@sap/cds-compiler 6.4.2 → 6.5.0

package/lib/api/options.js

@@ -1,5 +1,9 @@
 'use strict';
 
+// The options are specified in ../optionProcessor.js (and some other files).
+// Some backends feel the need to "translate" option, which require to list
+// all options also here (as “public" or "private" option).
+
 const { validate, generateStringValidator } = require('./validate');
 const { makeMessageFunction } = require('../base/messages');
 
@@ -20,6 +24,7 @@ const publicOptionsNewAPI = [
   'defaultBinaryLength',
   'defaultStringLength',
   'csnFlavor',
+  'noDollarCalc',
   // DB
   'sqlDialect',
   'sqlMapping',

package/lib/api/validate.js

@@ -1,5 +1,8 @@
 'use strict';
 
+// The options are specified in ../optionProcessor.js (and some other files).
+// Options with non-boolean values must also be listed in this file.
+
 const { forEach } = require('../utils/objectUtils');
 
 /* eslint-disable arrow-body-style */

package/lib/base/message-registry.js

@@ -92,9 +92,16 @@ const centralMessages = {
   'ext-undefined-action':  { severity: 'Warning' },
   'ext-undefined-art':     { severity: 'Warning' }, // for annotate statement (for CDL path root)
   'ext-undefined-def':     { severity: 'Warning' }, // for annotate statement (for CSN or CDL path cont)
+  'ext-undefined-art-sec': { severity: 'Error', configurableFor: true }, // for security-relevant…
+  'ext-undefined-def-sec': { severity: 'Error', configurableFor: true }, // … annotate statement
   'ext-undefined-element': { severity: 'Warning' },
   'ext-undefined-key':     { severity: 'Warning' },
   'ext-undefined-param':   { severity: 'Warning' },
+  'ext-undefined-element-sec': { severity: 'Error', configurableFor: true }, // for security-relevant…
+  'ext-undefined-action-sec': { severity: 'Error', configurableFor: true }, // for security-relevant…
+  'ext-undefined-param-sec': { severity: 'Error', configurableFor: true }, // … annotate statement
+  'ext-unexpected-returns': { severity: 'Warning' },
+  'ext-unexpected-returns-sec': { severity: 'Error', configurableFor: true }, // … annotate statement
   'anno-unexpected-ellipsis': { severity: 'Error', configurableFor: 'deprecated' },
   'anno-unexpected-localized-skip': { severity: 'Error', configurableFor: true },
 
@@ -707,8 +714,8 @@ const centralMessageTexts = {
     on: 'Unexpected $(ID) reference; is valid only if compared to be equal to an association of the target side',
     subQuery: 'Unexpected $(ID) reference in a sub query',
     setQuery: 'Unexpected $(ID) reference in a query on the right side of $(OP)',
-    exists: 'With $(NAME), path steps must not start with $(ID)',
-    'exists-filter': 'Unexpected $(ID) reference in filter of path $(ELEMREF) following “EXISTS” predicate',
+    exists: 'Paths following $(NAME) must not start with $(ID)',
+    'exists-filter': 'Unexpected $(ID) reference in filter of assoc $(ELEMREF) following “EXISTS” predicate',
   },
   'ref-unexpected-map': {
     std: 'Unexpected reference to an element of type $(TYPE)', // unused
@@ -948,6 +955,8 @@ const centralMessageTexts = {
   'anno-builtin': 'Builtin types should not be annotated nor extended. Use custom type instead',
   'ext-undefined-def': 'Artifact $(ART) has not been found',
   'ext-undefined-art': 'No artifact has been found with name $(ART)',
+  'ext-undefined-def-sec': 'Artifact $(ART) has not been found',
+  'ext-undefined-art-sec': 'No artifact has been found with name $(ART)',
   'ext-undefined-element': {
     std: 'Element $(NAME) has not been found',
     element: 'Artifact $(ART) has no element $(NAME)',
@@ -955,15 +964,24 @@ const centralMessageTexts = {
     returns: 'Return value of $(ART) has no element $(NAME)',
     'enum-returns': 'Return value of $(ART) has no enum $(NAME)',
   },
+  'ext-undefined-element-sec': 'Element $(NAME) has not been found',
   'ext-undefined-key': 'Foreign key $(NAME) has not been found',
   'ext-undefined-action': {
     std: 'Action $(ART) has not been found',
     action: 'Artifact $(ART) has no action $(NAME)',
   },
+  'ext-undefined-action-sec': {
+    std: 'Action $(ART) has not been found',
+    action: 'Artifact $(ART) has no action $(NAME)',
+  },
   'ext-undefined-param': {
     std: 'Parameter $(ART) has not been found',
     param: 'Artifact $(ART) has no parameter $(NAME)',
   },
+  'ext-undefined-param-sec': {
+    std: 'Parameter $(ART) has not been found',
+    param: 'Artifact $(ART) has no parameter $(NAME)',
+  },
 
