@sap/cds 5.9.3 → 5.9.6

package/CHANGELOG.md

@@ -4,13 +4,60 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+
+## Version 5.9.6 - 2022-05-24
+
+### Fixed
+
+- Ignored requests in batch requests
+- `pool` module for logger facade is separated from `hana` database logger. Timeout error by acquiring client from pool is now enhanced with `_poolState` providing current pool attibutes.
+- Multiple errors did not have correct HTTP response status code
+- `POST|PUT|PATCH` requests with `charset` directive in `Content-Type` header (e.g. `Content-Type: application/json; charset=utf-8`) no longer issues an error "Invalid content type" in REST adapters
+- Call hana procedure:
+  + accepted are any symbols in a procedure name if it is delimited with a double quotation (`"`)
+  + fixed results for table output parameters when using `@sap/hana-client`; **limitation**: output parameters in a `CALL` statement must follow the same order used in a stored procedure definition
+- `@odata.context` considers `cds.env.odata.contextAbsoluteUrl` when requesting an OData Service
+
+## Version 5.9.5 - 2022-05-09
+
+### Fixed
+
+- `HDB_TCP_KEEP_ALIVE_IDLE` config
+- A combination of `!=` operator and `or` in `where` clauses of `@restrict` annotations or when adjusting `req.query` in custom handlers (OData services only)
+- Programmatic calls to bound actions/functions do have keys in `req.data` again if compat flag `cds.env.features.keys_in_data_compat` is set
+
+## Version 5.9.4 - 2022-05-02
+
+### Fixed
+
+- Error messages are improved if no `passport` module was found or if no `xsuaa` service binding is available
+- Issue fixed for `srv.get()`. It was returning `TypeError` in plain REST usage for external services, e.g. `srv.get('/some/arbitrary/path/111')`
+- Allow unrestricted services to run unauthenticated, removing the `Unable to require required package/file "passport"` error. Totally not recommended in production.  Note that though this restores pre 5.9.0 behavior, this will come again starting in 6.0.
+- Audit logging of sensitive data in a composition child if its parent is annotated with `@PersonalData.EntitySemantics: 'Other'` and has no data privacy annotations other than `@PersonalData.FieldSemantics: 'DataSubjectID'` annotating a corresponding composition, for example:
+  ```js
+    annotate Customers with @PersonalData : {
+      DataSubjectRole : 'Address',
+      EntitySemantics : 'Other'
+    } {
+      addresses @PersonalData.FieldSemantics: 'DataSubjectID';
+    }
+    annotate CustomerPostalAddress with @PersonalData : {
+      DataSubjectRole : 'Address',
+      EntitySemantics : 'DataSubject'
+    } {
+      ID @PersonalData.FieldSemantics : 'DataSubjectID';
+      street @PersonalData.IsPotentiallyPersonal;
+      town @PersonalData.IsPotentiallySensitive;
+    }
+  ```
+
 ## Version 5.9.3 - 2022-04-25
 
 ### Fixed
 
-- Since 5.8.2 `req.target` for requests like `srv.put('/MyService.entity')` is defined, but `req.query` undefined (before `req.target` was also undefined). This was leading to accessing undefined, which has been fixed. 
-- Custom actions with names conflicting with methods from service base classes, e.g. `run()`, could lead to hard-to-detect errors. This is now detected and avoided with a warning. 
-- Typed methods for custom actions were erroneously applied to `cds.db` service, which led to server crashes, e.g. when the action was named `deploy()`. 
+- Since 5.8.2 `req.target` for requests like `srv.put('/MyService.entity')` is defined, but `req.query` undefined (before `req.target` was also undefined). This was leading to accessing undefined, which has been fixed.
+- Custom actions with names conflicting with methods from service base classes, e.g. `run()`, could lead to hard-to-detect errors. This is now detected and avoided with a warning.
+- Typed methods for custom actions were erroneously applied to `cds.db` service, which led to server crashes, e.g. when the action was named `deploy()`.
 - Invalid batch requests were further processed after error response was already sent to client, leading to an InternalServerError
 - Full support of `SELECT` queries with operator expressions (`xpr`)
 

