Telegram Application
Telegram for Android, Telegram for iOS
Describe the Bug
The class methods viewport.safeAreaInsets() and viewport.contentSafeAreaInsets() do not handle object referencing properly. If a consumer modifies the returned object, it permanently affects the internal state of the instance. Subsequent calls to these methods will return the mutated object.
Technical Analysis:
The issue stems from the Stateful class implementation. Specifically, the computed getter directly returns the result of the state function:
computed(() => this._state()[key])
Since the computed function simply returns fn(), it passes the reference of the internal state object directly to the caller. If the state property is a nested object (like SafeAreaInsets), the caller can modify its properties (e.g., insets.top = 0), which directly mutates the library's internal state.
To Reproduce
Steps to reproduce the behavior:
const safeAreaInsets = viewport.safeAreaInsets()
console.log(safeAreaInsets.top) // 43
safeAreaInsets.top += 100
console.log(safeAreaInsets.top) // 143
console.log(viewport.safeAreaInsets().top) // 143
Expected Behavior
The methods should return a cloned instance or a read-only proxy of the state to prevent external mutation from affecting the library's internal data.
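The aliasing described above and one of the two suggested fixes (a frozen clone), as an added example that is not part of the original report and not the SDK's source. The `Stateful` stand-in, `frozenSnapshot`, `makeViewport`, `reproduce` and the `protect` option are hypothetical names; the sample state is constructed.

```javascript
// Stand-in for the pattern in the report; names are hypothetical, not the SDK's source.
const computed = (fn) => () => fn();

// Recursively copy plain objects/arrays and freeze the copy.
function frozenSnapshot(value) {
  if (value === null || typeof value !== 'object') return value;
  const copy = Array.isArray(value) ? [] : {};
  for (const [k, v] of Object.entries(value)) copy[k] = frozenSnapshot(v);
  return Object.freeze(copy);
}

class Stateful {
  constructor(initial, { protect }) {
    let state = initial;
    this._state = () => state;
    this.protect = protect;
  }
  getter(key) {
    return this.protect
      ? computed(() => frozenSnapshot(this._state()[key])) // caller gets a frozen copy
      : computed(() => this._state()[key]);                // caller gets the internal object
  }
}

// Constructed sample state; 43 matches the value shown in the reproduction.
function makeViewport(protect) {
  const s = new Stateful(
    { safeAreaInsets: { top: 43, bottom: 0, left: 0, right: 0 } },
    { protect },
  );
  return { safeAreaInsets: s.getter('safeAreaInsets') };
}

// Repeat the reproduction steps and report what a later read returns.
function reproduce(protect) {
  const viewport = makeViewport(protect);
  const insets = viewport.safeAreaInsets();
  let threw = false;
  try {
    insets.top += 100; // TypeError in strict mode on a frozen object, ignored otherwise
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return { laterRead: viewport.safeAreaInsets().top, frozen: Object.isFrozen(insets), threw };
}

console.log(reproduce(false)); // internal state mutated by the caller
console.log(reproduce(true));  // internal state intact
```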