@sap/cds 5.9.2 → 5.9.5

package/CHANGELOG.md

@@ -4,6 +4,50 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+## Version 5.9.5 - 2022-05-09
+
+### Fixed
+
+- `HDB_TCP_KEEP_ALIVE_IDLE` config
+- A combination of `!=` operator and `or` in `where` clauses of `@restrict` annotations or when adjusting `req.query` in custom handlers (OData services only)
+- Programmatic calls to bound actions/functions do have keys in `req.data` again if compat flag `cds.env.features.keys_in_data_compat` is set
+
+## Version 5.9.4 - 2022-05-02
+
+### Fixed
+
+- Error messages are improved if no `passport` module was found or if no `xsuaa` service binding is available
+- Issue fixed for `srv.get()`. It was returning `TypeError` in plain REST usage for external services, e.g. `srv.get('/some/arbitrary/path/111')`
+- Allow unrestricted services to run unauthenticated, removing the `Unable to require required package/file "passport"` error. Totally not recommended in production.  Note that though this restores pre 5.9.0 behavior, this will come again starting in 6.0.
+- Audit logging of sensitive data in a composition child if its parent is annotated with `@PersonalData.EntitySemantics: 'Other'` and has no data privacy annotations other than `@PersonalData.FieldSemantics: 'DataSubjectID'` annotating a corresponding composition, for example:
+  ```js
+    annotate Customers with @PersonalData : {
+      DataSubjectRole : 'Address',
+      EntitySemantics : 'Other'
+    } {
+      addresses @PersonalData.FieldSemantics: 'DataSubjectID';
+    }
+    annotate CustomerPostalAddress with @PersonalData : {
+      DataSubjectRole : 'Address',
+      EntitySemantics : 'DataSubject'
+    } {
+      ID @PersonalData.FieldSemantics : 'DataSubjectID';
+      street @PersonalData.IsPotentiallyPersonal;
+      town @PersonalData.IsPotentiallySensitive;
+    }
+  ```
+
+## Version 5.9.3 - 2022-04-25
+
+### Fixed
+
+- Since 5.8.2 `req.target` for requests like `srv.put('/MyService.entity')` is defined, but `req.query` undefined (before `req.target` was also undefined). This was leading to accessing undefined, which has been fixed.
+- Custom actions with names conflicting with methods from service base classes, e.g. `run()`, could lead to hard-to-detect errors. This is now detected and avoided with a warning.
+- Typed methods for custom actions were erroneously applied to `cds.db` service, which led to server crashes, e.g. when the action was named `deploy()`.
+- Invalid batch requests were further processed after error response was already sent to client, leading to an InternalServerError
+- Full support of `SELECT` queries with operator expressions (`xpr`)
+
+
 ## Version 5.9.2 - 2022-04-07
 
 ### Fixed

package/lib/compile/for/drafts.js

@@ -4,6 +4,6 @@ module.exports = function cds_compile_for_drafts (csn,o) {
   const unfold = cds_compile_for_drafts.unfold || (
     cds_compile_for_drafts.unfold = require ('@sap/cds-compiler/lib/transform/draft/odata')
   )
-  // csn = JSON.parse (JSON.stringify (csn)) // REVISIT: workaround for bad test setup
+  csn = JSON.parse (JSON.stringify (csn)) // REVISIT: workaround for bad test setup
   return unfold (csn,o||{})
 }

package/lib/index.js

@@ -81,7 +81,7 @@ if (global.cds) Object.assign(module,{exports:global.cds}) ; else {
     ApplicationService: lazy => require('../libx/_runtime/cds-services/services/Service.js'),
     MessagingService: lazy => require('../libx/_runtime/messaging/service.js'),
     DatabaseService: lazy => require('../libx/_runtime/db/Service.js'),
-    RemoteService: lazy => require('../libx/_runtime/rest/service.js'),
+    RemoteService: lazy => require('../libx/_runtime/remote/Service.js'),
     AuditLogService: lazy => require('../libx/_runtime/audit/Service.js'),
     odata: require('../libx/odata'),
 

package/lib/serve/Service-methods.js

@@ -1,5 +1,12 @@
+const cds = require('..')
+const LOG = cds.log('cds-app-service-methods')
+
 
