@sap/cds 8.3.1 → 8.4.1

package/libx/_runtime/messaging/kafka.js

@@ -209,12 +209,18 @@ function _getKeyFn(topicOrEvent) {
 
 async function _getConfig(srv) {
   const caCerts = await _getCaCerts(srv)
+
+  const allBrokers =
+    srv.options.credentials.cluster?.['brokers.client_ssl'] ||
+    srv.options.credentials['cluster.public']?.['brokers.client_ssl']
+  const brokers = allBrokers.split(',')
+
   return {
     clientId: srv.appId,
     // logLevel: 4,
     connectionTimeout: 15000,
     authenticationTimeout: 15000,
-    brokers: srv.options.credentials.cluster?.['brokers.client_ssl'].split(','),
+    brokers,
     ssl: {
       rejectUnauthorized: true,
       ca: caCerts,

package/libx/_runtime/remote/utils/data.js

@@ -1,4 +1,5 @@
 const { big } = require('@sap/cds-foss')
+const cds = require('../../cds')
 
 // Code adopted from @sap/cds-odata-v2-adapter-proxy
 // https://www.w3.org/TR/xmlschema11-2/#nt-duDTFrag
@@ -68,31 +69,36 @@ const _convertValue = (ieee754Compatible, exponentialDecimals) => (value, elemen
   if (value == null) return value
 
   const type = _elementType(element)
-  if (type === 'cds.Boolean') {
-    if (value === 'true') {
-      value = true
-    } else if (value === 'false') {
-      value = false
-    }
-  } else if (type === 'cds.Integer' || type === 'cds.UInt8' || type === 'cds.Int16' || type === 'cds.Int32') {
-    value = parseInt(value, 10)
-  } else if (
-    type === 'cds.Decimal' ||
-    type === 'cds.DecimalFloat' ||
-    type === 'cds.Integer64' ||
-    type === 'cds.Int64'
-  ) {
-    const bigValue = big(value)
-    if (ieee754Compatible) {
-      // TODO test with arrayed => element.items.scale?
-      value = exponentialDecimals ? bigValue.toExponential(element.scale) : bigValue.toFixed(element.scale)
-    } else {
-      // OData V2 does not even mention ieee754Compatible, but V4 requires JSON number if ieee754Compatible=false
-      value = bigValue.toNumber()
+
+  if (cds.env.features.odata_v2_result_conversion) {
+    cds.utils.deprecated({ old: 'flag cds.env.features.odata_v2_result_conversion' })
+    if (type === 'cds.Boolean') {
+      if (value === 'true') {
+        value = true
+      } else if (value === 'false') {
+        value = false
+      }
+    } else if (type === 'cds.Integer' || type === 'cds.UInt8' || type === 'cds.Int16' || type === 'cds.Int32') {
+      value = parseInt(value, 10)
+    } else if (
+      type === 'cds.Decimal' ||
+      type === 'cds.DecimalFloat' ||
+      type === 'cds.Integer64' ||
+      type === 'cds.Int64'
+    ) {
+      const bigValue = big(value)
+      if (ieee754Compatible) {
+        // TODO test with arrayed => element.items.scale?
+        value = exponentialDecimals ? bigValue.toExponential(element.scale) : bigValue.toFixed(element.scale)
+      } else {
+        // OData V2 does not even mention ieee754Compatible, but V4 requires JSON number if ieee754Compatible=false
+        value = bigValue.toNumber()
+      }
+    } else if (type === 'cds.Double') {
+      value = parseFloat(value)
     }
-  } else if (type === 'cds.Double') {
-    value = parseFloat(value)
-  } else if (type === 'cds.Time') {
+  }
+  if (type === 'cds.Time') {
     const match = value.match(DurationRegex)
 
     if (match) {

package/libx/odata/ODataAdapter.js

@@ -73,13 +73,6 @@ class ODataAdapter extends HttpAdapter {
           if (req.method === 'POST' && req.headers['content-type']?.match(/multipart\/mixed/)) {
             return next()
           }
-          if (req.method in { POST: 1, PUT: 1, PATCH: 1 } && req.headers['content-type']) {
-            const parts = req.headers['content-type'].split(';')
-            // header ending with semicolon is not allowed
-            if (!parts[0].match(/^application\/json$/) || parts[1] === '') {
-              throw cds.error('415', { statusCode: 415, code: '415' }) // FIXME: use res.status
-            }
-          }
           // POST with empty body is allowed by actions
           if (req.method in { PUT: 1, PATCH: 1 }) {
             if (req.headers['content-length'] === '0') {
@@ -87,6 +80,18 @@ class ODataAdapter extends HttpAdapter {
               return
             }
           }
+          if (req.method in { POST: 1, PUT: 1, PATCH: 1 }) {
+            const contentType = req.headers['content-type'] ?? ''
+            let contentLength = req.headers['content-length']
+            contentLength = contentLength ? parseInt(contentLength) : 0
+
+            const parts = contentType.split(';')
+            // header ending with semicolon is not allowed
+            if ((contentLength && !parts[0].match(/^application\/json$/)) || parts[1] === '') {
+              res.status(415).json({ error: { message: 'Unsupported Media Type', statusCode: 415, code: '415' } })
+              return
+            }
+          }
 