package/lib/serve/Service-methods.js

@@ -62,6 +62,25 @@ const add_handler_for = (srv, def) => {
     }
     const {params} = target ? target.actions[event] : def
     if (params) req.data =  _named(args,params) || _positional(args,params)
+
+    // ensure legacy compat, keys in req.data
+    if(cds.env.features.keys_in_data_compat && target) {
+      // named/positional variant of keys
+      const named = req.params.length === 1 && typeof req.params[0] === 'object'
+
+      let pos = 0 //> counter for key in positional variant
+      for (const k in target.keys) {
+        if (req.data[k]) {
+          LOG._warn && LOG.warn(`
+          ${target.name} has defined ${k} as key and action parameter.
+          Key will be used in req.data.      
+          `)
+        }
+        req.data[k] = named ? req.params[0][k] : req.params[pos++]
+      }
+      
+    }
+
     return this.send (req)
   }
   stub._is_stub = true

package/libx/_runtime/auth/index.js

@@ -44,7 +44,10 @@ const _initializers = {
       // REVISIT: compat, remove with cds^6
       passport.use(new XSUAAStrategy(uaa.credentials))
     } else {
-      throw Object.assign(new Error('No or malformed credentials for auth kind "xsuaa"'), { credentials })
+      throw Object.assign(
+        new Error('No or malformed credentials for auth kind "xsuaa". Make sure to bind the app to an "xsuaa" service'),
+        { credentials }
+      )
     }
   }
 }
@@ -178,6 +181,18 @@ module.exports = (srv, app, options) => {
     // > dummy or mock authentication (for development/testing)
     _mountMockAuth(srv, app, strategy, config)
   } else {
+    // if no restriction and no binding, don't mount passport middleware
+    if (!restricted && !config.credentials) {
+      if (!logged) {
+        const msg = `Service ${srv.name} is unrestricted`
+        if (process.env.NODE_ENV !== 'production') LOG._debug && LOG.debug(msg)
+        else LOG._info && LOG.info(`${msg}. This is not recommended in production.`)
+      }
+
+      // no auth wanted > return
+      return
+    }
+
     // > passport authentication
     _mountPassportAuth(srv, app, strategy, config)
   }

package/libx/_runtime/cds-services/adapter/odata-v4/OData.js

@@ -28,11 +28,7 @@ const _read = require('./handlers/read')
 const _action = require('./handlers/action')
 const { normalizeError, isClientError } = require('../../../common/error/frontend')
 
-let _i18n
-const i18n = (...args) => {
-  if (!_i18n) _i18n = require('../../../common/i18n')
-  return _i18n(...args)
-}
+const { getErrorMessage } = require('../../../common/error/utils')
 
 function _log(level, arg) {
   const { params } = arg
@@ -51,31 +47,30 @@ function _log(level, arg) {
   if (!obj.level) obj.level = arg.level
   if (!obj.timestamp) obj.timestamp = arg.timestamp
 
-  // replace messages in toLog with developer texts (i.e., undefined locale) iff level === 'error' (cf. req.reject() etc.)
-  const _message = obj.message
-  const _details = obj.details
   if (level === 'error') {
-    obj.message = i18n(obj.message || obj.code, undefined, obj.args) || obj.message
-    if (obj.details) {
-      const details = []
-      for (const d of obj.details) {
-        details.push(Object.assign({}, d, { message: i18n(d.message || d.code, undefined, d.args) || d.message }))
-      }
-      obj.details = details
-    }
-
     // reduce 4xx to warning
     if (isClientError(obj)) {
       if (!LOG._warn) {
         // restore
-        obj.message = _message
-        if (_details) obj.details = _details
         return
       }
       level = 'warn'
     }
   }
 
