8000 FR: option to disable ArrayLike in collection-functions · Issue #5932 · lodash/lodash · GitHub
[go: up one dir, main page]
Skip to content

FR: option to disable ArrayLike in collection-functions #5932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rejetto opened this issue Oct 16, 2024 · 0 comments
Open

FR: option to disable ArrayLike in collection-functions #5932

rejetto opened this issue Oct 16, 2024 · 0 comments

Comments

@rejetto
Copy link
rejetto commented Oct 16, 2024

First, thanks for your work!
I've been using lodash for a decade and I just discovered that collection-related functions will iterate zero times on {length:0, a:1}.
In your documentation it's stated: collection (Array|Object): The collection to iterate over.
but I can hardly understand Object can be treated as ArrayLike, here.
I believe that most programmers will not expect this behavior, causing a security risk.
What if in a backend environment I validate a serialized object to decide it's safe

if (_.every(unsafeObject, validationFunction))
  riskyBusiness(unsafeObject)

This code will fail to block {name:invalidValue, length:0}.
I know this is by design, but even if the documentation was fixed, I see this as too easy to misinterpret.

Even now that I know, I fear to forget. Can you consider adding an option to disable this behavior?
Something like _.disableArrayLikeForCollections = true that I can put in a single point of my project, and feel safer.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rejetto
0