prevent apply/call/bind

dummdidumm · dummdidumm · commit aef04e50d1a6 · 2024-02-28T10:13:25.000+01:00
diff --git a/packages/svelte/src/compiler/errors.js b/packages/svelte/src/compiler/errors.js
@@ -91,6 +91,8 @@ const parse = {
 		`A component can have a single top-level <script> element and/or a single top-level <script context="module"> element`,
 	'invalid-render-expression': () => '{@render ...} tags can only contain call expressions',
 	'invalid-render-arguments': () => 'expected at most one argument',
+	'invalid-render-call': () =>
+		'Calling a snippet function using apply, bind or call is not allowed',
 	'invalid-render-spread-argument': () => 'cannot use spread arguments in {@render ...} tags',
 	'invalid-snippet-rest-parameter': () =>
 		'snippets do not support rest parameters; use an array instead'
diff --git a/packages/svelte/src/compiler/phases/2-analyze/validation.js b/packages/svelte/src/compiler/phases/2-analyze/validation.js
@@ -4,7 +4,8 @@ import {
 	get_parent,
 	is_expression_attribute,
 	is_text_attribute,
-	object
+	object,
+	unwrap_optional
 } from '../../utils/ast.js';
 import { warn } from '../../warnings.js';
 import fuzzymatch from '../1-parse/utils/fuzzymatch.js';
@@ -604,16 +605,22 @@ const validation = {
 		});
 	},
 	RenderTag(node, context) {
-		const raw_args =
-			node.expression.type === 'CallExpression'
-				? node.expression.arguments
-				: node.expression.expression.arguments;
+		const raw_args = unwrap_optional(node.expression).arguments;
 		for (const arg of raw_args) {
 			if (arg.type === 'SpreadElement') {
 				error(arg, 'invalid-render-spread-argument');
 			}
 		}
 
+		const callee = unwrap_optional(node.expression).callee;
+		if (
+			callee.type === 'MemberExpression' &&
+			callee.property.type === 'Identifier' &&
+			['bind', 'apply', 'call'].includes(callee.property.name)
+		) {
+			error(node, 'invalid-render-call');
+		}
+
 		const is_inside_textarea = context.path.find((n) => {
 			return (
 				n.type === 'SvelteElement' &&
diff --git a/packages/svelte/src/compiler/phases/3-transform/client/visitors/template.js b/packages/svelte/src/compiler/phases/3-transform/client/visitors/template.js
@@ -3,7 +3,8 @@ import {
 	extract_paths,
 	is_event_attribute,
 	is_text_attribute,
-	object
+	object,
+	unwrap_optional
 } from '../../../../utils/ast.js';
 import { binding_properties } from '../../../bindings.js';
 import {
@@ -1864,14 +1865,8 @@ export const template_visitors = {
 	},
 	RenderTag(node, context) {
 		context.state.template.push('<!>');
-		const callee =
-			node.expression.type === 'CallExpression'
-				? node.expression.callee
-				: node.expression.expression.callee;
-		const raw_args =
-			node.expression.type === 'CallExpression'
-				? node.expression.arguments
-				: node.expression.expression.arguments;
+		const callee = unwrap_optional(node.expression).callee;
+		const raw_args = unwrap_optional(node.expression).arguments;
 		const is_reactive =
 			callee.type !== 'Identifier' || context.state.scope.get(callee.name)?.kind !== 'normal';
 
diff --git a/packages/svelte/src/compiler/phases/3-transform/server/transform-server.js b/packages/svelte/src/compiler/phases/3-transform/server/transform-server.js
@@ -1,6 +1,11 @@
 import { walk } from 'zimmerframe';
 import { set_scope, get_rune } from '../../scope.js';
-import { extract_identifiers, extract_paths, is_event_attribute } from '../../../utils/ast.js';
+import {
+	extract_identifiers,
+	extract_paths,
+	is_event_attribute,
+	unwrap_optional
+} from '../../../utils/ast.js';
 import * as b from '../../../utils/builders.js';
 import is_reference from 'is-reference';
 import {
@@ -1141,14 +1146,8 @@ const template_visitors = {
 		state.init.push(anchor);
 		state.template.push(t_expression(anchor_id));
 
-		const callee =
-			node.expression.type === 'CallExpression'
-				? node.expression.callee
-				: node.expression.expression.callee;
-		const raw_args =
-			node.expression.type === 'CallExpression'
-				? node.expression.arguments
-				: node.expression.expression.arguments;
+		const callee = unwrap_optional(node.expression).callee;
+		const raw_args = unwrap_optional(node.expression).arguments;
 
 		const expression = /** @type {import('estree').Expression} */ (context.visit(callee));
 		const snippet_function = state.options.dev
diff --git a/packages/svelte/src/compiler/utils/ast.js b/packages/svelte/src/compiler/utils/ast.js
@@ -361,3 +361,12 @@ export function is_simple_expression(node) {
 
 	return false;
 }
+
+/**
+ * @template {import('estree').SimpleCallExpression | import('estree').MemberExpression} T
+ * @param {import('estree').ChainExpression & { expression : T } | T} node
+ * @returns {T}
+ */
+export function unwrap_optional(node) {
+	return node.type === 'ChainExpression' ? node.expression : node;
+}
diff --git a/packages/svelte/tests/compiler-errors/samples/render-tag-invalid-call/_config.js b/packages/svelte/tests/compiler-errors/samples/render-tag-invalid-call/_config.js
@@ -0,0 +1,8 @@
+import { test } from '../../test';
+
+export default test({
+	error: {
+		code: 'invalid-render-call',
+		message: 'Calling a snippet function using apply, bind or call is not allowed'
+	}
+});
diff --git a/packages/svelte/tests/compiler-errors/samples/render-tag-invalid-call/main.svelte b/packages/svelte/tests/compiler-errors/samples/render-tag-invalid-call/main.svelte
@@ -0,0 +1 @@
+{@render snippet.apply(null, [1, 2, 3])}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{@render snippet.apply(null, [1, 2, 3])}`