+  // replace messages in toLog with developer texts (i.e., undefined locale) (cf. req.reject() etc.)
+  const _message = obj.message
+  const _details = obj.details
+
+  obj.message = getErrorMessage(obj)
+  if (obj.details) {
+    const details = []
+    for (const d of obj.details) {
+      details.push(Object.assign({}, d, { message: getErrorMessage(d) }))
+    }
+    obj.details = details
+  }
+
   // log it
   LOG[level](obj)
 

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/deserializer/MultipartReader.js

@@ -243,7 +243,7 @@ class MultipartParser extends Reader {
     // the nested multipart is finished.
 
     if (this._stopPattern) {
-      if (cache.length - cache.getReadPos() < this._stopPattern.length) {
+      if (cache._length - cache.getReadPos() < this._stopPattern.length) {
         return true
       }
       if (cache.indexOf(this._stopPattern, cache.getSearchPosition()) === cache.getSearchPosition()) {

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/serializer/ContextURLFactory.js

@@ -28,14 +28,12 @@ class ContextURLFactory {
   createContextURL(uriInfo, expand, representationKind, providedKeyMap = new Map(), edm, request, logger) {
     const pathSegments = uriInfo.getPathSegments()
     const lastSegment = pathSegments[pathSegments.length - 1]
-
-    if (lastSegment.getKind() === ResourceKind.SERVICE) return '$metadata'
-    if (lastSegment.getKind() === ResourceKind.METADATA) return ''
-
     const contextUrlInfo = this._parseSegments(pathSegments, providedKeyMap, edm)
-
     const contextUrlPrefix = this._buildContextUrlPrefix(contextUrlInfo, pathSegments, request, logger)
 
+    if (lastSegment.getKind() === ResourceKind.SERVICE) return `${contextUrlPrefix}$metadata`
+    if (lastSegment.getKind() === ResourceKind.METADATA) return ''
+
     const finalEdmType = uriInfo.getFinalEdmType()
     const structuredType =
       finalEdmType && (finalEdmType.getKind() === EdmTypeKind.ENTITY || finalEdmType.getKind() === EdmTypeKind.COMPLEX)
@@ -93,6 +91,9 @@ class ContextURLFactory {
 
       const kind = segment.getKind()
       switch (kind) {
+        case ResourceKind.SERVICE:
+        case ResourceKind.METADATA:
+          return { result: '', isOnlyTyped, isEntity, hasReferencedSegment }
         case ResourceKind.ENTITY:
           target = segment.getEntitySet()
           result.unshift(

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/serializer/ServiceJsonSerializer.js

@@ -34,7 +34,7 @@ class ServiceJsonSerializer {
   serialize (data) {
     try {
       let outputJson = {
-        [JsonAnnotations.CONTEXT]: '$metadata',
+        [JsonAnnotations.CONTEXT]: data[MetaProperties.CONTEXT] || '$metadata',
         [JsonAnnotations.METADATA_ETAG]:
           data[MetaProperties.ETAG] === null || data[MetaProperties.ETAG] === undefined
             ? undefined

package/libx/_runtime/cds-services/adapter/rest/utils/header-checks.js

@@ -1,7 +1,11 @@
 const getError = require('../../../../common/error')
 
 const contentTypeCheck = req => {
-  if (req.headers['content-type'] && req.headers['content-type'] !== 'application/json') {
+  const contentType = req.headers['content-type'] && req.headers['content-type'].split(';')
+  if (
+    contentType &&
+    (!contentType[0].match(/^application\/json$/) || (typeof contentType[1] === 'string' && !contentType[1]))
+  ) {
     throw getError(415, 'INVALID_CONTENT_TYPE_ONLY_JSON')
   }
 }

