@sap/cds 8.8.0 → 8.8.1

package/CHANGELOG.md

@@ -4,6 +4,23 @@
 - The format is based on [Keep a Changelog](https://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](https://semver.org/).
 
+## Version 8.8.1 - 2025-03-07
+
+### Fixed
+
+- Requests violating `cds.odata.max_batch_header_size` are terminated with `431 Request Header Fields Too Large` instead of `400 - Bad Request`
+- `cds.parse.<x>` writing directly to `stdout`
+- Instance-based authorization for programmatic action invocations
+- Implicit function parameter calls with Array or Object values
+- OData: Throw an error by `POST` with payload that contains array of entity representation
+- `cds.validate` filters out annotations according to OData V4 spec
+- Crash for requests with invalid time data format
+- Add missing 'and' between conditions in object notation of QL
+- Multiline payloads in `$batch` sub requests
+- Instance-based authorization for modeling like `$user.<property> is null`
+- Respect `cds.odata.contextAbsoluteUrl` in new OData adapter 
+- `cds.odata.context_with_columns` also applies to singletons
+
 ## Version 8.8.0 - 2025-03-03
 
 ### Added

package/lib/compile/parse.js

@@ -29,7 +29,7 @@ exports.path = function path (x,...etc) {
   const [,head,tail] = /^([\w._]+)(?::(\w+))?$/.exec(x)||[]
   if (tail) return {ref:[head,...tail.split('.')]}
   if (head) return {ref:[head]}
-  const {SELECT} = cdsc.parse.cql('SELECT from '+x)
+  const {SELECT} = cdsc.parse.cql('SELECT from '+x, undefined, { messages: [] })
   return SELECT.from
 }
 

package/lib/ql/cds.ql-predicates.js

@@ -48,6 +48,8 @@ function _qbe (o, xpr=[]) {
   let count = 0
   for (let k in o) { const x = o[k]
 
+    if (k !== 'and' && k !== 'or' && count++) xpr.push('and')      //> add 'and' between conditions
+
     if (k.startsWith('not ')) { xpr.push('not'); k = k.slice(4) }
     switch (k) { // handle special cases like {and:{...}} or {or:{...}}
       case 'between':
@@ -83,7 +85,6 @@ function _qbe (o, xpr=[]) {
     }
 
     const a = cds.parse.ref(k)            //> turn key into a ref for the left side of the expression
-    if (count++) xpr.push('and')      //> add 'and' between conditions
     if (!x || typeof x !== 'object')  xpr.push (a,'=',{val:x})
     else if (is_array(x))             xpr.push (a,'in',{list:x.map(_val)})
     else if (x.SELECT || x.list)      xpr.push (a,'in',x)

package/lib/req/validate.js

@@ -48,7 +48,7 @@ class Validation {
   }
 
   unknown(e,d,input) {
-    if (e.startsWith('@')) return delete input[e] //> skip all annotations, like @odata.Type
+    if (e.match(/@.*\./)) return delete input[e] //> skip all annotations, like @odata.Type (according to OData spec annotations contain an "@" and a ".")
     d['@open'] || cds.error (`Property "${e}" does not exist in ${d.name}`, {status:400})
   }
 }

package/libx/_runtime/common/generic/auth/restrict.js

@@ -296,7 +296,7 @@ const isBoundToCollection = action =>
 const restrictBoundActionFunctions = async (req, resolvedApplicables, definition, srv) => {
   if (req.target?.actions?.[req.event] && !isBoundToCollection(req.target.actions[req.event])) {
     // Clone to avoid target modification, which would cause a different query
-    const query = cds.ql.clone(req.query) ?? SELECT.from(req.subject)
+    const query = req.query ? cds.ql.clone(req.query) : SELECT.one.from(req.subject)
     _addRestrictionsToRead({ query: query, target: req.target }, cds.model, resolvedApplicables)
     const result = await (cds.env.features.compat_restrict_bound ? srv : cds.tx(req)).run(query)
     if (!result || result.length === 0) {

