chore: form state rework (#14771)

We now use `$state` instead of `$state.raw` for the internal representation of `value()/set(...)`. This has several advantages: - we can get rid of the version code which became quite a bit - you can put a `$state` object yourself into `set(...)` and then just push to it, making array operations very easy (closes #14662) - fine-grained without any additional footwork The reason I made this `$state.raw` originally is so that `fields.x.value()` would fire even if something within `x` would update, but honestly that's a bad reason looking back. You _can_ get that behavior by running JSON.stringify on the result, or you just access the properties you care about and it will all take care of it automatically. The one drawback is that prototype pollution prevention became a tiny but trickier, we now have to check for a set of keys. We should consider changing `$state` in Svelte itself to also proxify `Object.create(null)`

Author: dummdidumm

.changeset/young-pans-matter.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: rework internal representation of form value to be `$state`

packages/kit/src/runtime/app/server/remote/form.js

@@ -11,7 +11,7 @@ import {
 deep_set,
 normalize_issue,
 flatten_issues
-} from '../../../form-utils.svelte.js';
+} from '../../../form-utils.js';
 import { get_cache, run_remote_function } from './shared.js';
 
 /**
@@ -215,7 +215,6 @@ export function form(validate_or_fn, maybe_fn) {
 return create_field_proxy(
 {},
 () => data?.input ?? {},
-() => {},
 (path, value) => {
 if (data?.submission) {
 // don't override a submission
@@ -318,7 +317,7 @@ function handle_issues(output, issues, is_remote_request, form_data) {
 
 if (is_array) key = key.slice(0, -2);
 
-output.input = set_nested_value(
+set_nested_value(
 /** @type {Record<string, any>} */ (output.input),
 key,
 is_array ? values : values[0]

packages/kit/src/runtime/client/remote-functions/form.svelte.js

@@ -17,10 +17,9 @@ import {
 deep_set,
 set_nested_value,
 throw_on_old_property_access,
-split_path,
 build_path_string,
 normalize_issue
-} from '../../form-utils.svelte.js';
+} from '../../form-utils.js';
 
 /**
  * Merge client issues into server issues. Server issues are persisted unless
@@ -60,24 +59,9 @@ export function form(id) {
 const action = '?/remote=' + encodeURIComponent(action_id);
 
 /**
- * By making this $state.raw() and creating a new object each time we update it,
- * all consumers along the update chain are properly invalidated.
  * @type {Record<string, string | string[] | File | File[]>}
  */
-let input = $state.raw({});
-
-// TODO 3.0: Remove versions state and related logic; it's a workaround for $derived not updating when created inside $effects
-/**
- * This allows us to update individual fields granularly
- * @type {Record<string, number>}
- */
-const versions = $state({});
-
-/**
- * This ensures that `{field.value()}` is updated even if the version hasn't been initialized
- * @type {Set<string>}
- */
-const version_reads = new Set();
+let input = $state({});
 
 /** @type {InternalRemoteFormIssue[]} */
 let raw_issues = $state.raw([]);
@@ -101,16 +85,6 @@ export function form(id) {
 
 let submitted = false;
 
-function update_all_versions() {
-for (const path of version_reads) {
-versions[path] ??= 0;
-}
-
-for (const key of Object.keys(versions)) {
-versions[key] += 1;
-}
-}
-
 /**
  * @param {FormData} form_data
  * @returns {Record<string, any>}
@@ -235,8 +209,6 @@ export function form(id) {
 if (issues.$) {
 release_overrides(updates);
 } else {
-update_all_versions();
-
 if (form_result.refreshes) {
 refresh_queries(form_result.refreshes, updates);
 } else {
@@ -386,7 +358,7 @@ export function form(id) {
 }
 }
 
-input = set_nested_value(input, name, value);
+set_nested_value(input, name, value);
 } else if (is_file) {
 if (DEV && element.multiple) {
 throw new Error(
@@ -397,7 +369,7 @@ export function form(id) {
 const file = /** @type {HTMLInputElement & { files: FileList }} */ (element).files[0];
 
 if (file) {
-input = set_nested_value(input, name, file);
+set_nested_value(input, name, file);
 } else {
 // Remove the property by setting to undefined and clean up
 const path_parts = name.split(/\.|\[|\]/).filter(Boolean);
@@ -409,7 +381,7 @@ export function form(id) {
 delete current[path_parts[path_parts.length - 1]];
 }
 } else {
-input = set_nested_value(
+set_nested_value(
 input,
 name,
 element.type === 'checkbox' && !element.checked ? null : element.value
@@ -418,17 +390,7 @@ export function form(id) {
 
 name = name.replace(/^[nb]:/, '');
 