 module.exports = (srv) => {
+  if (!( //> we only support that for app services
+    srv instanceof cds.ApplicationService ||
+    srv instanceof cds.RemoteService
+  )) return
   for (const each of srv.operations) {
     add_handler_for (srv, each)
   }
@@ -16,7 +23,23 @@ const add_handler_for = (srv, def) => {
   // Use existing methods as handler implementations
   const method = srv[event]
   if (method) {
-    if (method._is_stub || method.name in srv.__proto__.__proto__) return
+    if (method._is_stub) return
+    const baseclass = (
+      srv.__proto__ === cds.ApplicationService.prototype ? srv.__proto__ :
+      srv.__proto__ === cds.RemoteService.prototype ? srv.__proto__ :
+      srv.__proto__.__proto__ // in case of class-based impls
+    )
+    if (method.name in baseclass) return LOG.warn(`WARNING: custom ${def.kind} '${event}()' conflicts with method in base class.
+
+      Cannot add typed method for custom ${def.kind} '${event}' to service impl of '${srv.name}',
+      as this would shadow equally named method in service base class '${baseclass.constructor.name}'.
+      Consider choosing a different name for your custom ${def.kind}.
+      Learn more at https://cap.cloud.sap/docs/guides/providing-services#actions-and-functions.
+    `)
+    LOG.debug (`
+      Using method ${event} from service class '${baseclass.constructor.name}'
+      as handler for ${def.kind} '${event}' in service '${srv.name}'
+    `)
     srv.on (event, function ({params,data}) {
       const args = []; if (def.parent) args.push (def.parent)
       for (let p in params) args.push(params[p])
@@ -26,6 +49,10 @@ const add_handler_for = (srv, def) => {
   }
 
   // Add stub methods to send request via typed API
+  LOG.debug (`
+    Adding typed method stub for calling custom ${def.kind} '${event}'
+    to service impl '${srv.name}'
+  `)
   const stub = srv[event] = function (...args) {
     const req = { event, data:{} }, $ = args[0]
     const target = this.entities [ $ && $.name ? $.name.match(/\w*$/)[0] : $ ]
@@ -35,6 +62,25 @@ const add_handler_for = (srv, def) => {
     }
     const {params} = target ? target.actions[event] : def
     if (params) req.data =  _named(args,params) || _positional(args,params)
+
+    // ensure legacy compat, keys in req.data
+    if(cds.env.features.keys_in_data_compat && target) {
+      // named/positional variant of keys
+      const named = req.params.length === 1 && typeof req.params[0] === 'object'
+
+      let pos = 0 //> counter for key in positional variant
+      for (const k in target.keys) {
+        if (req.data[k]) {
+          LOG._warn && LOG.warn(`
+          ${target.name} has defined ${k} as key and action parameter.
+          Key will be used in req.data.      
+          `)
+        }
+        req.data[k] = named ? req.params[0][k] : req.params[pos++]
+      }
+      
+    }
+
     return this.send (req)
   }
   stub._is_stub = true

package/libx/_runtime/auth/index.js

@@ -44,7 +44,10 @@ const _initializers = {
       // REVISIT: compat, remove with cds^6
       passport.use(new XSUAAStrategy(uaa.credentials))
     } else {
-      throw Object.assign(new Error('No or malformed credentials for auth kind "xsuaa"'), { credentials })
+      throw Object.assign(
+        new Error('No or malformed credentials for auth kind "xsuaa". Make sure to bind the app to an "xsuaa" service'),
+        { credentials }
+      )
     }
   }
 }
@@ -178,6 +181,18 @@ module.exports = (srv, app, options) => {
     // > dummy or mock authentication (for development/testing)
     _mountMockAuth(srv, app, strategy, config)
   } else {
+    // if no restriction and no binding, don't mount passport middleware
+    if (!restricted && !config.credentials) {
+      if (!logged) {
+        const msg = `Service ${srv.name} is unrestricted`
+        if (process.env.NODE_ENV !== 'production') LOG._debug && LOG.debug(msg)
+        else LOG._info && LOG.info(`${msg}. This is not recommended in production.`)
+      }
+
+      // no auth wanted > return
+      return
+    }
+
     // > passport authentication
     _mountPassportAuth(srv, app, strategy, config)
   }

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/deserializer/BatchRequestListBuilder.js

@@ -89,7 +89,9 @@ class BatchRequestListBuilder {
     source
       .pipe(reader)
       .on('finish', () => {
-        callback(null, this._requestInBatchList)
+        //Revisit: if statement needed in node v12 and v14, not in v16.
+        //Without it, finish callback reached in 12/14 after error handler was thrown
+        if (!source.res || !source.res.headersSent) callback(null, this._requestInBatchList)
       })
       .on('error', callback)
   }

package/libx/_runtime/cds-services/adapter/odata-v4/utils/stream.js

@@ -30,9 +30,7 @@ const _adaptSubSelectsDraft = select => {
       if (element.SELECT) {
         _adaptSubSelectsDraft(element)
       } else if (element.xpr) {
-        for (const ele of element.xpr.filter(e => e.SELECT)) {
-          _adaptSubSelectsDraft(ele)
-        }
+        _adaptSubSelectsDraft({ SELECT: { from: {}, where: element.xpr } })
       }
     }
   }

package/libx/_runtime/common/aspects/utils.js

@@ -44,7 +44,9 @@ const hasPersonalData = entity => {
     for (const ele in entity.elements) {
       if (
         entity.elements[ele]['@PersonalData.IsPotentiallyPersonal'] ||
-        entity.elements[ele]['@PersonalData.IsPotentiallySensitive']
+        entity.elements[ele]['@PersonalData.IsPotentiallySensitive'] ||
+        (entity.elements[ele]['@PersonalData.FieldSemantics'] &&
+          entity.elements[ele]['@PersonalData.FieldSemantics'] === 'DataSubjectID')
       ) {
         val = true
         break
@@ -58,7 +60,11 @@ const hasSensitiveData = entity => {
   let val
   if (entity['@PersonalData.DataSubjectRole'] && entity['@PersonalData.EntitySemantics']) {
     for (const ele in entity.elements) {
-      if (entity.elements[ele]['@PersonalData.IsPotentiallySensitive']) {
+      if (
+        entity.elements[ele]['@PersonalData.IsPotentiallySensitive'] ||
+        (entity.elements[ele]['@PersonalData.FieldSemantics'] &&
+          entity.elements[ele]['@PersonalData.FieldSemantics'] === 'DataSubjectID')
+      ) {
         val = true
         break
       }

package/libx/_runtime/common/composition/data.js

@@ -12,20 +12,13 @@ const { SELECT } = cds.ql
  * own utils
  */
 
-const _isSameEntity = (cqn, req) => {
-  const where = cqn.UPDATE.where || []
-  const persistentObj = Array.isArray(req._.partialPersistentState)
-    ? req._.partialPersistentState[0]
-    : req._.partialPersistentState
-  if (!persistentObj) {
-    // If no data was found we don't know if it is the same entity
-    return false
-  }
-  const target = getDBTable(req.target)
-  if (target.name !== (cqn.UPDATE.entity.ref && cqn.UPDATE.entity.ref[0]) && target.name !== cqn.UPDATE.entity) {
-    return false
-  }
+const _isSameEntityInWhere = (where, target, persistentObj) => {
   for (let i = 0; i < where.length; i++) {
+    if (where[i].xpr) {
+      const res = _isSameEntityInWhere(where[i].xpr, target, persistentObj)
+      if (!res) return res
+      continue
+    }
     if (!where[i] || !where[i].ref || !target.elements[where[i].ref]) {
       continue
     }
@@ -40,6 +33,22 @@ const _isSameEntity = (cqn, req) => {
   return true
 }
 
+const _isSameEntity = (cqn, req) => {
+  const where = cqn.UPDATE.where || []
+  const persistentObj = Array.isArray(req._.partialPersistentState)
+    ? req._.partialPersistentState[0]
+    : req._.partialPersistentState
+  if (!persistentObj) {
+    // If no data was found we don't know if it is the same entity
+    return false
+  }
+  const target = getDBTable(req.target)
+  if (target.name !== (cqn.UPDATE.entity.ref && cqn.UPDATE.entity.ref[0]) && target.name !== cqn.UPDATE.entity) {
+    return false
+  }
+  return _isSameEntityInWhere(where, target, persistentObj)
+}
+
 const _getLinksOfCompTree = compositionTree => {
   const links = []
   for (const link of [...compositionTree.backLinks, ...compositionTree.customBackLinks]) {

package/libx/_runtime/common/composition/delete.js

@@ -216,6 +216,18 @@ const resolveNavigationTarget = (cqn, ref, model) => {
   return { target, elementName }
 }
 
+const _getDataFromOncond = (onCond, parent) => {
+  return onCond.reduce((res, e) => {
+    if (e.xpr) {
+      return Object.assign(res, _getDataFromOncond(e.xpr, parent))
+    }
+    if (!e.ref || e.ref[0] !== '$$parent') return res
+    const fk = e.ref.slice(1).join('_')
+    if (!parent.keys[fk]) res[fk] = null
+    return res
+  }, {})
+}
+
 // eslint-disable-next-line complexity
 const getSetNullParentForeignKeyCQNs = async (model, req, dbQuery) => {
   const cqns = []
@@ -229,12 +241,7 @@ const getSetNullParentForeignKeyCQNs = async (model, req, dbQuery) => {
     const element = parent.elements[elementName]
     if (element && element._isCompositionEffective && element.is2one) {
       const onCond = element && parent._relations[element.name].join('$$whatever', '$$parent')
-      const data = onCond.reduce((res, e) => {
-        if (!e.ref || e.ref[0] !== '$$parent') return res
-        const fk = e.ref.slice(1).join('_')
-        if (!parent.keys[fk]) res[fk] = null
-        return res
-      }, {})
+      const data = _getDataFromOncond(onCond, parent)
       cqn.data(data)
       cqn.__4delete = true
       if (Object.keys(data).length) cqns.push(cqn)
@@ -247,12 +254,7 @@ const getSetNullParentForeignKeyCQNs = async (model, req, dbQuery) => {
     for (const element of comp2oneParents) {
       const parent = element.parent
       const onCond = parent._relations[element.name].join('$$child', '$$parent')
-      const data = onCond.reduce((res, e) => {
-        if (!e.ref || e.ref[0] !== '$$parent') return res
-        const fk = e.ref.slice(1).join('_')
-        if (!parent.keys[fk]) res[fk] = null
-        return res
-      }, {})
+      const data = _getDataFromOncond(onCond, parent)
       const columns = getColumns(parent, { _4db: true, onlyKeys: true }).map(c => ({ ref: ['$$parent', c.name] }))
       const as = query.DELETE.from.as || (query.DELETE.from.ref && query.DELETE.from.ref[0]) || query.DELETE.from
       const selectCQN = SELECT.from(`${parent.name} as $$parent`)

package/libx/_runtime/common/generic/auth/expand.js

@@ -41,6 +41,7 @@ const _getRestrictedExpand = (columns, target, definitions) => {
 }
 
 function handler(req) {
+  if (!req.query) return
   const restricted = _getRestrictedExpand(
     req.query.SELECT && req.query.SELECT.columns,
     req.target,

package/libx/_runtime/common/generic/input.js

@@ -184,6 +184,7 @@ const _getBoundActionBindingParameter = req => {
 }
 
 function _handler(req) {
+  if (!req.query) return // FIXME: the code below expects req.query to be defined
   if (!req.target) return
 
   const template = getTemplate('app-input', this, req.target, { pick: _pick })

package/libx/_runtime/common/generic/put.js

@@ -57,6 +57,7 @@ const _pick = element => {
 
 function _handler(req) {
   if (req.method !== 'PUT') return
+  if (!req.query) return // FIXME: the code below expects req.query to be defined
   if (!req.target) return
 
   // not for payloads with stream properties

package/libx/_runtime/common/utils/cqn.js

@@ -16,20 +16,16 @@ const getEntityNameFromUpdateCQN = cqn => {
   return (cqn.UPDATE.entity.ref && cqn.UPDATE.entity.ref[0]) || cqn.UPDATE.entity.name || cqn.UPDATE.entity
 }
 
-const addToWhere = (cqn, where) => {
-  const partial = cqn.SELECT || cqn.UPDATE || cqn.DELETE
-  if (!partial.where) partial.where = where
-  else {
-    partial.where.unshift('(')
-    partial.where.push(')', 'and', '(', ...where, ')')
-  }
-}
-
 // scope: simple wheres à la "[{ ref: ['foo'] }, '=', { val: 'bar' }, 'and', ... ]"
 function where2obj(where, target = null) {
   const data = {}
   for (let i = 0; i < where.length; i++) {
     const whereEl = where[i]
+
+    if (whereEl.xpr) {
+      where2obj(whereEl.xpr, target, data)
+    }
+
     const colName = whereEl.ref && whereEl.ref[whereEl.ref.length - 1]
     // optional validation if target is passed
     if (target) {
@@ -85,7 +81,6 @@ function isPathToDraft(path, model) {
 }
 
 module.exports = {
-  addToWhere,
   getEntityNameFromDeleteCQN,
   getEntityNameFromUpdateCQN,
   where2obj,

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -12,7 +12,6 @@ const { getEntityNameFromCQN } = require('./entityFromCqn')
 const getError = require('../../common/error')
 const { rewriteAsterisks } = require('./rewriteAsterisks')
 const { getPathFromRef, getEntityFromPath } = require('../../common/utils/path')
-const { addToWhere } = require('../../common/utils/cqn')
 const { removeIsActiveEntityRecursively } = require('../../fiori/utils/where')
 const { addRefToWhereIfNecessary } = require('../../../odata/afterburner')
 const { addAliasToExpression, PARENT_ALIAS, FOREIGN_ALIAS } = require('../../db/utils/generateAliases')
@@ -240,11 +239,14 @@ const _convertCountNavigation = (SELECT, target) => {
 }
 
 const _addTableName = (where, tableName) => {
-  return where.map(ref => {
-    if (ref.ref) {
-      ref.ref.unshift(tableName)
+  return where.map(whereEl => {
+    if (whereEl.xpr) {
+      return { xpr: _addTableName(whereEl.xpr, tableName) }
     }
-    return ref
+    if (whereEl.ref) {
+      whereEl.ref.unshift(tableName)
+    }
+    return whereEl
   })
 }
 
@@ -444,10 +446,7 @@ const convertWhereExists = (query, model, options, currentTarget) => {
     outerAlias = as || PARENT_ALIAS + lambdaIteration
     innerAlias = FOREIGN_ALIAS + lambdaIteration
   } else {
-    const element = currentTarget.elements[ref]
-    if (element && element.isAssociation) {
-      queryTarget = element._target
-    }
+    queryTarget = getEntityFromPath({ ref }, currentTarget)
   }
 
   if (where) {
@@ -488,16 +487,16 @@ const _convertNotEqual = (container, partName = 'where') => {
   const where = container[partName]
 
   if (where) {
-    let changed
-    where.forEach((el, index) => {
+    for (let index = 0; index < where.length; index++) {
+      const el = where[index]
       if (el === '!=') {
         const refIndex = _getRefIndex(where, index)
         if (refIndex !== undefined) {
           where[index - 1] = {
             xpr: [where[index - 1], el, where[index + 1], 'or', where[refIndex], '=', { val: null }]
           }
-          where[index] = where[index + 1] = undefined
-          changed = true
+          where.splice(index, 2)
+          --index
         }
       }
 
@@ -505,11 +504,6 @@ const _convertNotEqual = (container, partName = 'where') => {
         if (el.SELECT) _convertNotEqual(el.SELECT, partName)
         if (el.xpr) _convertNotEqual(el, 'xpr')
       }
-    })
-
-    // delete undefined values
-    if (changed) {
-      container[partName] = where.filter(el => el)
     }
   }
 