   // annotation checks against their definition
   'anno-expecting-value': {
@@ -1157,6 +1175,11 @@ const centralMessageTexts = {
     redirected: 'Target $(TARGET) of $(NAME) is missing element $(ID); add an ON-condition to $(KEYWORD)',
   },
   'query-unexpected-assoc-hdbcds': 'Publishing a managed association in a view is not possible for “hdbcds” naming mode',    // eslint-disable-line cds-compiler/message-no-quotes
+  'query-unexpected-exists': {
+    std: 'Unexpected $(PROP) predicate',
+    groupBy: 'Unexpected $(PROP) predicate in GROUP BY clause',
+    orderBy: 'Unexpected $(PROP) predicate in ORDER BY clause',
+  },
   'query-unexpected-structure-hdbcds': 'Publishing a structured element in a view is not possible for “hdbcds” naming mode', // eslint-disable-line cds-compiler/message-no-quotes
   'query-ignoring-param-nullability': {
     std: 'Ignoring nullability constraint on parameter when generating SAP HANA CDS view',

package/lib/base/messages.js

@@ -1724,7 +1724,7 @@ function constructSemanticLocationFromCsnPath( model, options, csnPath ) {
     else if (step === 'targetAspect') {
       // skip
     }
-    else if (step === 'xpr' || step === 'list' || step === 'default' || step === 'ref' || step === 'as' || step === 'value') {
+    else if (step === 'xpr' || step === 'list' || step === 'default' || step === 'ref' || step === 'as' || step === 'value' || step === '$calc') {
       break; // don't go into xprs, refs, aliases, values, etc.
     }
     else if (step === 'returns') {

package/lib/base/model.js

@@ -7,6 +7,9 @@
 
 const { forEach } = require('../utils/objectUtils');
 
+// Normal options are in ../optionProcessor.js (and some other files),
+// unfortunately partly non-grep-able (option `fooBar` is defined via `--foo-bar`)
+
 /**
  * Object of all available beta flags that will be enabled/disabled by `--beta-mode`
  * through cdsc.  Only intended for INTERNAL USE.
@@ -29,8 +32,6 @@ const availableBetaFlags = {
   rewriteAnnotationExpressionsViaType: true,
   sqlServiceDummies: true,
   projectionViews: true,
-  draftAdminDataHiddenFilter: true,
-  $calcForDraft: true,
   // disabled by --beta-mode
   nestedServices: false,
 };

package/lib/checks/actionsFunctions.js

@@ -25,8 +25,9 @@ function checkActionOrFunction( art, artName, prop, path ) {
     for (const [ actName, act ] of Object.entries(art.actions)) {
       if (act.params) {
         checkExplicitBindingParameter.call(this, act.params, path.concat([ 'actions', actName, 'params' ]));
-        for (const [ paramName, param ] of Object.entries(act.params))
-          checkActionOrFunctionParameter.call(this, param, path.concat([ 'actions', actName, 'params', paramName ]), act.kind);
+        const params = Object.entries(act.params);
+        for (const [ paramName, param ] of params)
+          checkActionOrFunctionParameter.call(this, param, path.concat([ 'actions', actName, 'params', paramName ]), act.kind, params);
       }
       if (act.returns)
         checkReturns.bind(this)(act.returns, path.concat([ 'actions', actName, 'returns' ]), act.kind);
@@ -63,7 +64,9 @@ function checkActionOrFunction( art, artName, prop, path ) {
    * @param {CSN.Path} currPath path to the parameter
    * @param {string} actKind 'action' or 'function'
    */
-  function checkActionOrFunctionParameter( param, currPath, actKind ) {
+  function checkActionOrFunctionParameter( param, currPath, actKind, params ) {
+    if ((param.items || param)?.type === '$self' && param === params?.[0][1])
+      return;                   // binding parameter
     const paramType = param.type ? this.csnUtils.getFinalTypeInfo(param.type) : param;
     if (!paramType)
       return; // no type could be resolved

package/lib/checks/existsExpressionsOnlyForeignKeys.js

@@ -3,39 +3,45 @@
 const { requireForeignKeyAccess } = require('../checks/onConditions');
 