package/libx/_runtime/common/generic/auth/utils.js

@@ -126,7 +126,8 @@ const resolveUserAttrs = (where, req) => {
             } else if (where[i + 2] && operators.has(where[i + 1])) {
               where.splice(i, 3, { val: '1' }, '=', { val: '2' })
             } else if (where[i + 1] === 'is') {
-              where.splice(i, where[i + 2] === 'not' ? 4 : 3, { val: '1' }, '=', { val: '2' })
+              val = null
+              break
             }
           } else val = val?.[attr]
         }

package/libx/odata/middleware/create.js

@@ -33,6 +33,10 @@ module.exports = (adapter, isUpsert) => {
 
     // payload & params
     const data = req.body
+    if (Array.isArray(data)) {
+      const msg = 'Only single entity representations are allowed'
+      throw Object.assign(new Error(msg), { statusCode: 400 })
+    }
     normalizeTimeData(data, model, target)
     const { keys, params } = getKeysAndParamsFromPath(from, { model })
     // add keys from url into payload (overwriting if already present)

package/libx/odata/parse/afterburner.js

@@ -415,6 +415,7 @@ function _processSegments(from, model, namespace, cqn, protocol) {
                   if (current.params && param in current.params) acc[param] = from._params[cur]
                   return acc
                 }, {})
+            ref[i].args = _getDataFromParams(ref[i].args, current) //resolve parameter if Object or Array
             _resolveImplicitFunctionParameters(ref[i].args)
           }
         }

package/libx/odata/parse/multipartToJson.js

@@ -116,28 +116,35 @@ const _parseStream = async function* (body, boundary) {
         .toString()
         .replace(/^--(.*)$/gm, (_, g) => `HEAD /${g} HTTP/1.1${g.slice(-2) === '--' ? CRLF : ''}`)
         // correct content-length for non-HEAD requests is inserted below
-        .replace(/content-length: \d+\r\n/gim, '')
+        .replace(/content-length: \d+\r\n/gim, '') // if content-length is given it should be taken
         .replace(/ \$/g, ' /$')
 
       // HACKS!!!
       // ensure URLs start with slashes
       changed = changed.replaceAll(/\r\n(GET|PUT|POST|PATCH|DELETE) (\w)/g, `\r\n$1 /$2`)
       // add content-length headers
-      let lastIndex = 0
-      changed = changed.replaceAll(/(\r\n){2,}(.+)[\r\n]+HEAD/g, (match, _, p1, index, original) => {
-        const part = original.substring(lastIndex, index)
-        lastIndex = index
-        return part.match(/(PUT|POST|PATCH)\s\//g) && !part.match(/content-length/i) && !p1.startsWith('HEAD /')
-          ? `${CRLF}content-length: ${Buffer.byteLength(p1)}${match}`
-          : match
-      })
+      changed = changed
+        .split(CRLF + CRLF)
+        .map((line, i, arr) => {
+          if (/^(PUT|POST|PATCH) /.test(line) && !/content-length/i.test(line)) {
+            const body = arr[i + 1].split('\r\nHEAD')[0]
+            if (body) return `${line}${CRLF}content-length: ${Buffer.byteLength(body)}`
+          }
+          return line
+        })
+        .join(CRLF + CRLF)
       // remove strange "Group ID" appendix
       changed = changed.split(`${CRLF}Group ID`)[0] + CRLF
 
       let ret = parser.execute(Buffer.from(changed))
 
       if (typeof ret !== 'number') {
-        if (ret.message === 'Parse Error') {
+        if (ret.code === 'HPE_HEADER_OVERFLOW') {
+          // same error conversion as node http server
+          ret.status = 431
+          ret.code = '431'
+          ret.message = 'Request Header Fields Too Large'
+        } else if (ret.message === 'Parse Error') {
           ret.statusCode = 400
           ret.message = `Error while parsing batch body at position ${ret.bytesParsed}: ${ret.reason}`
         }

package/libx/odata/utils/metadata.js

@@ -1,7 +1,28 @@
-const { cds2edm } = require('./index')
 const cds = require('../../../lib')
+const LOG = cds.log('odata')
+const { appURL } = require('../../_runtime/common/utils/vcap')
+const { cds2edm } = require('./index')
 const { where2obj } = require('../../_runtime/common/utils/cqn')
 
+const _getContextAbsoluteUrl = _req => {
+  const { contextAbsoluteUrl } = cds.env.odata
+  if (!contextAbsoluteUrl) return ''
+
+  if (typeof contextAbsoluteUrl === 'string') {
+    try {
+      const userDefinedURL = new URL(contextAbsoluteUrl, contextAbsoluteUrl).toString()
+      return (!userDefinedURL.endsWith('/') && `${userDefinedURL}/`) || userDefinedURL
+    } catch (e) {
+      e.message = `cds.odata.contextAbsoluteUrl could not be parsed as URL: ${contextAbsoluteUrl}`
+      LOG._warn && LOG.warn(e)
+    }
+  }
+  const reqURL = _req && _req.get && _req.get('host') && `${_req.protocol || 'https'}://${_req.get('host')}`
+  const baseAppURL = appURL || reqURL || ''
+  const serviceUrl = `${(_req && _req.baseUrl) || ''}/`
+  return baseAppURL && new URL(serviceUrl, baseAppURL).toString()
+}
+
 const _isNavToDraftAdmin = path => path.length > 1 && path[path.length - 1] === 'DraftAdministrativeData'
 
 const _lastValidRef = ref => {
@@ -14,7 +35,9 @@ const _lastValidRef = ref => {
 const _toBinaryKeyValue = value => `binary'${value.toString('base64')}'`
 
 const _odataContext = (query, options) => {
-  let path = '$metadata'
+  const { contextAbsoluteUrl, context_with_columns } = cds.env.odata
+
+  let path = _getContextAbsoluteUrl(query._req) + '$metadata'
   if (query._target.kind === 'service') return path
 
   const {
@@ -45,14 +68,14 @@ const _odataContext = (query, options) => {
   if (serviceName && !isType) edmName = edmName.replace(serviceName + '.', '').replace(/\./g, '_')
 
   // prepend "../" parent segments for relative path
-  if (ref.length > 1) path = '../'.repeat(ref.length - 1) + path
+  if (!contextAbsoluteUrl && ref.length > 1) path = '../'.repeat(ref.length - 1) + path
 
   path += edmName
 
   const lastRef = ref.at(-1)
 
   if (propertyAccess || isNavToDraftAdmin) {
-    if (propertyAccess) path = '../' + path
+    if (!contextAbsoluteUrl && propertyAccess) path = '../' + path
 
     const keyValuePairs = []
 
@@ -92,7 +115,7 @@ const _odataContext = (query, options) => {
     if (propertyAccess) path += '/' + propertyAccess
   }
 
-  if (cds.env.odata.context_with_columns && query.SELECT && !isSingleton && !propertyAccess) {
+  if (context_with_columns && query.SELECT && !propertyAccess) {
     const _calculateStringFromColumn = column => {
       if (column === '*') return
 

package/libx/odata/utils/normalizeTimeData.js

@@ -7,14 +7,17 @@ const _processorFn = elementInfo => {
   for (const category of plain.categories) {
     const { row, key } = elementInfo
     if (!(row[key] == null) && row[key] !== '$now') {
-      switch (category) {
-        case 'cds.DateTime':
-          row[key] = new Date(row[key]).toISOString().replace(/\.\d\d\d/, '')
-          break
-        case 'cds.Timestamp':
-          row[key] = normalizeTimestamp(row[key])
-          break
-        // no default
+      const dt = typeof row[key] === 'string' && new Date(row[key])
+      if (!isNaN(dt)) {
+        switch (category) {
+          case 'cds.DateTime':
+            row[key] = new Date(row[key]).toISOString().replace(/\.\d\d\d/, '')
+            break
+          case 'cds.Timestamp':
+            row[key] = normalizeTimestamp(row[key])
+            break
+          // no default
+        }
       }
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "8.8.0",
+  "version": "8.8.1",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [