@sap/eslint-plugin-cds 3.1.0 → 3.1.1

package/CHANGELOG.md

@@ -6,6 +6,23 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/).
 
+## [3.1.1] - 2024-10-08
+
+### Changed
+
+- `no-db-keywords` is no longer part of the 'recommended' rules,
+  as the cds-compiler takes care of quoting SQL keywords, if they are used as identifiers. 
+
+### Fixed
+
+- `auth-restrict-grant-service` can now handle invalid values for `@restrict`
+- `auth-use-requires` now handles `null` values for `@restrict.grant.to`
+- `auth-valid-restrict-to` is now more robust against invalid properties such as `__proto__`
+  and reduces the number of false positives
+- `auth-valid-restrict-where` now handles and reports invalid value `@restrict: [{where: null}]`
+- `auth-no-empty-restrictions` now handles invalid value `@restrict: [null]`
+
+
 ## [3.1.0] - 2024-09-26
 
 ### Added

package/lib/conf/recommended.js

@@ -9,7 +9,6 @@ module.exports = {
   '@sap/cds/auth-valid-restrict-keys': 'warn',
   '@sap/cds/auth-valid-restrict-to': 'warn',
   '@sap/cds/auth-valid-restrict-where': 'warn',
-  '@sap/cds/no-db-keywords': 'warn',
   '@sap/cds/no-dollar-prefixed-names': 'warn',
   '@sap/cds/no-join-on-draft': 'warn',
   '@sap/cds/sql-cast-suggestion': 'warn',

package/lib/rules/auth-no-empty-restrictions.js

@@ -58,7 +58,9 @@ function isEmptyRestriction(obj) {
     return obj === ''
   if (Array.isArray(obj))
     return obj.length === 0 || obj.some(isEmptyRestriction)
-  if (typeof obj === 'object')
-    return isEmptyRestriction(obj.to)
+  if (typeof obj === 'object') {
+    // handle `null` as non-empty (i.e. ignore)
+    return obj && isEmptyRestriction(obj.to)
+  }
   return false
 }

package/lib/rules/auth-restrict-grant-service.js

@@ -22,29 +22,30 @@ module.exports = {
       service: checkRestrictGrant
     }
 
-    function checkRestrictGrant (d) {
-      const node = context.getNode(d)
-      const file = d.$location.file
-      if (d['@restrict']) {
-        for (const entry of d['@restrict']) {
-          if (Object.keys(entry).includes('grant')) {
-            const grantValue = entry.grant
-            const messageId = 'limitedGrant'
-            const data = { kind: d.kind, name: d.name }
-            switch (typeof grantValue) {
-            case 'string':
-              if (grantValue !== '*') {
-                context.report({ messageId, data, node, file })
-              }
-              break
-            case 'object':
-              if (grantValue.length > 1 || grantValue[0] !== '*') {
-                context.report({ messageId, data, node, file })
-              }
-              break
-            }
+    function checkRestrictGrant(def) {
+      if (!Array.isArray(def['@restrict']))
+        return
+
+      const node = context.getNode(def)
+      const file = def.$location.file
+      const data = { kind: def.kind, name: def.name }
+
+      for (const entry of def['@restrict']) {
+        if (entry?.grant !== undefined) {
+
+          if (typeof entry.grant === 'string') {
+            if (entry.grant !== '*')
+              context.report({ messageId: 'limitedGrant', data, node, file })
+
+          } else if (Array.isArray(entry.grant)) {
+            if (entry.grant.length === 0 || !entry.grant.some(val => val === '*'))
+              context.report({ messageId: 'limitedGrant', data, node, file })
+
+          } else {
+            // invalid grant value; ignored by this rule
           }
         }
+
       }
     }
   }

package/lib/rules/auth-use-requires.js

@@ -24,23 +24,25 @@ module.exports = {
     }
 
     function checkRestrict (e) {
-      if (!e?.['@restrict'] || !Array.isArray(e['@restrict']))
+      if (!Array.isArray(e?.['@restrict']))
         return
 