 /**
- * Check that associations in filters (in an exists expression) are only fk-accesses. Everything else is forbidden.
+ * Filter expressions in an exists path must:
+ * - only contain fk-accesses for assocs. Unmanaged traversal / non-fk access is forbidden.
+ * - not contain a ref starting with $self
  *
  * @param {CSN.Artifact} parent
  * @param {string} name
  * @param {Array} expr
  */
-function forbidAssocInExists( parent, name, expr ) {
+function assertFilterOfExists( parent, name, expr ) {
   for (let i = 0; i < expr.length - 1; i++) {
     if (expr[i] === 'exists' && expr[i + 1].ref) {
       i++;
       const current = expr[i];
 
-      const { _links } = expr[i];
+      const { _links } = current;
 
       const assocs = _links.filter(link => link.art?.target).map(link => current.ref[link.idx]);
 
-      checkForInvalidAssoc.call(this, assocs);
+      ensureValidFilters.call(this, assocs);
     }
   }
 }
 
 /**
- * Check that associations in filters (in an exists expression) are only fk-accesses. Everything else is forbidden.
+ * Reject:
+ * - Unmanaged traversal / non-fk access.
+ * - ref's starting with $self
  *
  * @param {object[]} assocs Array of refs of assocs - possibly with a .where to check
  */
-function checkForInvalidAssoc( assocs ) {
+function ensureValidFilters( assocs ) {
   for (const assoc of assocs) {
     if (assoc.where) {
       for (let i = 0; i < assoc.where.length; i++) {
         const part = assoc.where[i];
 
         if (part._links && !(assoc.where[i - 1] && assoc.where[i - 1] === 'exists')) {
+          if (part.$scope === '$self')
+            this.error('ref-unexpected-self', part.$path, { '#': 'exists-filter', elemref: assoc.id, id: part.ref[0] });
           for (const link of part._links) {
             if (link.art && link.art.target) {
               if (link.art.keys) { // managed - allow FK access
@@ -55,7 +61,7 @@ function checkForInvalidAssoc( assocs ) {
               }
               // Recursively drill down if the assoc-step has a filter
               if (part.ref[link.idx].where)
-                checkForInvalidAssoc.call(this, [ part.ref[link.idx] ]);
+                ensureValidFilters.call(this, [ part.ref[link.idx] ]);
             }
           }
         }
@@ -65,7 +71,7 @@ function checkForInvalidAssoc( assocs ) {
 }
 
 module.exports = {
-  having: forbidAssocInExists,
-  where: forbidAssocInExists,
-  xpr: forbidAssocInExists,
+  having: assertFilterOfExists,
+  where: assertFilterOfExists,
+  xpr: assertFilterOfExists,
 };

package/lib/checks/existsInForbiddenPlaces.js

@@ -0,0 +1,32 @@
+'use strict';
+
+const { applyTransformationsOnNonDictionary } = require('../model/csnUtils');
+
+/**
+ * Checks a query for forbidden usage of the `exists` predicate within `groupBy` and `orderBy`.
+ *
+ * @param {object} query
+ * @param {string} prop - either groupBy or orderBy.
+ * @param {object[]} _tokenStream the value of query[prop]
+ * @param {object|Array} pathToClause - Path to respective groupBy/orderBy clause in the CSN.
+ * @this {object} The calling context must provide an `error` function.
+ */
+function existsInForbiddenPlaces( query, prop, _tokenStream, pathToClause ) {
+  applyTransformationsOnNonDictionary(query, prop, {
+    ref: (_parent, _prop, _ref, pathToError, tokenStream, index) => {
+      if (tokenStream[index - 1] === 'exists') {
+        // the path should point to the exists
+        const pathToExists = pathToError.with(-1, index - 1);
+        this.error('query-unexpected-exists', pathToExists, {
+          '#': prop,
+          prop: 'exists',
+        });
+      }
+    },
+  }, null, pathToClause);
+}
+
+module.exports = {
+  groupBy: existsInForbiddenPlaces,
+  orderBy: existsInForbiddenPlaces,
+};

package/lib/checks/existsMustEndInAssoc.js

@@ -13,8 +13,8 @@ function existsMustEndInAssoc( parent, prop, expression, path ) {
     if (expression[i] === 'exists') {
       const next = expression[i + 1];
       const { _art } = next;
-      const errorPath = path.concat([ prop, i ]);
       if (!next.SELECT && !_art?.target) {
+        const errorPath = path.concat([ prop, i ]);
         this.error('ref-expecting-assoc', errorPath, {
           '#': _art.type ? 'with-type' : 'std',
           elemref: next,

