#Access Record<string,string> with square brackets [] safely

Trying to access a record with brackets

export interface RecordValue {
    value: string
}

export const TestRecords: Record<string, RecordValue> = {
    Test0: { value: 'TestValue0' },
    Test1: { value: 'TestValue1' },
    Test2: { value: 'TestValue2' },
}

const foo = (string: string): void => {
// eslint-disable-next-line no-unused-expressions
    TestRecords[string].value
}

How to I do this without disabling eslint-disable-next-line no-unused-expressions

Access Record<string,string> with square brackets [] safely

by using it

you're getting that value out, you just aren't doing anything with the result. this isn't related to safety

It works but I don't want to have to disable the linter rule

you don't have to disable it

just use that expression

The problem with Record<string, T> is you're saying it can have any string key. This means the compiler will allow TestRecords["foo"] even tho foo is not a key in TestRecords

If you want to access it safely, either don't declare it as a Record, or declare the keys explicitly,

// example 1
export const TestRecords = {
    Test0: { value: 'TestValue0' },
    Test1: { value: 'TestValue1' },
    Test2: { value: 'TestValue2' },
}

const foo = (key: keyof typeof TestRecords): string => {
    return TestRecords[key].value
}

// example 2
type TestRecordKeys = "Test0" | "Test1" | "Test2";
export const TestRecords: Record<TestRecordKeys, RecordValue> = {
    Test0: { value: 'TestValue0' },
    Test1: { value: 'TestValue1' },
    Test2: { value: 'TestValue2' },
}

const foo = (key: TestRecordKeys): string => {
    return TestRecords[key].value
}

@eager lotus You can turn on noUncheckedIndexedAccess and it fixes that issue without needing to avoid Record.

Sometimes you really do want Record<string, Type> because you don't have a known list of keys, unlike both of your examples.

Thanks. Work in company of one and never done either javascript or typescript so been challenging. We'll doing it right.

have you done other languages before?

Lots, rust, c++, cobol, assembley, java, c#... Someone put this warning in the linter with forethought one would hope and reading the explanation made sence, so want to fix properly. Again thanks, I believe twice now for me, for answering.

Hi, Tried the suggestion and still getting error

export const TestRecords: Record<string, RecordValue> = {
    Test0: { value: 'TestValue0' },
    Test1: { value: 'TestValue1' },
    Test2: { value: 'TestValue2' },
}

const foo = (test: keyof typeof BRATPages): void => {
    const a = TestRecords[test].value
}

And with approach 2

type TestRecordKeys = 'Test0' | 'Test1' | 'Test2'

export const TestRecords: Record<TestRecordKeys, RecordValue> = {
    Test0: { value: 'TestValue0' },
    Test1: { value: 'TestValue1' },
    Test2: { value: 'TestValue2' },
}

const foo = (test: TestRecordKeys): void => {
    const a = TestRecords[test].value
}

Not familiar with whatever lint rule that is, you might need to look at theird coumentation for why they think that's a problem

I think it basically says no [] without constructor so for numbers you can do Number(myKey), for String you can do String(myKey). Just not sure how to do a keyof

i don't think that's relevant

https://github.com/eslint-community/eslint-plugin-security/blob/main/docs/rules/detect-object-injection.md

no [] without constructor
this doesn't really make sense

Yeah, this seems pretty odd.

wow, security is paranoid as hell. this is the second rule ive seen people ask about and it's just.. nonsensical for most people

Well is the thing was a number you could do

const a = TestRecords[Number(test)].value

no, this is irrelevant.

that rule just says, no dynamic property access.

JS already coerces object lookups to strings, so wrapping it in String(test) wouldn't do anything anyway.

yes. IT english not great but basically yes

No, didnt't write the rules, just been asked to follow them

well, unless it was a symbol...

[technicallycorrect.gif]

who's telling you to use these rules? didn't you say you were in a company of 1

They hired someone for the code review Sigh!

Been running a year

i mustve misunderstood that earlier comment then

No third-party

just me, on my lonesome

...so are you working alone or not?

Looks fine here https://www.typescriptlang.org/play/?#code/PTAEFMA8EMFsAcA25QEYBQBvdpQGMB7AOwGcAXUAFXHICVxCAnAExNAF5RtddryAGAFxdQAN2iIAruGEByPmQBqE6f1mgAvgBocPBamGYxKmaHk0lJ1Ou27eFgEyHjU0+fLLXDmztwb0uoSkFABmBAQcoAAUANbgAJ7CcfEEIaBk8fDgqVQW9EysAJTC5IwAlkQA5hwAfFx2oIzgZJKMRLl0DAQsJADayQC6AHTirrr+-uggEDAIyKAOWLoZWaD53cye0pFGo9IlZOVVmsuZKArrLADSCWycAEQK-PegAD6gjxaoL++f5A73ADcgWI5A6ZEurGEkIAPBcutdblo1gjNiY6pxuHoLEIRHs3AotuA1JpfNjyAY8SY5ISrD4GgonFTXDSLETvKTxgFcEEwWEIpxYglhPCCjd4iRiqBShVquw6lieI1mq12qKNn1BiMTFyNEA

@eager lotus Here's a shortened URL of your playground link! You can remove the full link from your message.

Well, if you must follow this lint rule, I'm think the only fix here is:

type TestRecordKeys = "Test0" | "Test1" | "Test2";
export const TestRecords: Record<TestRecordKeys, RecordValue> = {
    Test0: { value: 'TestValue0' },
    Test1: { value: 'TestValue1' },
    Test2: { value: 'TestValue2' },
}

const foo = (key: TestRecordKeys): string => {
    if(key === "Test0") return TestRecords.Test0;
    if(key === "Test1") return TestRecords.Test1;
    if(key === "Test2") return TestRecords.Test2;
    let _: never = key; // Check that you've handled all the cases
    throw new Error("Missed one");
}

Yes alone. They had a third-party review

switch and never?

Or switch, yeah, if you prefer that syntax.

you can also use key satisfies never

As my skills get better 🙂

if you're just practicing/learning, you should probably disable security altogether

that's for application/production level stuff

ts itself and eslint & ts-eslint will be fine

Honestly... wouldn't turn this one on even for production

My humble view, is behind a VPN, Azure and OAuth 2.0 and running in a container with no external access, I think they are pretty safe

it's not for that aspect

oh wait you're the guy that asked about detect-unsafe-regex too!

Indeed

Perhaps you can see my world!

@lone oxide check out #1259756019928793191 message lol. a linear regex being flagged

They should make a song

just disable security lmao. it's just slowing your progress with unimportant warnings

Can't have security issues if you can't write code at all.

They problem is a bigger one. I have no reverant power as I am new to typescript. And they just hear, security, turn off with literally no knowledge of IT at all.

this is even in their readme

This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
emphasis mine

it flags equality operators jesus

and dynamic imports???

I will give it some blarney and hope

I think you would need to be quite advanced to provide feedback about rules to discard them. Most are obvious and make sense

you'd need to be quite advanced to justify/reason with these rules tbh

Thanks, slowly feeling better 🙂

like i said before, these rules are really paranoid. and they're mostly for guarding against malicious user input or source manipulation, which tbh for the latter you have bigger problems

your original code for types and access was fine tbh. the different types proposed aren't better, they're just for different situations.

Thanks again will disable with comment.