StringTemplates deferred evaluation
Remi Forax
forax at univ-mlv.fr
Mon Mar 18 08:52:42 UTC 2024
----- Original Message -----
> From: "Jim Laskey" <james.laskey at oracle.com>
> To: "Justin Spindler" <justin.spindler at gmail.com>
> Cc: "amber-dev" <amber-dev at openjdk.org>
> Sent: Sunday, March 17, 2024 6:28:07 PM
> Subject: Re: StringTemplates deferred evaluation
> There was a discussion about this on this list a while back. The issue is that
> deferred evaluation could provide a gapping vulnerability.
>
> You can get the effect you want by using Suppler objects as embedded
> expressions. I posted a logging example using a timestamp Supplier. The Suppler
> was evaluated by the processor.
>
> In the new world we are working on, the same thing can done. The plan is to
> provide a mapValues method as in st.mapValues(v -> v instanceof Supplier S ?
> S.get() : v).
Hello Jim,
I think i would prefer the method interpolate to take a Function<Object, String> instead of having a method mapValues, to force users to think about escaping at least the values even if users can still use st.interpolate(String::valueOf).
>
> — Jim
>
> 📱
regards,
Rémi
>
>> On Mar 17, 2024, at 12:14 PM, Justin Spindler <justin.spindler at gmail.com> wrote:
>>
>>
>> I was toying around with the second preview of StringTemplates and I had a
>> question regarding their design. I was wondering if it had been considered for
>> the embedded expressions to be evaluated lazily?
>>
>> One of the first use cases that came to mind when I was exploring
>> StringTemplates is logging. That is an extremely common case where we want to
>> produce a form of interpolated value, and the current syntax generally has the
>> same concerns that a formatted string would, in that the inputs are removed
>> from where they are defined within the message format. However, if the log
>> message is below the log level threshold you generally don't want to incur the
>> cost of building the message, including evaluating those embedded expressions.
>> Log libraries typically offer a mechanism to defer evaluation via Suppliers,
>> but that feels like it would be a challenge to use within StringTemplate.
>>
>> C# is an example of a language that offers this functionality via
>> FormattableString, which gives a method the ability to choose whether or not to
>> interpret the template or evaluate the expressions. That allows logging below
>> threshold to be more or less a no-op.
>>
More information about the amber-dev
mailing list