package/libx/_runtime/common/aspects/utils.js

@@ -44,7 +44,9 @@ const hasPersonalData = entity => {
     for (const ele in entity.elements) {
       if (
         entity.elements[ele]['@PersonalData.IsPotentiallyPersonal'] ||
-        entity.elements[ele]['@PersonalData.IsPotentiallySensitive']
+        entity.elements[ele]['@PersonalData.IsPotentiallySensitive'] ||
+        (entity.elements[ele]['@PersonalData.FieldSemantics'] &&
+          entity.elements[ele]['@PersonalData.FieldSemantics'] === 'DataSubjectID')
       ) {
         val = true
         break
@@ -58,7 +60,11 @@ const hasSensitiveData = entity => {
   let val
   if (entity['@PersonalData.DataSubjectRole'] && entity['@PersonalData.EntitySemantics']) {
     for (const ele in entity.elements) {
-      if (entity.elements[ele]['@PersonalData.IsPotentiallySensitive']) {
+      if (
+        entity.elements[ele]['@PersonalData.IsPotentiallySensitive'] ||
+        (entity.elements[ele]['@PersonalData.FieldSemantics'] &&
+          entity.elements[ele]['@PersonalData.FieldSemantics'] === 'DataSubjectID')
+      ) {
         val = true
         break
       }

package/libx/_runtime/common/error/frontend.js

@@ -6,6 +6,9 @@
  *   Error responses MAY contain annotations in any of its JSON objects.
  */
 
+const localeFrom = require('../../../../lib/req/locale')
+const { getErrorMessage } = require('./utils')
+
 let _i18n
 const i18n = (...args) => {
   if (!_i18n) _i18n = require('../i18n')
@@ -60,7 +63,7 @@ const _rewrite = error => {
 
 const _normalize = (err, locale, inner = false) => {
   // message (i18n)
-  err.message = i18n(err.message || err.code, locale, err.args) || err.message || `${err.code}`
+  err.message = getErrorMessage(err, locale)
 
   // only allowed properties
   const error = _getFiltered(err)
@@ -68,31 +71,37 @@ const _normalize = (err, locale, inner = false) => {
   // ensure code is set and a string
   error.code = String(error.code || 'null')
 
+  // REVISIT: code and message rewriting
+  _rewrite(error)
+
+  let statusCode = err.status || err.statusCode || (_isAllowedError(error.code) && error.code)
+
   // details
   if (!inner && err.details) {
-    error.details = err.details.map(ele => _normalize(ele, locale, true))
+    const childErrorCodes = new Set()
+    error.details = err.details.map(ele => {
+      const { error: childError, statusCode: childStatusCode } = _normalize(ele, locale, true)
+      childErrorCodes.add(childStatusCode)
+      return childError
+    })
+    statusCode = statusCode || _statusCodeFromDetails(childErrorCodes)
   }
 
-  // REVISIT: code and message rewriting
-  _rewrite(error)
+  // make sure it's a number, if it's an inner error don't set to 500, as will be set on root level if no other inner error has a statusCode
+  statusCode = statusCode ? Number(statusCode) : inner ? undefined : 500
 
-  return error
+  return { error, statusCode }
 }
 
 const _isAllowedError = errorCode => {
   return errorCode >= 300 && errorCode < 505
 }
 
-const localeFrom = require('../../../../lib/req/locale')
-
 // - for one unique value, we use it
 // - if at least one 5xx exists, we use 500
 // - else if at least one 4xx exists, we use 400
 // - else we use 500
-const _statusCodeFromDetails = details => {
-  const uniqueStatusCodes = new Set(
-    details.map(d => d.status || d.statusCode || d.code).map(c => (!isNaN(c) && Number(c)) || c)
-  )
+const _statusCodeFromDetails = uniqueStatusCodes => {
   if (uniqueStatusCodes.size === 1) return uniqueStatusCodes.values().next().value
   if ([...uniqueStatusCodes].some(s => s >= 500)) return 500
   if ([...uniqueStatusCodes].some(s => s >= 400)) return 400
@@ -101,17 +110,7 @@ const _statusCodeFromDetails = details => {
 
