90ms)
  ^{this-change vs tip-of-tree}
• lit-html-repeat: unsure 🔍 -3% - +0% (-0.35ms - +0.02ms)
  ^{this-change vs tip-of-tree}
• lit-html-template-heavy: slower ❌ 1% - 3% (0.61ms - 1.78ms)
  ^{this-change vs tip-of-tree}
• reactive-element-list: unsure 🔍 -2% - +1% (-0.85ms - +0.45ms)
  ^{this-change vs tip-of-tree}

update

• lit-element-list: unsure 🔍 -1% - +0% (-3.89ms - +2.31ms)
  ^{this-change vs tip-of-tree}
• lit-html-kitchen-sink: unsure 🔍 -1% - +4% (-0.63ms - +3.46ms)
  ^{this-change vs tip-of-tree}
• lit-html-repeat: unsure 🔍 -1% - +1% (-3.13ms - +2.88ms)
  ^{this-change vs tip-of-tree}
• lit-html-template-heavy: unsure 🔍 -0% - +2% (-0.45ms - +1.94ms)
  ^{this-change vs tip-of-tree}
• reactive-element-list: unsure 🔍 -1% - +0% (-4.55ms - +2.50ms)
  ^{this-change vs tip-of-tree}

update-reflect

• lit-element-list: unsure 🔍 -1% - +0% (-5.10ms - +0.81ms)
  ^{this-change vs tip-of-tree}
• reactive-element-list: unsure 🔍 -0% - +1% (-2.42ms - +6.87ms)
  ^{this-change vs tip-of-tree}

Results

lit-element-list

• Browser: chrome-headless 96.0.4664.45
• Sample size: 50
• Built by: Benchmarks #2047

• Commit: 69a7470

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	71.21ms - 72.06ms	-	unsure 🔍 -1% - +1% -0.66ms - +0.59ms	faster ✔ 21% - 23% 19.14ms - 21.04ms
tip-of-tree tip-of-tree	71.21ms - 72.13ms	unsure 🔍 -1% - +1% -0.59ms - +0.66ms	-	faster ✔ 21% - 23% 19.09ms - 21.03ms
previous-release previous-release	90.87ms - 92.58ms	slower ❌ 27% - 29% 19.14ms - 21.04ms	slower ❌ 27% - 29% 19.09ms - 21.03ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	636.79ms - 641.01ms	-	unsure 🔍 -1% - +0% -3.89ms - +2.31ms	faster ✔ 7% - 8% 50.89ms - 58.54ms
tip-of-tree tip-of-tree	637.42ms - 641.96ms	unsure 🔍 -0% - +1% -2.31ms - +3.89ms	-	faster ✔ 7% - 8% 50.01ms - 57.83ms
previous-release previous-release	690.43ms - 696.80ms	slower ❌ 8% - 9% 50.89ms - 58.54ms	slower ❌ 8% - 9% 50.01ms - 57.83ms	-

update-reflect

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	700.76ms - 705.43ms	-	unsure 🔍 -1% - +0% -5.10ms - +0.81ms	faster ✔ 4% - 5% 29.23ms - 38.15ms
tip-of-tree tip-of-tree	703.43ms - 707.06ms	unsure 🔍 -0% - +1% -0.81ms - +5.10ms	-	faster ✔ 4% - 5% 27.34ms - 35.76ms
previous-release previous-release	732.99ms - 740.59ms	slower ❌ 4% - 5% 29.23ms - 38.15ms	slower ❌ 4% - 5% 27.34ms - 35.76ms	-

lit-html-kitchen-sink

• Browser: chrome-headless 96.0.4664.45
• Sample size: 30
• Built by: Benchmarks #2047

• Commit: 69a7470

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	28.67ms - 29.79ms	-	unsure 🔍 -2% - +3% -0.45ms - +0.90ms	faster ✔ 13% - 17% 4.42ms - 6.10ms
tip-of-tree tip-of-tree	28.63ms - 29.39ms	unsure 🔍 -3% - +2% -0.90ms - +0.45ms	-	faster ✔ 14% - 18% 4.75ms - 6.21ms
previous-release previous-release	33.86ms - 35.12ms	slower ❌ 15% - 21% 4.42ms - 6.10ms	slower ❌ 16% - 22% 4.75ms - 6.21ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	79.93ms - 82.86ms	-	unsure 🔍 -1% - +4% -0.63ms - +3.46ms	faster ✔ 1% - 6% 0.53ms - 5.43ms
tip-of-tree tip-of-tree	78.56ms - 81.41ms	unsure 🔍 -4% - +1% -3.46ms - +0.63ms	-	faster ✔ 2% - 8% 1.97ms - 6.82ms
previous-release previous-release	82.41ms - 86.34ms	slower ❌ 1% - 7% 0.53ms - 5.43ms	slower ❌ 2% - 9% 1.97ms - 6.82ms	-

nop-update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	25.21ms - 25.62ms	-	unsure 🔍 -0% - +2% -0.08ms - +0.40ms	faster ✔ 12% - 14% 3.53ms - 4.25ms
tip-of-tree tip-of-tree	25.13ms - 25.37ms	unsure 🔍 -2% - +0% -0.40ms - +0.08ms	-	faster ✔ 13% - 15% 3.74ms - 4.37ms
previous-release previous-release	29.02ms - 29.60ms	slower ❌ 14% - 17% 3.53ms - 4.25ms	slower ❌ 15% - 17% 3.74ms - 4.37ms	-

lit-html-repeat

• Browser: chrome-headless 96.0.4664.45
• Sample size: 30
• Built by: Benchmarks #2047

• Commit: 69a7470

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	11.44ms - 11.68ms	-	unsure 🔍 -3% - +0% -0.35ms - +0.02ms	faster ✔ 8% - 10% 0.96ms - 1.21ms
tip-of-tree tip-of-tree	11.58ms - 11.87ms	unsure 🔍 -0% - +3% -0.02ms - +0.35ms	-	faster ✔ 6% - 8% 0.77ms - 1.07ms
previous-release previous-release	12.60ms - 12.69ms	slower ❌ 8% - 11% 0.96ms - 1.21ms	slower ❌ 6% - 9% 0.77ms - 1.07ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	282.39ms - 285.90ms	-	unsure 🔍 -1% - +1% -3.13ms - +2.88ms	faster ✔ 28% - 30% 112.15ms - 119.46ms
tip-of-tree tip-of-tree	281.83ms - 286.71ms	unsure 🔍 -1% - +1% -2.88ms - +3.13ms	-	faster ✔ 28% - 30% 111.66ms - 119.71ms
previous-release previous-release	396.75ms - 403.16ms	slower ❌ 39% - 42% 112.15ms - 119.46ms	slower ❌ 39% - 42% 111.66ms - 119.71ms	-

lit-html-template-heavy

• Browser: chrome-headless 96.0.4664.45
• Sample size: 50
• Built by: Benchmarks #2047

• Commit: 69a7470

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	53.31ms - 54.29ms	-	slower ❌ 1% - 3% 0.61ms - 1.78ms	faster ✔ 15% - 18% 9.63ms - 11.47ms
tip-of-tree tip-of-tree	52.28ms - 52.92ms	faster ✔ 1% - 3% 0.61ms - 1.78ms	-	faster ✔ 17% - 19% 10.91ms - 12.58ms
previous-release previous-release	63.57ms - 65.12ms	slower ❌ 18% - 21% 9.63ms - 11.47ms	slower ❌ 21% - 24% 10.91ms - 12.58ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	119.63ms - 121.59ms	-	unsure 🔍 -0% - +2% -0.45ms - +1.94ms	faster ✔ 11% - 13% 14.64ms - 18.51ms
tip-of-tree tip-of-tree	119.18ms - 120.55ms	unsure 🔍 -2% - +0% -1.94ms - +0.45ms	-	faster ✔ 11% - 14% 15.52ms - 19.12ms
previous-release previous-release	135.51ms - 138.85ms	slower ❌ 12% - 15% 14.64ms - 18.51ms	slower ❌ 13% - 16% 15.52ms - 19.12ms	-

reactive-element-list

• Browser: chrome-headless 96.0.4664.45
• Sample size: 50
• Built by: Benchmarks #2047

• Commit: 69a7470

render

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	51.68ms - 52.50ms	-	unsure 🔍 -2% - +1% -0.85ms - +0.45ms	unsure 🔍 -2% - +1% -1.01ms - +0.31ms
tip-of-tree tip-of-tree	51.79ms - 52.80ms	unsure 🔍 -1% - +2% -0.45ms - +0.85ms	-	unsure 🔍 -2% - +1% -0.87ms - +0.57ms
previous-release previous-release	51.93ms - 52.96ms	unsure 🔍 -1% - +2% -0.31ms - +1.01ms	unsure 🔍 -1% - +2% -0.57ms - +0.87ms	-

update

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	644.78ms - 649.54ms	-	unsure 🔍 -1% - +0% -4.55ms - +2.50ms	unsure 🔍 -1% - +0% -3.52ms - +2.79ms
tip-of-tree tip-of-tree	645.59ms - 650.78ms	unsure 🔍 -0% - +1% -2.50ms - +4.55ms	-	unsure 🔍 -0% - +1% -2.66ms - +3.99ms
previous-release previous-release	645.45ms - 649.60ms	unsure 🔍 -0% - +1% -2.79ms - +3.52ms	unsure 🔍 -1% - +0% -3.99ms - +2.66ms	-

update-reflect

Version	Avg time	vs this-change	vs tip-of-tree tip-of-tree	vs previous-release previous-release
this-change	743.81ms - 750.25ms	-	unsure 🔍 -0% - +1% -2.42ms - +6.87ms	unsure 🔍 -0% - +1% -0.96ms - +7.54ms
tip-of-tree tip-of-tree	741.45ms - 748.15ms	unsure 🔍 -1% - +0% -6.87ms - +2.42ms	-	unsure 🔍 -0% - +1% -3.29ms - +5.41ms
previous-release previous-release	740.97ms - 746.51ms	unsure 🔍 -1% - +0% -7.54ms - +0.96ms	unsure 🔍 -1% - +0% -5.41ms - +3.29ms	-

_{tachometer-reporter-action v2 for Benchmarks}

[justinfagnani]

Looks good, but we need a test that an error is thrown for a JSON-produced template result.