       for (const entry of e['@restrict']) {
         // Scenario: `@restrict: [ { to: 'Foo', grant: '*' } ]`
         // There must be no `where` condition, as otherwise it wouldn't be equivalent
-        // to `@requires`.
+        // to `@requires`.  `to` must not be `null`, as `@requires: null` is not the
+        // same as `@restrict: [{to:null}]`.
         // See https://cap.cloud.sap/docs/guides/security/authorization#supported-combinations-with-cds-resources
         // for documentation.
-        if (entry?.to !== undefined && (entry.grant === '*' || !entry.grant) && entry.where === undefined) {
+        if (entry?.to !== undefined && entry.to !== null &&
+           (entry.grant === '*' || !entry.grant) && entry.where === undefined) {
           context.report({
             messageId: 'useRequires',
             data: { kind: e.kind, name: e.name },
             node: context.getNode(e),
             file: e.$location.file
           })
-          return // max one report per annotation
+          break // max one report per annotation
         }
       }
     }

package/lib/rules/auth-valid-restrict-grant.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const { findFuzzy, isEmptyString, isEmptyObject, isStringInArray } = require('../utils/rules')
+const { findFuzzy } = require('../utils/rules')
 
 // See https://cap.cloud.sap/docs/guides/security/authorization#restrict-annotation
 // The combination of these events is equivalent to the virtual 'WRITE' event.
@@ -40,7 +40,7 @@ module.exports = {
     }
 
     function checkRestrictGrant(e) {
-      if (!e?.['@restrict'] || !Array.isArray(e['@restrict']))
+      if (!Array.isArray(e?.['@restrict']))
         return
 
       const node = context.getNode(e)

package/lib/rules/auth-valid-restrict-keys.js

@@ -24,7 +24,7 @@ module.exports = {
   },
   create (context) {
     return {
-      any: checkRestrictKeys
+      any: checkRestrictKeys,
     }
 
     function checkRestrictKeys (e) {
@@ -32,7 +32,7 @@ module.exports = {
         return
 
       for (const entry of e['@restrict']) {
-        if (typeof entry === 'object' && !isEmptyObject(entry)) {
+        if (entry && typeof entry === 'object' && !isEmptyObject(entry)) {
           for (const key of Object.keys(entry)) {
             if (VALID_RESTRICT_PROPERTIES.includes(key))
               continue

package/lib/rules/auth-valid-restrict-to.js

@@ -1,8 +1,6 @@
 'use strict'
 
-const { isEmptyString, isStringInArray, findFuzzy, isEmptyObject } = require('../utils/rules')
-
-const VALID_PSEUDO_ROLES = ['authenticated-user', 'system-user', 'any']
+const VALID_PSEUDO_ROLES = new Set(['authenticated-user', 'system-user', 'internal-user', 'any'])
 
 module.exports = {
   meta: {
@@ -14,126 +12,72 @@ module.exports = {
       url: 'https://cap.cloud.sap/docs/tools/cds-lint/meta/auth-valid-restrict-to',
     },
     messages: {
-      invalidItem: "Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?",
-      missingRole: "Missing role on '{{name}}' for `@restrict.to`.",
-      missingRoles: "Missing roles on '{{name}}' for `@restrict.to`."
+      invalidType: 'Invalid type for value of `@restrict.to`. Must either be string or array of strings.',
+      pseudoRoleTypo: "Did you mean pseudo-role '{{valid}}' instead of '{{role}}'?",
+      any: 'Role \'any\' overrides all other roles. Replace by \'any\' only.'
     },
     type: 'problem',
     model: 'inferred'
   },
   create (context) {
     return {
-      entity: checkRestrictTo
+      entity: checkRestrictTo,
+      service: checkRestrictTo,
+      action: checkRestrictTo,
+      function: checkRestrictTo,
     }
 
-    function checkRestrictTo (e) {
-      const USER_ROLES = []
-      const model = context.getModel()
-      if (!model)
+    function checkRestrictTo(def) {
+      // TODO: This check also applies to `@requires`. Test that.
+      if (!Array.isArray(def?.['@restrict']))
         return
 