-versions[name] ??= 0;
-versions[name] += 1;
-
-const path = split_path(name);
-
-while (path.pop() !== undefined) {
-const name = build_path_string(path);
-
-versions[name] ??= 0;
-versions[name] += 1;
-}
+touched[name] = true;
 });
 
 form.addEventListener('reset', async () => {
@@ -437,7 +399,6 @@ export function form(id) {
 await tick();
 
 input = convert_formdata(new FormData(form));
-update_all_versions();
 });
 
 return () => {
@@ -530,28 +491,14 @@ export function form(id) {
 create_field_proxy(
 {},
 () => input,
-(path) => {
-version_reads.add(path);
-versions[path];
-},
 (path, value) => {
 if (path.length === 0) {
 input = value;
-update_all_versions();
 } else {
-input = deep_set(input, path.map(String), value);
+deep_set(input, path.map(String), value);
 
 const key = build_path_string(path);
-versions[key] ??= 0;
-versions[key] += 1;
 touched[key] = true;
-
-const parent_path = path.slice();
-while (parent_path.pop() !== undefined) {
-const parent_key = build_path_string(parent_path);
-versions[parent_key] ??= 0;
-versions[parent_key] += 1;
-}
 }
 },
 () => issues

packages/kit/src/runtime/form-utils.svelte.js renamed to packages/kit/src/runtime/form-utils.js

@@ -3,12 +3,9 @@
 /** @import { StandardSchemaV1 } from '@standard-schema/spec' */
 
 import { DEV } from 'esm-env';
-import * as svelte from 'svelte';
-// Svelte 4 and under don't have `untrack` - you'll not be able to use remote functions with Svelte 4 but this will still be loaded
-const untrack = svelte.untrack ?? ((value) => value());
 
 /**
- * Sets a value in a nested object using a path string, not mutating the original object but returning a new object
+ * Sets a value in a nested object using a path string, mutating the original object
  * @param {Record<string, any>} object
  * @param {string} path_string
  * @param {any} value
@@ -22,7 +19,7 @@ export function set_nested_value(object, path_string, value) {
 value = value === 'on';
 }
 
-return deep_set(object, split_path(path_string), value);
+deep_set(object, split_path(path_string), value);
 }
 
 /**
@@ -31,7 +28,7 @@ export function set_nested_value(object, path_string, value) {
  */
 export function convert_formdata(data) {
 /** @type {Record<string, any>} */
-let result = Object.create(null); // guard against prototype pollution
+const result = {};
 
 for (let key of data.keys()) {
 if (key.startsWith('sveltekit:')) {
@@ -61,7 +58,7 @@ export function convert_formdata(data) {
 values = values.map((v) => v === 'on');
 }
 
-result = set_nested_value(result, key, is_array ? values : values[0]);
+set_nested_value(result, key, is_array ? values : values[0]);
 }
 
 return result;
@@ -81,18 +78,32 @@ export function split_path(path) {
 }
 
 /**
- * Sets a value in a nested object using an array of keys.
- * Does not mutate the original object; returns a new object.
+ * Check if a property key is dangerous and could lead to prototype pollution
+ * @param {string} key
+ */
+function check_prototype_pollution(key) {
+if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+throw new Error(
+`Invalid key "${key}"` +
+(DEV ? ': This key is not allowed to prevent prototype pollution.' : '')
+);
+}
+}
+
+/**
+ * Sets a value in a nested object using an array of keys, mutating the original object.
  * @param {Record<string, any>} object
  * @param {string[]} keys
  * @param {any} value
  */
 export function deep_set(object, keys, value) {
-const result = Object.assign(Object.create(null), object); // guard against prototype pollution
-let current = result;
+let current = object;
 
 for (let i = 0; i < keys.length - 1; i += 1) {
 const key = keys[i];
+
+check_prototype_pollution(key);
+
 const is_array = /^\d+$/.test(keys[i + 1]);
 const exists = key in current;
 const inner = current[key];
@@ -101,18 +112,16 @@ export function deep_set(object, keys, value) {
 throw new Error(`Invalid array key ${keys[i + 1]}`);
 }
 