@@ -562,6 +556,10 @@ const _convertOrderByOrWhereCQN = (orderByOrWhereCQN, target, model, alias, proc
   const queryTarget = model.definitions[ensureNoDraftsSuffix(target)]
 
   orderByOrWhereCQN.forEach((el, index) => {
+    if (el.xpr) {
+      _convertOrderByOrWhereCQN(el.xpr, target, model, alias, processFn)
+      return
+    }
     if (el.ref && _skip(queryTarget, el.ref, alias, model)) processFn(orderByOrWhereCQN, index)
   })
 }
@@ -603,86 +601,56 @@ const _convertRefWhereInExpand = columns => {
   }
 }
 
-const _flattenCQN = cqn => {
-  if (Array.isArray(cqn)) cqn.forEach(_flattenCQN)
-  else if (cqn) {
-    if (cqn.SELECT) _flattenCQN(cqn.SELECT)
-    if (cqn.from) _flattenCQN(cqn.from)
-    if (cqn.ref) _flattenCQN(cqn.ref)
-    if (cqn.SET) _flattenCQN(cqn.SET)
-    if (cqn.args) _flattenCQN(cqn.args)
-    if (cqn.columns) _flattenCQN(cqn.columns)
-    if (cqn.expand) _flattenCQN(cqn.expand)
-    if (cqn.where) _flattenXpr(cqn.where)
-    if (cqn.having) _flattenXpr(cqn.having)
+const _convertPathExpression = (query, model, options = {}) => {
+  const prevAlias = query.SELECT.from.as
+  for (const whereEl of query.SELECT.where || []) {
+    if (typeof whereEl === 'object' && whereEl.SELECT) _convertPathExpression(whereEl, model)
   }
-}
-
-const _flattenXpr = cqn => {
-  if (!Array.isArray(cqn)) {
-    if (cqn.xpr) cqn = cqn.xpr
-    return
-  }
-
-  let idx = cqn.findIndex(el => el.xpr)
-  while (idx > -1) {
-    cqn.splice(idx, 1, '(', ...cqn[idx].xpr, ')')
-    idx = cqn.findIndex(el => el.xpr)
-  }
-
-  cqn.forEach(_flattenCQN)
-}
-
-const _convertPathExpression = (SELECT, model, options = {}) => {
-  const prevAlias = SELECT.from.as
-  for (const whereEl of SELECT.where || []) {
-    if (typeof whereEl === 'object' && whereEl.SELECT) _convertPathExpression(whereEl.SELECT, model)
-  }
-  const conversion = convertPathExpressionToWhere(SELECT.from, model, options)
+  const conversion = convertPathExpressionToWhere(query.SELECT.from, model, options)
   if (!conversion) return
   const { target, alias, where, cardinality, columns, args } = conversion
 
   // REVISIT: It's not possible to just change the reference (i.e. SELECT.from.ref = [target])
   // as many parts of our code base still refer to SELECT.from (e.g. authorization)
   if (args) {
-    SELECT.from = { ref: [{ id: target, args }] }
+    query.SELECT.from = { ref: [{ id: target, args }] }
   } else {
-    SELECT.from = { ref: [target] }
+    query.SELECT.from = { ref: [target] }
   }
   if (alias) {
-    SELECT.from.as = alias
-    if (SELECT.where && alias !== prevAlias) {
-      SELECT.where = addAliasToExpression(SELECT.where, alias)
+    query.SELECT.from.as = alias
+    if (query.SELECT.where && alias !== prevAlias) {
+      query.SELECT.where = addAliasToExpression(query.SELECT.where, alias)
     }
   }
   if (columns) {
     // TODO: use streaming as outer property
-    if (options.isStreaming) SELECT.columns = columns
+    if (options.isStreaming) query.SELECT.columns = columns
     else {
-      if (!SELECT.columns) {
+      if (!query.SELECT.columns) {
         // Okra always wants to have the key values, remove once we relax this requirement
         if (model.definitions[target] && model.definitions[target].keys) {
-          SELECT.columns = Object.keys(model.definitions[target].keys)
+          query.SELECT.columns = Object.keys(model.definitions[target].keys)
             .filter(
               k =>
                 !model.definitions[target].keys[k].isAssociation &&
                 !columns.find(element => element.ref && element.ref[element.ref.length - 1] === k)
             )
             .map(k => ({ ref: [k] }))
-        } else SELECT.columns = []
+        } else query.SELECT.columns = []
       }
-      SELECT.columns.push(...columns)
+      query.SELECT.columns.push(...columns)
     }
   }
   if (cardinality && cardinality.max === 1) {
-    SELECT.one = true
+    query.SELECT.one = true
   }
   // TODO: REVISIT: We need to add alias to subselect in .where, .columns, .from, ... etc
   if (where) {
     if (options._4fiori) {
-      addToWhere({ SELECT }, where)
+      query.where(where)
     } else {
-      addToWhere({ SELECT }, removeIsActiveEntityRecursively(where))
+      query.where(removeIsActiveEntityRecursively(where))
     }
   }
 }
@@ -693,6 +661,9 @@ const _convertToOneEqNullInFilter = (query, target) => {
 
   for (let i = 0; i < query.where.length; i++) {
     const w = query.where[i]
+    if (w.xpr) {
+      _convertToOneEqNullInFilter({ where: w.xpr }, target)
+    }
     const w2 = query.where[i + 2]
     if (!w2 || !w.ref || w2.val !== null) {
       continue
@@ -716,10 +687,6 @@ const _convertToOneEqNullInFilter = (query, target) => {
 
 // eslint-disable-next-line complexity
 const _convertSelect = (query, model, _options) => {
-  const { _initial } = _options
-  if (_initial) {
-    delete _options._initial
-  }
   const options = Object.assign(
     {
       _4db: _options.service instanceof cds.DatabaseService,
@@ -744,7 +711,7 @@ const _convertSelect = (query, model, _options) => {
     _convertNotEqual(query.SELECT, 'having')
   }
 
-  _convertPathExpression(query.SELECT, model, options)
+  _convertPathExpression(query, model, options)
   rewriteAsterisks(query, model, options)
   if (query.SELECT.where) {
     const entityName =
@@ -795,9 +762,6 @@ const _convertSelect = (query, model, _options) => {
     }
   }
 
-  // temporary workaround for xpr - cds v5.9.2 only
-  if (_initial) _flattenCQN(query)
-
   return query
 }
 
@@ -937,7 +901,7 @@ const _convertUpdate = (query, model, options) => {
  */
 const cqn2cqn4sql = (query, model, options = { suppressSearch: false }) => {
   if (query.SELECT) {
-    return _convertSelect(query, model, Object.assign(options, { _initial: true }))
+    return _convertSelect(query, model, options)
   }
 
   if (query.UPDATE) {

package/libx/_runtime/common/utils/foreignKeyPropagations.js

@@ -1,24 +1,44 @@
-const _getSubOns = element => {
-  // this only works for on conds with `and`, once we support `or` this needs to be adjusted
-  const newOn = element.on ? element.on.filter(e => e !== '(' && e !== ')') : []
-  const subOns = []
+const _normalizedRef = o => (o && o.ref && o.ref.length > 1 && o.ref[0] === '$self' ? { ref: o.ref.slice(1) } : o)
+
+const _sub = (newOn, subOns = []) => {
   let currArr = []
 
-  for (const onEl of newOn) {
-    if (currArr.length === 0) subOns.push(currArr)
+  for (let i = 0; i < newOn.length; i++) {
+    const onEl = newOn[i]
+
+    if (onEl === 'or') {
+      // abort condition for or
+      subOns.push([])
+      return subOns
+    }
+    if (onEl.xpr) {
+      _sub(onEl.xpr, subOns)
+      // after xpr there usually should be and/or
+      i++
+      continue
+    }
+    if (currArr.length === 0) {
+      subOns.push(currArr)
+    }
     if (onEl !== 'and') currArr.push(onEl)
     else {
       currArr = []
     }
   }
 
+  return subOns
+}
+
+const _getSubOns = element => {
+  const newOn = element.on || []
+  const subOns = _sub(newOn)
+
   for (const subOn of subOns) {
     // We don't support anything else than
     // A = B AND C = D AND ...
     if (subOn.length !== 3) return []
   }
-
-  return subOns
+  return subOns.map(subOn => subOn.map(ref => _normalizedRef(ref)))
 }
 
 const _parentFieldsFromSimpleOnCond = (element, subOn) => {