 const normalizeError = (err, req) => {
   const locale = req.locale || (req.locale = localeFrom(req))
-  const error = _normalize(err, locale)
-
-  // derive status code from err status OR root code OR matching detail codes
-  let statusCode = err.status || err.statusCode || (_isAllowedError(error.code) && error.code)
-  if (!statusCode && error.details) {
-    const detailsCode = _statusCodeFromDetails(error.details)
-    if (_isAllowedError(detailsCode)) statusCode = detailsCode
-  }
-
-  // make sure it's a number
-  statusCode = statusCode ? Number(statusCode) : 500
+  const { error, statusCode } = _normalize(err, locale)
 
   // REVISIT: make === 500 in cds^6
   // error[SKIP_SANITIZATION] is not an official API!!!
@@ -138,7 +137,7 @@ const _ensureSeverity = arg => {
 }
 
 const _normalizeMessage = (message, locale) => {
-  const normalized = _normalize(message, locale)
+  const { error: normalized } = _normalize(message, locale)
 
   // numericSeverity without @Common
   normalized.numericSeverity = _ensureSeverity(message.numericSeverity)
@@ -164,7 +163,7 @@ const getSapMessages = (messages, req) => {
 
 const isClientError = e => {
   // e.code may be undefined, string, number, ... -> NaN -> not a client error
-  const numericCode = e.statusCode || Number(e.code)
+  const numericCode = e.statusCode || e.status || Number(e.code)
   return numericCode >= 400 && numericCode < 500
 }
 

package/libx/_runtime/common/error/utils.js

@@ -0,0 +1,24 @@
+let _i18n
+// REVISIT does it really make sense to delay i18n require here?
+const i18n = (...args) => {
+  if (!_i18n) _i18n = require('../i18n')
+  return _i18n(...args)
+}
+
+/**
+ * Gets the localized error message for an error based on message, code, statusCode or status
+ * @param {*} error
+ * @param {*} locale can be undefined for default language
+ * @returns localized error message
+ */
+function getErrorMessage(error, locale) {
+  return (
+    i18n(error.message || error.code || error.status || error.statusCode, locale, error.args) ||
+    error.message ||
+    `${error.code || error.status || error.statusCode}`
+  )
+}
+
+module.exports = {
+  getErrorMessage
+}

package/libx/_runtime/common/generic/auth/expand.js

@@ -41,6 +41,7 @@ const _getRestrictedExpand = (columns, target, definitions) => {
 }
 
 function handler(req) {
+  if (!req.query) return
   const restricted = _getRestrictedExpand(
     req.query.SELECT && req.query.SELECT.columns,
     req.target,

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -487,16 +487,16 @@ const _convertNotEqual = (container, partName = 'where') => {
   const where = container[partName]
 
   if (where) {
-    let changed
-    where.forEach((el, index) => {
+    for (let index = 0; index < where.length; index++) {
+      const el = where[index]
       if (el === '!=') {
         const refIndex = _getRefIndex(where, index)
         if (refIndex !== undefined) {
           where[index - 1] = {
             xpr: [where[index - 1], el, where[index + 1], 'or', where[refIndex], '=', { val: null }]
           }
-          where[index] = where[index + 1] = undefined
-          changed = true
+          where.splice(index, 2)
+          --index
         }
       }
 