-current[key] = is_array
-? exists
-? [...inner]
-: []
-: // guard against prototype pollution
-Object.assign(Object.create(null), inner);
+if (!exists) {
+current[key] = is_array ? [] : {};
+}
 
 current = current[key];
 }
 
-current[keys[keys.length - 1]] = value;
-return result;
+const final_key = keys[keys.length - 1];
+check_prototype_pollution(final_key);
+current[final_key] = value;
 }
 
 /**
@@ -196,18 +205,14 @@ export function deep_get(object, path) {
  * Creates a proxy-based field accessor for form data
  * @param {any} target - Function or empty POJO
  * @param {() => Record<string, any>} get_input - Function to get current input data
- * @param {(path: string) => void} depend - Function to make an effect depend on a specific field
  * @param {(path: (string | number)[], value: any) => void} set_input - Function to set input data
  * @param {() => Record<string, InternalRemoteFormIssue[]>} get_issues - Function to get current issues
  * @param {(string | number)[]} path - Current access path
  * @returns {any} Proxy object with name(), value(), and issues() methods
  */
-export function create_field_proxy(target, get_input, depend, set_input, get_issues, path = []) {
-const path_string = build_path_string(path);
-
+export function create_field_proxy(target, get_input, set_input, get_issues, path = []) {
 const get_value = () => {
-depend(path_string);
-return untrack(() => deep_get(get_input(), path));
+return deep_get(get_input(), path);
 };
 
 return new Proxy(target, {
@@ -216,7 +221,7 @@ export function create_field_proxy(target, get_input, depend, set_input, get_iss
 
 // Handle array access like jobs[0]
 if (/^\d+$/.test(prop)) {
-return create_field_proxy({}, get_input, depend, set_input, get_issues, [
+return create_field_proxy({}, get_input, set_input, get_issues, [
 ...path,
 parseInt(prop, 10)
 ]);
@@ -229,17 +234,11 @@ export function create_field_proxy(target, get_input, depend, set_input, get_iss
 set_input(path, newValue);
 return newValue;
 };
-return create_field_proxy(set_func, get_input, depend, set_input, get_issues, [
-...path,
-prop
-]);
+return create_field_proxy(set_func, get_input, set_input, get_issues, [...path, prop]);
 }
 
 if (prop === 'value') {
-return create_field_proxy(get_value, get_input, depend, set_input, get_issues, [
-...path,
-prop
-]);
+return create_field_proxy(get_value, get_input, set_input, get_issues, [...path, prop]);
 }
 
 if (prop === 'issues' || prop === 'allIssues') {
@@ -259,10 +258,7 @@ export function create_field_proxy(target, get_input, depend, set_input, get_iss
 }));
 };
 
-return create_field_proxy(issues_func, get_input, depend, set_input, get_issues, [
-...path,
-prop
-]);
+return create_field_proxy(issues_func, get_input, set_input, get_issues, [...path, prop]);
 }
 
 if (prop === 'as') {
@@ -411,14 +407,11 @@ export function create_field_proxy(target, get_input, depend, set_input, get_iss
 });
 };
 
-return create_field_proxy(as_func, get_input, depend, set_input, get_issues, [
-...path,
-'as'
-]);
+return create_field_proxy(as_func, get_input, set_input, get_issues, [...path, 'as']);
 }
 
 // Handle property access (nested fields)
-return create_field_proxy({}, get_input, depend, set_input, get_issues, [...path, prop]);
+return create_field_proxy({}, get_input, set_input, get_issues, [...path, prop]);
 }
 });
 }

packages/kit/src/runtime/form-utils.spec.js

@@ -1,5 +1,5 @@
 import { describe, expect, test } from 'vitest';
-import { convert_formdata, split_path } from './form-utils.svelte.js';
+import { convert_formdata, split_path } from './form-utils.js';
 
 describe('split_path', () => {
 const good = [
@@ -73,4 +73,20 @@ describe('convert_formdata', () => {
 }
 });
 });
+
+const pollution_attacks = [
+'__proto__.polluted',
+'constructor.polluted',
+'prototype.polluted',
+'user.__proto__.polluted',
+'user.constructor.polluted'
+];
+
+for (const attack of pollution_attacks) {
+test(`prevents prototype pollution: ${attack}`, () => {
+const data = new FormData();
+data.append(attack, 'bad');
+expect(() => convert_formdata(data)).toThrow(/Invalid key "/);
+});
+}
 });