evasive-transform: evade hashbangs #2736

Open
boneskull opened this issue Mar 7, 2025 · 3 comments
Labels
enhancement New feature or request

boneskull commented Mar 7, 2025

Node.js has a carve-out for hashbangs/shebangs at the top of an executable file. This is not valid JS syntax, and as such, SES does not approve.

In @lavamoat/node I had to evade this, but it may be applicable to @endo/evasive-transform at some point.

Example transform (naive):

/**
 * Hashbangs seem to offend SES.
 *
 * @param {string} source
 * @returns {string}
 */
const decapitateHashbang = (source) => {
  // careful with the source map
  return source.replace(/^#!(.+?)(?=\r?\n)/, '// $1')
}

This replaces the #! with //, essentially. It could be rewritten without a RegExp, assuming that hashbangs must always be #!/path/to/some/executable [args] at position 0 in a file. I don't know if that's true, so, either I will need to do my own research or someone can drop science here. I don't know if [args] is actually just [arg], either.

I do know that Node.js will allow hashbangs in files that are not the "main" module; you can require() such a file.

mhofman commented Mar 8, 2025

> This is not valid JS syntax, and as such, SES does not approve.

Actually this is now allowed JS syntax, and considered to be a comment: https://github.com/tc39/proposal-hashbang when at the start of a script or module file.

As such it should be allowed in eval as well, but not in new Function

@boneskull

I thought I recalled something like that! Does this mean, then, that we just need to add support for it in ses or module-source or..?

mhofman commented Mar 11, 2025

I think it makes more sense to do an evasive transform like you have, transforming from #! to // in the limited cases where allowed (which I believe is beginning of source text). I would like to avoid different evaluators for Function and eval, which we'd otherwise require if we were to allow it in SES itself.

@erights @kriskowal thoughts?
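
The transform discussed in this thread, as an added example that is not part of the issue or of the Endo or LavaMoat code: a RegExp-free version that swaps only the two characters at index 0, compared against the issue's naive version on line endings and source-position shift. The names evadeHashbang and parsesAsFunctionBody and the sample sources are constructed for illustration, and the plain Function constructor is assumed as a stand-in for an evaluator that rejects hashbangs.

```javascript
// Added example; evadeHashbang and parsesAsFunctionBody are hypothetical names.

// The issue's naive transform, reproduced for comparison.
const decapitateHashbang = (source) =>
  source.replace(/^#!(.+?)(?=\r?\n)/, '// $1');

// Rewrite a hashbang at index 0 as a "//" comment. Both markers are two code
// units, so length and line/column positions are preserved for source maps.
// Both comment forms end at the next LineTerminator or end of input, so the
// rest of the line needs no scanning.
const evadeHashbang = (source) =>
  source.startsWith('#!') ? `//${source.slice(2)}` : source;

// Assumption: the plain Function constructor stands in for an evaluator that
// parses source as a function body, where "#!" is a syntax error.
const parsesAsFunctionBody = (source) => {
  try {
    new Function(source);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
};

// Constructed samples: LF, CRLF, no trailing newline, bare "#!".
const samples = [
  '#!/usr/bin/env node\nreturn 42',
  '#!/usr/bin/env node --no-warnings\r\nreturn 42',
  '#!/usr/bin/env node',
  '#!\nreturn 42',
];

// For each sample: does the output parse, and by how many code units did
// the transform shift the source?
const compare = () =>
  samples.map((source) => {
    const naive = decapitateHashbang(source);
    const evaded = evadeHashbang(source);
    return {
      naiveParses: parsesAsFunctionBody(naive),
      naiveShift: naive.length - source.length,
      evadedParses: parsesAsFunctionBody(evaded),
      evadedShift: evaded.length - source.length,
    };
  });

console.log(compare());
```

The naive version shifts the first line by one column when it matches and leaves the hashbang in place when the file has no newline after it or the hashbang line is empty.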
