Lucky should ignore memoized variables in serialized JSON

[jwoertink]

If you have an object that includes JSON::Serializable, and that object also uses memoize in there, Lucky will create an instance variable for that memorized method:

lucky/src/lucky/memoizable.cr

Line 43 in ab0db6a

@__memoized_{{safe_method_name}} : Tuple(

Serializable takes all instances variables and adds them to the whole JSON document. You can sort of see an example here:

require "json"

module Memoizable
  @__memoized_value : String?

  macro memoize(method_def)
    def {{ method_def.name }}
      @__memoized_value ||= {{ method_def.body }}
    end
  end
end


class Server
  include JSON::Serializable
  include Memoizable

  property host : String

  memoize def foo
    "hello"
  end
end

server = Server.from_json(%({"host": "localhost"}))
server.foo
puts server.to_json

Notice that when the server is printed out, the json also includes the memoized value. This is almost certainly unintended data being shipped over.

However, there may come a time where you actually do want to send that value... In that case, we need to make sure to allow for the opt-in

@[JSON::Field]
memoize def foo
  "hello"
end

[jwoertink]

One thing I just thought of... We can easily consider JSON since it's already included in the framework anyway... but what about YAML? That's also included in the framework, so I assume YAML::Serializable works the same... but are there others? What about DB::Serializable? We can't guarantee you're using that, and it may suffer from the same issue. That would have to be one where you manually set an ignore; however, if you ignore it, how do we know to apply to the instance variable, and not the method?

🤔