0

I am creating a web application which parses URLS for route parameters for client look ups.

Example: www.example.com#userId=5

Ignore security loop holes on that.

I noticed that when navigating to the page, it would call: onRouteParams(Map params) in PolymerDart. This would have the list of parameters. I would then say something like:

int id = params.containsKey("userId") ? params["userId"] : -1;

It would assign it to there. I then attempted to print out the variables

#userId=5
userId: 5, Type: int
id: 5, idType: int

and I changed the passed in parameter to be hodor

#userId=hodor
userId: hodor, Type: String
id: hodor, idType: String

This issue I had noticed, creates an issue because you are going to carry out code related to it being an int, but done on a string. So the converted javascript is going to not be solid at all.

In Dartium the issue is caught:

VM367:1 EXCEPTION: NoSuchMethodError: Class 'String' has no instance method '<='.
Receiver: "hodor"
Tried calling: <=(0)

So this makes me curious if I am doing something wrong.

When dealing with the build as per the documents it will handle Self->Self understanding. But when dealing with URLs this is something that is outside of the scope.

So if we are reliant on something public, such as URL params, will that function onRouteParams or other have to be designed more so like this?

onRouteParams(Map params){
    int id = params.containsKey("userId") ? params["userId"] : -1;
    if( ! id is int ){
       #error in logic because type of id was overridden to string
    }

    if (id == -1){
        #user id not in params, follow perscribed workflow.
    }
}

A base fundamental of logic would say the parameters of a function are validated. Here it isnt really the case because it is valid, it is a MAP. The issue that i was curious about is that when you do assignment, it should validate that it is what it is suppose to be.

Something like:

int id = params["id"];

should be parsed to javascript as: (like this polyfill: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isInteger)

if (Number.isInteger(params["id"]){
    var id = params["id"];
}else{
    throw new TypeError("not castable string attempting to cast to int");
}

or similar.

This is an error i have run into which upon going back on happens all throughout application code and could be an issue throughout other peoples applications unknowning.

If you have to ask "Why would someone accidently put foo into the url param" the logic reasoning is that if they want to save the URL and paste it somewhere else, they might accidently tap the v one too many times, so the last parameter would be: www.example.com#userId=5vwhich would instantly cast userId to a string and causing this kind of issue to happen.

I was looking into strong mode, and how it builds the application for dart2js, how routed parameters are defined, etc. Seems that this issue isn't really addressed.

All of the tags are relevant because maybe there is some aspect I am missing that someone else has figured out. It definitely seems like a dart typing issue which came to light due to routing.

Fallenreaper
  • 10,222
  • 12
  • 66
  • 129
  • Not sure what the problem is. Values from the URL are always strings and never ints, except when you convert them. – Günter Zöchbauer May 10 '17 at 19:55
  • that's what i thought too. Seemed like it converted them into ints. So the parameter was an int, was assigned to an int. URL is a string, but somewhere it seems to parse it to an int. Then the parameter was a proper string it kept it as a string, despite being assigned to an int. I was thinking a type error would happen. im not sure why or how the parameters are getting set to types. I too thought that it should be all strings, but when i saw cases of ints being printed, it felt like there was auto casting – Fallenreaper May 10 '17 at 21:03
  • There should never be auto-casting in Dart (except between `int` and `double` in the browser). Perhaps because calling out to JS but I don't know what above code does. Polymer is mostly about calling JS. – Günter Zöchbauer May 11 '17 at 03:16
  • You're certainly right there. I was looking at it on a deeper level, following this route params up the chain. At first, I had made the mistake that `onRouteParams` was a PolymerElement function I could leverage, which was wrong. It was created by a lateral framework team. Following it up the chain though to higher components I see it as just a passed map. You are certainly right, so this concept of route params, needs to be parsed by type too. Not saying that the question is wrong either, variables should validate their types more instead of casting to something else behind the scenes. – Fallenreaper May 11 '17 at 13:51
  • But Dart doesn't do any casting behind the scenes at all. I'm not sure from your last comment if JS is involved or not, but if you get Data from JS to Dart and it doesn't have the expected type then it will probably cause troubles in Dart. – Günter Zöchbauer May 11 '17 at 14:07
  • mmm. i guess the Types are really just for development purposes to make sure things line up but when running mean nothing. – Fallenreaper May 11 '17 at 21:04
  • 1
    During development checked mode is used, in production typers are not checkrd. This will change in Dart 2.0 AFAIK. – Günter Zöchbauer May 12 '17 at 02:55
  • In Dart 2.0 it will be named strong mode which is already supported in the analyzer but not at runtime (at least not fully). – Günter Zöchbauer May 12 '17 at 07:15

0 Answers0