package/lib/checks/existsMustNotStartWithDollarSelf.js

@@ -0,0 +1,31 @@
+'use strict';
+
+/**
+ * A path following an “exists” predicate must always end in an association.
+ *
+ * @param {object} parent
+ * @param {string} prop
+ * @param {Array} expression
+ * @param {CSN.Path} path
+ */
+function existsMustNotStartWithDollarSelf( parent, prop, expression, path ) {
+  for (let i = 0; i < expression?.length - 1; i++) {
+    if (expression[i] === 'exists') {
+      const next = expression[i + 1];
+      if (next.$scope === '$self') {
+        const errorPath = path.concat([ prop, i ]);
+        this.error('ref-unexpected-self', errorPath, {
+          '#': 'exists',
+          id: next.ref[0],
+          name: 'exists',
+        });
+      }
+    }
+  }
+}
+
+module.exports = {
+  having: existsMustNotStartWithDollarSelf,
+  where: existsMustNotStartWithDollarSelf,
+  xpr: existsMustNotStartWithDollarSelf,
+};

package/lib/checks/validator.js

@@ -43,7 +43,9 @@ const { validateAssociationsInItems } = require('./arrayOfs');
 const checkQueryForNoDBArtifacts = require('./queryNoDbArtifacts');
 const checkExplicitlyNullableKeys = require('./nullableKeys');
 const existsMustEndInAssoc = require('./existsMustEndInAssoc');
-const forbidAssocInExists = require('./existsExpressionsOnlyForeignKeys');
+const existsMustNotStartWithDollarSelf = require('./existsMustNotStartWithDollarSelf');
+const existsInForbiddenPlaces = require('./existsInForbiddenPlaces');
+const assertFilterOfExists = require('./existsExpressionsOnlyForeignKeys');
 const checkPathsInStoredCalcElement = require('./checkPathsInStoredCalcElement');
 const managedWithoutKeys = require('./managedWithoutKeys');
 const {
@@ -84,8 +86,10 @@ const forRelationalDBArtifactValidators = [
 
 const forRelationalDBCsnValidators = [
   checkCdsMap,
+  existsInForbiddenPlaces,
   existsMustEndInAssoc,
-  forbidAssocInExists,
+  existsMustNotStartWithDollarSelf,
+  assertFilterOfExists,
   navigationIntoMany,
   checkPathsInStoredCalcElement,
   featureFlags,

package/lib/compiler/assert-consistency.js

@@ -207,7 +207,7 @@ function assertConsistency( model, stage ) {
             'elements', '$autoElement', '$uncheckedElements', '_origin', '_extensions',
             '$requireElementAccess', '_effectiveType', '$effectiveSeqNo', '_deps',
             '$calcDepElement', '$filtered', '$enclosed', '_parent',
-            'deprecated', '$onlyInExprCtx',
+            'deprecated', '$restricted',
           ],
           schema: {
             kind: { test: isString, enum: [ 'builtin' ] },
@@ -216,7 +216,7 @@ function assertConsistency( model, stage ) {
             $uncheckedElements: { test: isBoolean },
             $requireElementAccess: { test: isBoolean },
             deprecated: { test: isBoolean },
-            $onlyInExprCtx: { test: TODO },
+            $restricted: { test: TODO },
             // missing location for normal "elements"
             elements: { test: TODO },
           },
@@ -316,7 +316,7 @@ function assertConsistency( model, stage ) {
         requires: [ 'location', 'path' ],
         optional: [
           'kind', 'name', '$syntax', '_block', '_parent', '_main',
-          'elements', '_origin', '_joinParent', '$joinArgsIndex', '$syntax',
+          'elements', '_origin', '_joinParent', '$joinArgsIndex',
           '$parens', '_status', // TODO: only in from
           'scope', '_artifact', '_originalArtifact', '$inferred', 'kind',
           '_effectiveType', '$effectiveSeqNo',         // TODO:check this
@@ -449,7 +449,7 @@ function assertConsistency( model, stage ) {
         requires: [ 'location', 'path' ],
         optional: [
           'scope', 'variant', '_artifact', '_originalArtifact',
-          '$inferred', '$parens', 'sort', 'nulls',
+          '$inferred', '$parens', 'sort', 'nulls', '$syntax',
         ],
       },
       none: { optional: () => true }, // parse error
@@ -507,7 +507,7 @@ function assertConsistency( model, stage ) {
     args: {
       inherits: 'value',
       optional: [
-        'name', '$duplicate', '$expected', 'args', 'suffix', '$parens',
+        'name', '$duplicate', 'args', 'suffix', '$parens',
         'param', 'scope', // for dynamic parameter '?'
       ],
       test: args,
@@ -724,7 +724,6 @@ function assertConsistency( model, stage ) {
         'localized-entity', // `.texts` entity
         'localized-origin', // `.texts` entity
         'nav', // only used for MASKED, TODO(v6): Remove
-        'none', // only used in ensureColumnName(): Used in object representing empty alias
         'query', // inferred query properties, e.g. `key`
         'rewrite', // on-conditions or FKeys are rewritten
         'parent-origin', // annotation/property copied from parent that does not come through
@@ -747,7 +746,6 @@ function assertConsistency( model, stage ) {
     $withLocalized: { test: isBoolean },
     $sources: { parser: true, test: isArray( isString ) },
     tokenStream: { parser: true, test: TODO },
-    $expected: { parser: true, test: isOneOf( [ 'approved-exists', 'exists' ] ) },
     $messageFunctions: { test: TODO },
     $functions: { test: TODO },
     $assert: { test: TODO },    // currently just for missing Error[ref-cycle]

package/lib/compiler/builtins.js

@@ -211,8 +211,7 @@ const magicVariables = {
     },
     // Require that elements are accessed, i.e. no $draft, only $draft.<element>.
     $requireElementAccess: true,
-    // See reference semantics in shared.js
-    $onlyInExprCtx: [ 'annotation', 'annoRewrite' ],
+    $restricted: true,          // only in annotation expression, see shared.js
   },
 };
 
@@ -454,8 +453,8 @@ function initBuiltins( model ) {
         art.$requireElementAccess = magic.$requireElementAccess;
       if (magic.deprecated)
         art.deprecated = magic.deprecated;
-      if (magic.$onlyInExprCtx)
-        art.$onlyInExprCtx = magic.$onlyInExprCtx;
+      if (magic.$restricted)
+        art.$restricted = magic.$restricted;
 
       createMagicElements( art, magic.elements );
       if (options.variableReplacements?.[id])
@@ -480,8 +479,8 @@ function initBuiltins( model ) {
       // Propagate this property so that it is available for sub-elements.
       if (art.$uncheckedElements)
         magic.$uncheckedElements = art.$uncheckedElements;
-      if (art.$onlyInExprCtx)
-        magic.$onlyInExprCtx = art.$onlyInExprCtx;
+      if (art.$restricted)
+        magic.$restricted = art.$restricted;
       setProp( magic, '_parent', art );
       // setProp( magic, '_effectiveType', magic );
       if (elements[id] && typeof elements[id] === 'object')

package/lib/compiler/checks.js

@@ -941,14 +941,8 @@ function check( model ) {
    */
   function checkExpressionIsNotAssocOrSelf( arg, user, rejectAssocTail ) {
     // Arg must not be an association and not $self
-    // Only if path is not approved exists path (that is non-query position)
-    if (arg.path && arg.$expected !== undefined) { // not 'approved-exists'
-      if (arg.$expected === 'exists') {
-        const variant = isComposition( model, arg._artifact ) ? 'expr-comp' : 'expr';
-        error( 'ref-unexpected-assoc', [ arg.location, user ], { '#': variant } );
-      }
-    }
-    else if (rejectAssocTail && isAssociationOperand( arg )) {
+    // Only if path is not after an `exists`
+    if (arg.$syntax !== 'after-exists' && rejectAssocTail && isAssociationOperand( arg )) {
       if (rejectAssocTail.rejectManaged && rejectAssocTail.rejectUnmanaged ||
           rejectAssocTail.rejectManaged && arg._artifact.keys ||
           rejectAssocTail.rejectUnmanaged && arg._artifact.on) {
@@ -956,6 +950,8 @@ function check( model ) {
         const context = rejectAssocTail.context === 'query' && 'query-' ||
           rejectAssocTail.context === 'anno' && 'anno-' ||
           '';
+        // Hm, in other message context about associations or compositions, we do
+        // not have separate text variants for association or composition…
         const variant = isComposition( model, arg._artifact ) ? 'expr-comp' : 'expr';
         error( 'ref-unexpected-assoc', [ arg.location, user ], { '#': `${ context }${ variant }` } );
       }