-      model.foreach('entity', e => {
-        if (e['@restrict']) {
-          e['@restrict'].forEach(p => {
-            if (p.to) {
-              switch (typeof p.to) {
-              case 'string':
-                if (p.to !== p.to.toLowerCase() && !USER_ROLES.includes(p.to)) {
-                  USER_ROLES.push(p.to)
-                }
-                break
-              case 'object':
-                for (const r in p.to) {
-                  if (r !== r.toLowerCase() && !USER_ROLES.includes(r)) {
-                    USER_ROLES.push(r)
-                  }
-                }
-              }
-            }
-          })
-        }
-      })
-      const ROLES = USER_ROLES.concat(VALID_PSEUDO_ROLES)
-
-      if (e['@restrict']) {
-        const node = context.getNode(e)
-        const file = e.$location.file
+      const node = context.getNode(def)
+      const file = def.$location.file
+      def['@restrict'].forEach(checkRestrictEntry)
 
-        // TODO: For hierachies, check whether service restriction exists
-        // const { prefix } = splitDefName(e)
-        // const prefixSplit = prefix.split('.')
-        // const serviceName = prefixSplit[prefixSplit.length - 1]
-        // const services = model.services
-        // let grantAllTo;
-        // Object.values(services).map((s) => {
-        //   if (s.name === serviceName && s['@requires']) {
-        //     grantAllTo = s['@requires'];
-        //   }
-        // })
-
-        for (const entry of e['@restrict']) {
-          if (Object.keys(entry).includes('to')) {
-            const toValue = entry.to
+      function checkRestrictEntry(entry) {
+        if (entry?.to !== undefined) {
+          const roles = getUserRoles(entry)
+          if (roles.every(checkRole)) {
+            // all roles are valid
+            if (roles.length > 1 && roles.includes('any'))
+              context.report({ messageId: 'any', node, file })
+          }
+        }
+      }
 
-            switch (typeof toValue) {
-            case 'string': {
-              if (isEmptyString(toValue)) {
-                context.report({
-                  messageId: 'missingRole',
-                  data: { name: e.name },
-                  node,
-                  file,
-                })
-              } else {
-                const isPseudoRole = entry.to && entry.to === entry.to.toLowerCase()
-                if (!isStringInArray(toValue, ROLES, isPseudoRole)) {
-                  const candidates = findFuzzy(toValue, ROLES.sort())
-                  context.report({
-                    messageId: 'invalidItem',
-                    data: { invalid: toValue, candidates },
-                    node,
-                    file,
-                  })
-                }
-              }
-              break
-            }
+      function getUserRoles(entry) {
+        if (typeof entry.to === 'string') {
+          return [ entry.to ]
+        }
+        else if (Array.isArray(entry.to)) {
+          return entry.to
+        }
+        else {
+          // neither string nor array: report invalid type
+          context.report({ messageId: 'invalidType', node, file })
+          return []
+        }
+      }
 
-            case 'object':
-              if (isEmptyObject(toValue)) {
-                context.report({
-                  messageId: 'missingRoles',
-                  data: { name: e.name },
-                  node,
-                  file,
-                })
-              } else {
-                // If values contain 'any', 'any' only is enough
-                if (toValue.length > 1 && toValue.includes('any')) {
-                  context.report({
-                    messageId: 'invalidItem',
-                    data: { invalid: `[${toValue}]`, candidates: ['["any"]'] },
-                    node,
-                    file,
-                  })
-                }
-                toValue.forEach(value => {
-                  if (!ROLES.includes(value)) {
-                    const candidates = findFuzzy(value, ROLES.sort(), undefined, false, 2)
-                    if (candidates.length > 0) {
-                      context.report({
-                        messageId: 'invalidItem',
-                        data: { invalid: value, candidates },
-                        node,
-                        file,
-                      })
-                    }
-                  }
-                })
-              }
-              break
-            }
+      function checkRole(role) {
+        if (typeof role !== 'string') {
+          context.report({ messageId: 'invalidType', node, file })
+          return false
+        }
+        else if (role !== '') {
+          // empty roles handled by auth-no-empty-restrictions
+          const roleLowercase = role.toLowerCase()
+          if (roleLowercase !== role && VALID_PSEUDO_ROLES.has(roleLowercase)) {
+            context.report({
+              messageId: 'pseudoRoleTypo',
+              data: { role, valid: roleLowercase },
+              node, file,
+            })
+            return false
           }
+          return true
         }
       }
     }

