- cross-posted to:
- [email protected]
cross-posted from: https://lemmy.bestiver.se/post/919467
I’m not even sure whether there’s a defense against this when trying to limit the user to a subset of JavaScript. It feels like you need to write a compiler or interpreter that doesn’t know anything outside of that subset otherwise you can break out of the language sandbox.
This article reads like AI and lacks coherence in crucial parts of the attempted “explanation”, specifically:
TypeScript compiler checks the code: ✓ Types match (at compile-time)
Sanitizer logic: Skips execution (wrong type)
But why? Why does it “skip” when there’s logic there? That doesn’t make sense.
If someone passes an object with a length property, this works. If they pass an array, it works.
This later example explains how it can work for some logic. But it doesn’t correlate to the actual exploitation or code in question.
Seems like TypeScript could be generating JavaScript code that does these type checks on function entry - with a runtime cost of course.
Is there no such setting, general or conditional toggle on functions or types?
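An added example, not taken from this thread or the linked article: TypeScript erases its types when it compiles, so the emitted JavaScript runs whatever value actually arrives. The sketch shows one way a sanitizer can "skip" on a wrong runtime type, next to a version that checks the shape on function entry; every name and input here is constructed for illustration.

```typescript
// Added illustration; all names and inputs are constructed for this example.
interface CommentInput { body: string } // exists only at compile time

const escapeHtml = (s: string): string =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Weak: relies on the declared type. The typeof branch is the only runtime
// check, and a non-string body skips it and is interpolated unescaped.
function renderWeak(c: CommentInput): string {
  let body = c.body;
  if (typeof body === "string") body = escapeHtml(body);
  return `<p>${body}</p>`;
}

// Hardened: treat parsed input as unknown and verify its shape on entry.
function assertCommentInput(v: unknown): asserts v is CommentInput {
  if (typeof v !== "object" || v === null ||
      typeof (v as { body?: unknown }).body !== "string") {
    throw new TypeError("body must be a string");
  }
}

function renderStrict(input: unknown): string {
  assertCommentInput(input);
  return `<p>${escapeHtml(input.body)}</p>`;
}

// JSON.parse returns `any`, so both renderers type-check whatever the payload holds.
function tryRender(render: (x: any) => string, json: string): string {
  try { return render(JSON.parse(json)); }
  catch (e) { return `rejected: ${(e as Error).message}`; }
}

const asString = '{"body":"<b>hi</b>"}';   // matches the interface
const asArray = '{"body":["<b>hi</b>"]}';  // array where a string is declared
for (const json of [asString, asArray]) {
  console.log("weak:  ", tryRender(renderWeak, json));
  console.log("strict:", tryRender(renderStrict, json));
}
```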




