This bit of code is a potential maintenance issue:
var str = val.slice(0, val.lastIndexOf('.'))
, mac = exports.sign(str, secret);
We have three variables val, str, mac involved in some important logic and their names are confusing.
val is the incoming untrusted (but probably signed) input, e.g. "iamroot.f5da773d717015ffd4ffa4d0f9a87ed57b30811a", or "iamroot.b629a45f1f6175ddcddfbaac08dd2562" or "will.i.am" or "moe" or "\\"><script>alert('gotcha')</script>" or "" [or in a buggy app 42 or undefined or [Object object]]
str is the value we would like to return, iff it was signed by us, e.g. "iamroot"
mac is what val should be, if str were signed by us, e.g. "iamroot.f5da773d717015ffd4ffa4d0f9a87ed57b30811a"
Maybe rename these something like:
val → input
str → tentativeResult
mac → originalOutput [???]
Not urgent.
Like you said though this is not urgent, otherwise I would have created a PR for this myself. I'll let the maintainers decide whether this is beneficial.
Thanks, yeah I like your "expected" terminology since its meaning is pretty clear. No worries about the PR since I don't plan on changing this just for its own sake. Rather, my thinking is to wait until (if…) the code were changing anyway…and so far there's been no reason for other maintenance.
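An added example, not part of the thread and not the library's own code: one way the verification step could read with the names discussed above (`input`, `tentativeResult`, and `expected` for the recomputed signed value), covering the kinds of input listed in the issue. The hex HMAC-SHA256 `sign` helper, the secret and the sample inputs are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical signer (assumption): "<value>.<hex HMAC-SHA256 of value>".
function sign(value, secret) {
  const tag = crypto.createHmac('sha256', secret).update(value).digest('hex');
  return value + '.' + tag;
}

// Returns the original value if `input` was signed with `secret`, else false.
function unsign(input, secret) {
  // Untrusted input may not even be a string (42, undefined, an object).
  if (typeof input !== 'string') return false;

  // No dot means no signature at all ("moe", ""). Without this check,
  // slice(0, -1) would silently drop the last character instead.
  const lastDot = input.lastIndexOf('.');
  if (lastDot === -1) return false;

  // The value we would like to return, if and only if the signature matches.
  const tentativeResult = input.slice(0, lastDot);

  // What `input` should be, byte for byte, if tentativeResult were signed by us.
  const expected = sign(tentativeResult, secret);

  // timingSafeEqual throws on buffers of unequal length, so compare lengths first.
  const inputBuf = Buffer.from(input);
  const expectedBuf = Buffer.from(expected);
  if (inputBuf.length !== expectedBuf.length) return false;

  return crypto.timingSafeEqual(inputBuf, expectedBuf) ? tentativeResult : false;
}

// Constructed sample inputs mirroring the categories in the issue.
const SECRET = 'constructed-demo-secret';
const samples = [
  sign('iamroot', SECRET),                      // genuinely signed
  'iamroot.b629a45f1f6175ddcddfbaac08dd2562',   // wrong signature
  'will.i.am',                                  // dots, but unsigned
  'moe',                                        // no dot
  '',                                           // empty
  42,                                           // non-string from a buggy caller
  undefined,
];

function checkSamples() {
  return samples.map((input) => unsign(input, SECRET));
}
```
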