package/lib/rules/auth-valid-restrict-where.js

@@ -13,7 +13,8 @@ module.exports = {
     },
     severity: 'error',
     messages: {
-      CompilationFailed: 'Invalid `where` expression, CDS compilation failed.',
+      compilationFailed: 'Invalid `where` expression, CDS compilation failed.',
+      invalidType: 'Invalid `where` type. Must be a string or expression.',
     },
     type: 'problem',
     model: 'inferred'
@@ -32,22 +33,35 @@ module.exports = {
         return
 
       for (const entry of def['@restrict']) {
-        if (entry.where) {
+        if (entry?.where !== undefined) {
           // TODO: Check return value (where xpr)
           checkAndCompileWhereExpression(entry.where)
         }
       }
 
       function checkAndCompileWhereExpression(where) {
+        if (where === null || Array.isArray(where) ||
+           (typeof where !== 'object' && typeof where !== 'string')) {
+          context.report({
+            messageId: 'invalidType',
+            node: context.getNode(def),
+            file: def.$location.file,
+          })
+          return null
+        }
+
         try {
           const compileOptions = {}
           return typeof where === 'string'
             ? cds.parse.expr(where, compileOptions)
             : where
 
-        } catch {
+        } catch(e) {
+          if (e.code !== 'ERR_CDS_COMPILATION_FAILURE')
+            throw e
+
           context.report({
-            messageId: 'CompilationFailed',
+            messageId: 'compilationFailed',
             node: context.getNode(def),
             file: def.$location.file,
           })

package/lib/rules/sql-null-comparison.js

@@ -17,7 +17,7 @@ module.exports = {
     type: 'problem',
     model: 'parsed',
     messages: {
-      nullComparison: `Comparisons against 'null' are always false. Did you mean 'is not null'?`,
+      nullComparison: `Comparisons against 'null' are always null. Did you mean 'is not null'?`,
     }
   },
   create(context) {

package/lib/utils/findFuzzy.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const cache = {}
+const cache = new Map()
 
 /**
  * Levenshtein distance algorithm using recursive calls and cache
@@ -65,9 +65,9 @@ module.exports = function findFuzzy(input, list, log = null, keepCase = false, t
 }
 
 function levDistance(a, b) {
-  if (cache[a] && cache[a][b]) {
-    return cache[a][b]
-  }
+  const cachedObj = cache.get(a)?.get(b)
+  if (cachedObj)
+    return cachedObj
 
   if (a.length === 0) {
     return addToCache(a, b, b.length)
@@ -93,7 +93,8 @@ function levDistance(a, b) {
 }
 
 function addToCache(a, b, value) {
-  cache[a] = cache[a] || {}
-  cache[a][b] = value
+  if (!cache.has(a))
+    cache.set(a, new Map())
+  cache.get(a).set(b, value)
   return value
 }

package/lib/utils/rules.js

@@ -60,7 +60,7 @@ module.exports = {
    * @param {string} value
    * @returns {boolean}
    */
-  isEmptyString: function (value) {
+  isEmptyString(value) {
     return value?.trim() === ''
   },
 
@@ -71,7 +71,7 @@ module.exports = {
       }
       return true
     }
-    if (typeof value !== 'object' || (typeof value === 'object' && !isEmpty(value)) ||
+    if (!value || typeof value !== 'object' || (typeof value === 'object' && !isEmpty(value)) ||
     (typeof value === 'object' && value && value.length > 0)) {
       return false
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/eslint-plugin-cds",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "description": "ESLint plugin including recommended SAP Cloud Application Programming model and environment rules",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [