Pre-compute all paths to functions in the provided exposedMethods object

[chriscalo]

Use Object.keys() to navigate all possible paths that point to a function.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/keys

[chriscalo]

To accomplish this we might need the following functions:

function isPrimitiveOrBoxed(value) {}
function isCallable(value) {}
function getEntries(value) {}

• function isPrimitiveOrBoxed(value) {}
• function isCallable(value) {}
• function getNonNativeEntries(value) {}

Once these work they could be assembled something like the following:

function* deepEntries(value) {
  if (isPrimitiveOrBoxed(value)) {
    return;
  }
  
  if (isCallable(value)) {
    // register path to callable
    yield { path: [], callable: value };
  }
  
  for (const [k, v] of getNonNativeEntries(value)) {
    for (const { path, callable } of deepEntries(v)) {
      yield { path: [k, ...path], callable };
    }
  }
}

• start at the root value
• ignore primitive and boxed primitive values
  • if value is nullish (null or undefined) => ignore and exit
  • if value is a boxed primitive => ignore and exit
  • if value is a primitive => ignore and exit
• if value is a function:
  • if value is a class, it's constructible but not callable, so don't allow calling it, but consider it for digging into its keys
  • otherwise, make it available for calling
• get all keys and recurse into each value
  • if value has keys (including objects, functions, etc), enumerate them
    • construct the prototype chain for the value
    • exclude any built-in prototype objects (Object.prototype, Array.prototype, Function.prototype, etc)
    • get all key–value pairs, considering that keys higher in the prototype chain shadow everything lower
  • recurse into each value and repeat this algorithm

Libraries for getting the prototype chain:

• https://www.npmjs.com/package/protochain
• https://www.npmjs.com/package/class-chain

[chriscalo]

Tests:

• must work for plain objects: { foo() {} }
• must work for nested objects: { foo: { bar() {} } }
• must work for class instance methods: new class { foo() {} }
• must work for static class methods: class { static foo() {} }
• must not expose methods of built-ins like String, Array, Object
  • examples include constructor(), toString(), etc
• must not expose non-callables (class functions or non-functions)

[chriscalo]

This is proving to be quite a heavy lift.

Instead, it might make sense to keep the logic the same as today, but layer in:

• with each property access:
• don't allow navigating to a primitive or boxed primitive
• only allow calling callables (not just any function)
• don't allow navigating to native / built-in prototypes

[chriscalo]

Maybe the simplest method is:

• for each property access:
• compute the prototype chain for the value whose properties are being accessed
• check each value in the prototype chain for the property being accessed
• if it's from a native prototype object, disallow access to the property
• then retrieve the value for the property
• disqualify the value if it's a primitive, boxed primitive, constructable, etc
• at this point the value should either be a callable or an object
• of we are trying to invoke it, ensure it's a callable first
• otherwise, proceed with deeper property access