           return jsonBodyParser(req, res, next)
         })
@@ -97,6 +102,11 @@ class ODataAdapter extends HttpAdapter {
         .head('*', (_, res) => res.sendStatus(405))
         .post('*', operation4(this), create4(this))
         .get('*', operation4(this), stream4(this), read4(this))
+        .use('*', (req, res, next) => {
+          // operations must have been handled above (POST or GET)
+          const { operation } = req._query.SELECT?.from.ref?.slice(-1)[0] || {}
+          next(operation ? { code: 405 } : undefined)
+        })
         .put('*', update4(this), create4(this, 'upsert'))
         .patch('*', update4(this), create4(this, 'upsert'))
         .delete('*', delete4(this))

package/libx/odata/middleware/batch.js

@@ -342,6 +342,8 @@ const _processBatch = async (srv, router, req, res, next, body, ct, boundary) =>
           : {}
       }
 
+      request.headers['content-type'] ??= req.headers['content-type']
+
       const { atomicityGroup } = request
 
       if (!atomicityGroup || atomicityGroup !== previousAtomicityGroup) {
@@ -459,12 +461,13 @@ const _processBatch = async (srv, router, req, res, next, body, ct, boundary) =>
 
 const _multipartBatch = async (srv, router, req, res, next) => {
   const boundary = getBoundary(req)
-  if (!boundary) return next(cds.error('No boundary found in Content-Type header', { code: 400 }))
+  if (!boundary) return next(new cds.error('No boundary found in Content-Type header', { code: 400 }))
 
   try {
     const { requests } = await multipartToJson(req.body, boundary)
     _processBatch(srv, router, req, res, next, { requests }, 'MULTIPART', boundary)
   } catch (e) {
+    // REVISIT: (how) handle multipart accepts?
     next(e)
   }
 }

package/libx/odata/middleware/error.js

@@ -3,11 +3,17 @@ const cds = require('../../../lib')
 const _log = require('../../_runtime/common/error/log')
 
 const { normalizeError, unwrapMultipleErrors } = require('../../_runtime/common/error/frontend')
+const { isStandardError } = require('../../_runtime/common/error/standardError')
 
 module.exports = () => {
   return function odata_error(err, req, res, next) {
     if (err == 401 || err.code == 401) return next(err) // speed up logins, at least temporary until we reviewed and eliminated overhead that may be involved below
 
+    // if error already has statusCode, it comes from express, don't throw
+    if (!err.statusCode && isStandardError(err) && cds.env.server.shutdown_on_uncaught_errors) {
+      return next(err)
+    }
+
     // REVISIT: keep?
     // log the error (4xx -> warn)
     _log(err)

package/libx/odata/middleware/operation.js

@@ -70,6 +70,14 @@ module.exports = adapter => {
       params = keysAndParams.params
     }
 
+    // validate method
+    if (
+      (operation.kind === 'action' && req.method !== 'POST') ||
+      (operation.kind === 'function' && req.method !== 'GET')
+    ) {
+      return next({ code: 405 })
+    }
+
     // payload & params
     const data = args || req.body
 

package/libx/odata/parse/afterburner.js

@@ -504,13 +504,12 @@ function _addKeys(columns, target) {
 function _removeDuplicateAsterisk(columns) {
   let hasExpandStar = false
 
-  for (let i = columns.length - 1; i > 0; i--) {
-    const column = columns[i]
-    if (!hasExpandStar && !column.ref && column?.expand?.[0] === '*') hasExpandStar = true
-    else if (hasExpandStar && !column.ref && column?.expand[0] === '*') {
-      columns.splice(i, 1)
+  columns.forEach((column, i) => {
+    if (!column.ref && column.expand?.[0] === '*') {
+      if (hasExpandStar) columns.splice(i, 1)
+      hasExpandStar = true
     }
-  }
+  })
 }
 
 const _structProperty = (ref, target) => {

package/libx/odata/parse/grammar.peggy

@@ -255,6 +255,7 @@
         // remove the prefix identifier
         if (e.ref && e.ref[0] === prefix) e.ref.shift()
         if (e.func) _removeLambdaPrefix(prefix, e.args)
+        if (e.xpr) _removeLambdaPrefix(prefix, e.xpr)
       }
       return elements
     }
@@ -551,7 +552,7 @@
 
   inner_lambda =
     p:( n:NOT? { return n ? [n] : [] } )(
-      OPEN xpr:inner_lambda CLOSE { p.push('(', ...xpr, ')') }
+      OPEN xpr:inner_lambda CLOSE { p.push({xpr}) }
       / comp:comparison { p.push(...comp) }
       / func:function { p.push(func) }
       / lambda:lambda { p.push(...lambda)}
@@ -561,9 +562,7 @@
     { return p }
 
