@prisma-next/emitter 0.3.0-dev.147 → 0.3.0-dev.149
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
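--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@prisma-next/emitter",
-"version": "0.3.0-dev.
+"version": "0.3.0-dev.149",
 "type": "module",
 "sideEffects": false,
 "files": [
@@ -11,18 +11,18 @@
 "dependencies": {
 "arktype": "^2.0.0",
 "prettier": "^3.3.3",
-"@prisma-next/framework-components": "0.3.0-dev.
-"@prisma-next/utils": "0.3.0-dev.
-"@prisma-next/
-"@prisma-next/
+"@prisma-next/framework-components": "0.3.0-dev.149",
+"@prisma-next/utils": "0.3.0-dev.149",
+"@prisma-next/contract": "0.3.0-dev.149",
+"@prisma-next/operations": "0.3.0-dev.149"
 },
 "devDependencies": {
 "@types/node": "24.10.4",
 "tsdown": "0.18.4",
 "typescript": "5.9.3",
 "vitest": "4.0.17",
-"@prisma-next/test-utils": "0.0.1",
 "@prisma-next/tsconfig": "0.0.0",
+"@prisma-next/test-utils": "0.0.1",
 "@prisma-next/tsdown": "0.0.0"
 },
 "exports": {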
@@ -74,6 +74,40 @@ describe('serializeValue', () => {
74
74
it('returns unknown for unsupported types', () => {
75
75
expect(serializeValue(Symbol('test'))).toBe('unknown');
76
76
});
77
+
78
+
describe('injection safety', () => {
79
+
// Lock the escape behavior so attacker-controlled (or merely weird) strings
80
+
// in a schema.prisma cannot break out of the emitted single-quoted literal
81
+
// and inject arbitrary TypeScript into contract.d.ts.
82
+
83
+
it('escapes a string attempting to terminate the literal', () => {
84
+
const injected = "x'; export let foo = 'bar";
85
+
const serialized = serializeValue(injected);
86
+
expect(serialized).toBe("'x\\'; export let foo = \\'bar'");
87
+
// The serialized form is a single valid string literal: exactly two
88
+
// outer single quotes, and every inner single quote is backslash-escaped.
89
+
expect(serialized.match(/(?<!\\)'/g)?.length).toBe(2);
90
+
});
91
+
92
+
it('escapes backslash-terminated strings (no lookahead break-out)', () => {
93
+
expect(serializeValue('ends with \\')).toBe("'ends with \\\\'");
94
+
expect(serializeValue('double\\\\back')).toBe("'double\\\\\\\\back'");
95
+
});
96
+
97
+
it('passes through control characters and line separators as raw bytes', () => {
98
+
// U+2028/U+2029 are JavaScript line terminators in legacy parsers.
99
+
// The current emitter does not escape them but they cannot break the
100
+
// single-quoted literal since they are not \' or \\. Pin the behavior.
101
+
expect(serializeValue('a\u2028b')).toBe("'a\u2028b'");
102
+
expect(serializeValue('a\u2029b')).toBe("'a\u2029b'");
103
+
expect(serializeValue('a\nb')).toBe("'a\nb'");
104
+
});
105
+
106
+
it('quotes object keys that look like identifier bypass attempts', () => {
107
+
expect(serializeObjectKey("k'; injected: 'v")).toBe("'k\\'; injected: \\'v'");
108
+
expect(serializeObjectKey('')).toBe("''");
109
+
});
110
+
});
77
111
});
78
112
79
113
describe('serializeObjectKey', () => {
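Review bot: The expectation at hunk line 103, `expect(serializeValue('a\nb')).toBe("'a\nb'");`, pins an output with a raw line feed between the single quotes, which is not a valid TypeScript string literal (an unterminated-literal parse error in the emitted contract.d.ts, not a harmless pass-through), and the comment at lines 98–100 that such characters "cannot break the single-quoted literal" holds for U+2028/U+2029 only under ES2019-or-newer parsers. Rather than locking this in, the test should assert that line terminators are escaped, e.g. `expect(serializeValue('a\nb')).toBe("'a\\nb'");` and `"'a\\u2028b'"` for the separator cases, with the title changed to `'escapes control characters and line separators'`; serializeValue itself is outside this hunk, so its escaping (apparently only `'` and `\`, judging by the expectations at lines 86 and 93) would need the matching change. Escaping `'` and `\` does stop literal break-out, so the injection test at lines 83–90 stands on its own, but also escaping `\n`, `\r`, U+2028 and U+2029 closes the parse-error class. The enclosing `describe('serializeValue'` block opens before this hunk.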