@@ -504,11 +504,6 @@ const _convertNotEqual = (container, partName = 'where') => {
         if (el.SELECT) _convertNotEqual(el.SELECT, partName)
         if (el.xpr) _convertNotEqual(el, 'xpr')
       }
-    })
-
-    // delete undefined values
-    if (changed) {
-      container[partName] = where.filter(el => el)
     }
   }
 

package/libx/_runtime/common/utils/require.js

@@ -3,6 +3,7 @@ module.exports = name => {
   try {
     return require(name)
   } catch (e) {
-    throw new Error(`Unable to require required package/file "${name}"`)
+    e.message = `Cannot find module '${name}'. Make sure to install it with 'npm i ${name}'\n` + e.message
+    throw e
   }
 }

package/libx/_runtime/hana/driver.js

@@ -37,7 +37,7 @@ function _connectHdb(creds, tenant) {
     // tls keep alive
     if (process.env.HDB_TCP_KEEP_ALIVE_IDLE) {
       const num = Number(process.env.HDB_TCP_KEEP_ALIVE_IDLE)
-      creds.tcpKeepAliveIdle = Number.NaN(num) ? false : num
+      creds.tcpKeepAliveIdle = Number.isNaN(num) ? false : num
     }
 
     const hdbClient = this.createClient(creds)

package/libx/_runtime/hana/execute.js

@@ -49,13 +49,10 @@ function _getBinaries(stmt) {
 
 const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}={2})$/
 
-function _isProcedureCall(sql) {
-  return sql.trim().match(/^call \s*"{0,1}\w*/i)
-}
-
 function _getProcedureName(sql) {
-  const match = sql.trim().match(/^call \s*"{0,1}(\w*)/i)
-  return match && match[1]
+  // name delimited with "" allows any character
+  const match = sql.trim().match(/^call \s*(("(?<delimited>.+)")|(?<undelimited>\w+))\s*\(/i)
+  return match && (match.groups.undelimited || match.groups.delimited)
 }
 
 function _hdbGetResultForProcedure(rows, args, outParameters) {
@@ -83,14 +80,16 @@ function _hcGetResultForProcedure(stmt, resultSet, outParameters) {
     }
   }
   // merge table output params into scalar params
-  if (outParameters && outParameters.length) {
-    const params = outParameters.filter(md => !(md.PARAMETER_NAME in result))
+  const params = Array.isArray(outParameters) && outParameters.filter(md => !(md.PARAMETER_NAME in result))
+  if (params && params.length) {
     let i = 0
-    while (resultSet.next()) {
-      result[params[i].PARAMETER_NAME] = [resultSet.getValues()]
-      resultSet.nextResult()
-      i++
-    }
+    do {
+      const parameterName = params[i++].PARAMETER_NAME
+      result[parameterName] = []
+      while (resultSet.next()) {
+        result[parameterName].push(resultSet.getValues())
+      }
+    } while (resultSet.nextResult())
   }
   return result
 }
@@ -132,10 +131,9 @@ function _executeAsPreparedStatement(dbc, sql, values, reject, resolve) {
 
     // procedure call metadata
     let outParameters
-    const isProcedureCall = _isProcedureCall(sql)
-    if (isProcedureCall) {
+    const procedureName = _getProcedureName(sql)
+    if (procedureName) {
       try {
-        const procedureName = _getProcedureName(sql)
         outParameters = await _getProcedureMetadata(procedureName, dbc)
       } catch (e) {
         LOG._warn && LOG.warn('Unable to fetch procedure metadata due to error:', e)
@@ -143,7 +141,7 @@ function _executeAsPreparedStatement(dbc, sql, values, reject, resolve) {
     }
 
     // on @sap/hana-client, we need to use execQuery in case of calling procedures
-    stmt[isProcedureCall && dbc.name !== 'hdb' ? 'execQuery' : 'exec'](values, function (err, rows, ...args) {
+    stmt[procedureName && dbc.name !== 'hdb' ? 'execQuery' : 'exec'](values, function (err, rows, ...args) {
       if (err) {
         stmt.drop(() => {})
         err.query = sql
@@ -152,7 +150,7 @@ function _executeAsPreparedStatement(dbc, sql, values, reject, resolve) {
       }
 
       let result
-      if (isProcedureCall) {
+      if (procedureName) {
         result =
           dbc.name === 'hdb'
             ? _hdbGetResultForProcedure(rows, args, outParameters)
@@ -183,7 +181,7 @@ function _executeSimpleSQL(dbc, sql, values) {
       values = Object.values(values)
     }
     // ensure that stored procedure with parameters is always executed as prepared
-    if (_hasValues(values) || _isProcedureCall(sql)) {
+    if (_hasValues(values) || !!_getProcedureName(sql)) {
       _executeAsPreparedStatement(dbc, sql, values, reject, resolve)
     } else {
       dbc.exec(sql, function (err, result) {

package/libx/_runtime/hana/pool.js

@@ -1,5 +1,5 @@
 const cds = require('../cds')
-const LOG = cds.log('hana|db|sql')
+const LOG = cds.log('pool|db')
 
 const { pool } = require('@sap/cds-foss')
 const hana = require('./driver')
@@ -225,6 +225,9 @@ async function resilientAcquire(pool, attempts = 1) {
   err.message =
     'Acquiring client from pool timed out. Please review your system setup, transaction handling, and pool configuration.'
   err._attempts = attempt
+  const { borrowed, pending, size, available, max } = pool
+  err._poolState = { borrowed, pending, size, available, max }
+  LOG._debug && LOG.debug(err)
   throw err
 }
 

package/libx/_runtime/remote/Service.js

@@ -41,7 +41,7 @@ const _buildPartialUrlFunctions = (url, data, params, kind = 'odata-v4') => {
   const funcParams = []
   const queryOptions = []
   // REVISIT: take params from params after importer fix (the keys should not be part of params)
-  for (const param in data) {
+  for (const param in _extractParamsFromData(data, params)) {
     if (kind === 'odata-v2') {
       funcParams.push(`${param}=${_setCorrectValue(param, data, params, kind)}`)
     } else {
@@ -54,7 +54,7 @@ const _buildPartialUrlFunctions = (url, data, params, kind = 'odata-v4') => {
     : `${url}(${funcParams.join(',')})?${queryOptions.join('&')}`
 }
 
-const _extractParamsFromData = (data, params) => {
+const _extractParamsFromData = (data, params = {}) => {
   return Object.keys(data).reduce((res, el) => {
     if (params[el]) Object.assign(res, { [el]: data[el] })
     return res
@@ -118,7 +118,7 @@ const _handleV2BoundActionFunction = (srv, def, req, event, kind) => {
   const params = []
   const data = req.data
   // REVISIT: take params from def.params, after importer fix (the keys should not be part of params)
-  for (const param in req.data) {
+  for (const param in _extractParamsFromData(req.data, def.params)) {
     params.push(`${param}=${formatVal(data[param], param, { elements: def.params }, kind)}`)
   }
   const keys = _buildKeys(req, this.kind)

package/libx/rest/RestAdapter.js

@@ -22,14 +22,14 @@ class RestAdapter extends express.Router {
 
     alias2ref(srv)
 
-    this.use(express.json())
-
     // pass srv-reated stuff to middlewares via req
     this.use('/', (req, res, next) => {
       req._srv = srv
       next()
     })
 
+    this.use(express.json())
+
     // check @requires as soon as possible (DoS)
     this.use('/', auth)
 

package/libx/rest/middleware/content.js

@@ -3,7 +3,11 @@ const UPDATE = { PUT: 1, PATCH: 1 }
 
 module.exports = (req, res, next) => {
   if (PPP[req.method]) {
-    if (req.headers['content-type'] && req.headers['content-type'] !== 'application/json') {
+    const contentType = req.headers['content-type'] && req.headers['content-type'].split(';')
+    if (
+      contentType &&
+      (!contentType[0].match(/^application\/json$/) || (typeof contentType[1] === 'string' && !contentType[1]))
+    ) {
       throw { statusCode: 415, code: '415', message: 'INVALID_CONTENT_TYPE_ONLY_JSON' }
     }
     if (UPDATE[req.method] && Array.isArray(req.body)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "5.9.3",
+  "version": "5.9.6",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [