StringTemplates deferred evaluation

[Jim Laskey]

There was a discussion about this on this list a while back. The issue is that deferred evaluation could provide a gapping vulnerability.

You can get the effect you want by using Suppler objects as embedded expressions. I posted a logging example using a timestamp Supplier. The Suppler was evaluated by the processor. 

In the new world we are working on, the same thing can done. The plan is to provide a mapValues method as in st.mapValues(v -> v instanceof Supplier S ? S.get() : v). 

— Jim

📱

> On Mar 17, 2024, at 12:14 PM, Justin Spindler <justin.spindler at gmail.com> wrote:
> 
> 
> I was toying around with the second preview of StringTemplates and I had a question regarding their design.  I was wondering if it had been considered for the embedded expressions to be evaluated lazily?
> 
> One of the first use cases that came to mind when I was exploring StringTemplates is logging.  That is an extremely common case where we want to produce a form of interpolated value, and the current syntax generally has the same concerns that a formatted string would, in that the inputs are removed from where they are defined within the message format.  However, if the log message is below the log level threshold you generally don't want to incur the cost of building the message, including evaluating those embedded expressions.  Log libraries typically offer a mechanism to defer evaluation via Suppliers, but that feels like it would be a challenge to use within StringTemplate.
> 
> C# is an example of a language that offers this functionality via FormattableString, which gives a method the ability to choose whether or not to interpret the template or evaluate the expressions.  That allows logging below threshold to be more or less a no-op.
> 
>