   lambda_clause =
-    prefix:identifier ":" inner:inner_lambda {
-      return _removeLambdaPrefix(prefix, inner)
-    }
+    prefix:identifier ":" inner:inner_lambda { return _removeLambdaPrefix(prefix, inner) }
 
   any =
    "any" OPEN p:lambda_clause? CLOSE { return p }

package/libx/odata/parse/multipartToJson.js

@@ -1,11 +1,38 @@
+const cds = require('../../../')
+const LOG = cds.log('odata')
+
 const { parsers, freeParser, HTTPParser } = require('_http_common')
 const { PassThrough, Readable } = require('stream')
 const streamConsumers = require('stream/consumers')
+
 const { getBoundary } = require('../utils')
 
 const CRLF = '\r\n'
 
-const parseStream = async function* (body, boundary) {
+let MAX_BATCH_HEADER_SIZE
+
+const _normalizeSize = size => {
+  const match = size.match(/^([0-9]+)([\w ]+)$/i)
+  if (!match) return
+  let [, val, unit] = match
+  unit = unit.toLowerCase().trim()
+  switch (unit) {
+    case 'b':
+      return val
+    case 'kb':
+      return val * 1000
+    case 'kib':
+      return val * 1024
+    case 'mb':
+      return val * 1000 * 1000
+    case 'mib':
+      return val * 1024 * 1024
+    default:
+      return
+  }
+}
+
+const _parseStream = async function* (body, boundary) {
   const parser = parsers.alloc()
 
   try {
@@ -42,16 +69,17 @@ const parseStream = async function* (body, boundary) {
         body: streamConsumers.json(wrapper).catch(() => {})
       }
 
-      const dependencies = [...req.url.matchAll(/\$(\d+)/g)]
+      const dependencies = [...req.url.matchAll(/^\/?\$([\d.\-_~a-zA-Z]+)/g)]
       if (dependencies.length) {
         request.dependsOn = []
         for (const dependency of dependencies) {
-          const index = Number.parseInt(dependency[1], 10)
-          if (Number.isNaN(index)) continue
-          const i = requests.findIndex(r => r.content_id == index) //> prefer content-id
-          const id = requests[i > -1 ? i : index - 1].id
-          request.dependsOn.push(id)
-          request.url = request.url.replace(`$${index}`, `$${id}`)
+          const dependencyId = dependency[1]
+          const dependsOnRequest = requests.findLast(r => r.content_id == dependencyId) //> prefer content-id
+          if (!dependsOnRequest) {
+            continue
+          }
+          request.dependsOn.push(dependsOnRequest.id)
+          request.url = request.url.replace(`$${dependencyId}`, `$${dependsOnRequest.id}`)
         }
         if (request.url[1] === '$') request.url = request.url.slice(1)
       }
@@ -62,7 +90,24 @@ const parseStream = async function* (body, boundary) {
       requests.push(request)
     }
 
-    parser.initialize(HTTPParser.REQUEST, { type: 'HTTPINCOMINGMESSAGE' })
+    if (MAX_BATCH_HEADER_SIZE == null) {
+      MAX_BATCH_HEADER_SIZE = cds.env.odata.max_batch_header_size
+      if (typeof MAX_BATCH_HEADER_SIZE === 'string') {
+        // eslint-disable-next-line no-extra-boolean-cast
+        MAX_BATCH_HEADER_SIZE = !!Number(MAX_BATCH_HEADER_SIZE)
+          ? Number(MAX_BATCH_HEADER_SIZE)
+          : _normalizeSize(MAX_BATCH_HEADER_SIZE)
+      }
+      if (typeof MAX_BATCH_HEADER_SIZE !== 'number') {
+        LOG._warn &&
+          LOG.warn(
+            `Invalid value "${cds.env.odata.max_batch_header_size}" for configuration 'cds.odata.max_batch_header_size'. Using default value of 64 KiB.`
+          )
+        MAX_BATCH_HEADER_SIZE = 64 * 1024
+      }
+    }
+
+    parser.initialize(HTTPParser.REQUEST, { type: 'HTTPINCOMINGMESSAGE' }, MAX_BATCH_HEADER_SIZE)
 
     if (typeof body === 'string') body = [body]
 
@@ -153,9 +198,14 @@ module.exports = async (body, boundary) => {
 
   // This logic would ultimately be inside the json batch processor
   // for await supports both async iterator and normal iterators (e.g. any Array)
-  for await (const request of Readable.from(parseStream(body, boundary))) {
+  for await (const request of Readable.from(_parseStream(body, boundary))) {
     ret.requests.push(request)
   }
 
   return ret
 }
+
+module.exports._normalizeSize = _normalizeSize
+module.exports._clearMaxBatchHeaderSize = () => {
+  MAX_BATCH_HEADER_SIZE = null
+}