Closed
Labels: P2 (a bug or feature request we're likely to work on), customer-google3, devexp-warning (issues with the analyzer's Warning codes), legacy-area-analyzer (use area-devexp instead), type-enhancement (a request for a change that isn't a bug)
Description
Add a lint for dart parameters that allows the analyzer to check if parameters are const.
Sample Use cases
When parameters are compile-time constants, it provides the guarantee that the parameters cannot be user supplied. This affects the overall security of our applications, and reduces the need for security and privacy reviews when code can be formally verified to be safe. This leads to the following use cases:
Designing an API for SQL methods that is guaranteed against SQL injection

```dart
/// Any call to this method cannot suffer from SQL injection, since param1 and
/// param2 must be const. If the strings are interpolated strings, the
/// parameters in the interpolated strings should be const as well.
void makeDbCall(@mustBeConst String param1, @mustBeConst String param2) {
  // Interpolation uses the declared parameter names (Dart identifiers are
  // case-sensitive, so `$PARAM1` would not refer to `param1`).
  db.query("FROM DBLICIOUS SELECT $param1, $param2");
}
```
Logging libraries can ensure that there is no PII in log messages from prod

```dart
/// Any call to this method guarantees that there is no PII since const
/// parameters cannot be user generated.
void logInfoNoPii(
  @mustBeConst String logMessage,
  @mustBeConst DartObject object,
  @mustBeConst Error error,
) {
  logger.info(...);
}
```
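The two use cases above rely on the same guarantee, so here is one worked Dart example that covers both. It is an added example, not code from the issue or from the Dart SDK: the `@mustBeConst` annotation is only proposed on this page, so a local stand-in named `mustBeConst` is declared so the file compiles today, and `Db`, `RecordingDb`, `findUsers` and `logInfoNoPii` are hypothetical names chosen for the illustration. The comments mark which call sites the requested lint would accept and which it would report.

```dart
// Added example (not from the issue). Assumes an annotation of the kind the
// issue proposes; the stand-in below is hypothetical, not package:meta's.
class _MustBeConst {
  const _MustBeConst();
}

/// Stand-in for the proposed `@mustBeConst` annotation (hypothetical).
const mustBeConst = _MustBeConst();

/// Hypothetical minimal database client: the SQL text and the bound values
/// are passed separately, so the driver never sees user data inside the SQL.
abstract class Db {
  Future<List<Map<String, Object?>>> query(String sql, List<Object?> args);
}

/// In-memory stand-in that only records what it was asked to run.
class RecordingDb implements Db {
  final List<String> executed = [];

  @override
  Future<List<Map<String, Object?>>> query(
      String sql, List<Object?> args) async {
    executed.add('$sql  args=$args');
    return const [];
  }
}

/// Because [whereClause] must be a compile-time constant, the shape of the
/// SQL is fixed by the developer; anything user-controlled goes through [args].
Future<List<Map<String, Object?>>> findUsers(
  Db db,
  @mustBeConst String whereClause,
  List<Object?> args,
) {
  return db.query('SELECT id, name FROM users WHERE $whereClause', args);
}

/// Only constant text can reach the log line, so no runtime value (and
/// therefore no PII) can end up in it through this entry point.
void logInfoNoPii(@mustBeConst String message) {
  print('[info] $message');
}

Future<void> main() async {
  final db = RecordingDb();
  final untrustedName = "O'Brien"; // constructed stand-in for user input

  // Accepted by the lint: the annotated argument is a constant literal and the
  // untrusted value is bound as a parameter, not interpolated into the SQL.
  await findUsers(db, 'name = ?', [untrustedName]);
  logInfoNoPii('user lookup finished');

  // Reported by the lint: the annotated argument is built from runtime data,
  // which is exactly what the const requirement is meant to rule out.
  await findUsers(db, "name = '$untrustedName'", const []);
  logInfoNoPii('looked up $untrustedName');

  for (final entry in db.executed) {
    print(entry);
  }
}
```

The point of the example is that the guarantee is structural: once the analyzer enforces constness at the annotated position, a reviewer no longer has to trace every caller to confirm that the SQL text or the log message is developer-written, because any non-constant argument is a compile-time diagnostic rather than a runtime risk.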
Dart SDK Version (`dart --version`): google's internal version
Internal link: b/190345386
jellynoone