bunsane 0.2.10 → 0.3.0

package/query/Query.ts

@@ -12,6 +12,7 @@ import { getMetadataStorage } from "../core/metadata";
 import { shouldUseDirectPartition } from "../core/Config";
 import type { SQL } from "bun";
 import type { ComponentConstructor, TypedEntity, ComponentRecord } from "../types/query.types";
+import { assertComponentTableName, assertFieldPath } from "./SqlIdentifier";
 
 export type FilterOperator = "=" | ">" | "<" | ">=" | "<=" | "!=" | "LIKE" | "ILIKE" | "IN" | "NOT IN" | string;
 
@@ -338,7 +339,13 @@ class Query<TComponents extends readonly ComponentConstructor[] = []> {
             throw new Error(`Component ${component.name} not registered`);
         }
 
-        const tableName = ComponentRegistry.getPartitionTableName(typeId);
+        // Validate the resolved partition table name against the component
+        // table allow-list before passing to pg_class lookup. Although
+        // `relname` here is a bound parameter ($1) and cannot inject SQL
+        // directly, we still reject unexpected names so a registry
+        // poisoning bug cannot query arbitrary tables.
+        const rawTableName = ComponentRegistry.getPartitionTableName(typeId);
+        const tableName = rawTableName ? assertComponentTableName(rawTableName, 'estimatedCount.tableName') : null;
         const dbConn = this.getDb();
 
         // Use PostgreSQL's statistics for fast count estimate
@@ -557,10 +564,17 @@ class Query<TComponents extends readonly ComponentConstructor[] = []> {
         // Execute the DAG to get the base query
         const result = dag.execute(this.context);
 
-        // Determine the component table name
-        const componentTableName = shouldUseDirectPartition()
+        // Determine the component table name. Validate against allow-list so
+        // a poisoned registry cannot inject SQL through the embedded name.
+        const rawComponentTableName = shouldUseDirectPartition()
             ? (ComponentRegistry.getPartitionTableName(typeId) || 'components')
             : 'components';
+        const componentTableName = assertComponentTableName(rawComponentTableName, 'doAggregate.componentTableName');
+
+        // Validate the field path — each dotted segment must be a safe
+        // identifier. Without this, a caller-supplied field with quote or
+        // `->` metacharacters would corrupt the JSON path expression (C08).
+        assertFieldPath(field, 'doAggregate.field');
 
         // Build the JSON path for the field
         let jsonPath: string;
@@ -641,6 +655,19 @@ AND c.deleted_at IS NULL`;
      */
     @timed("Query.exec")
     public async exec(): Promise<TypedEntity<TComponents>[]> {
+        // Apply default LIMIT so unbounded queries cannot load entire tables
+        // into memory. Configurable via BUNSANE_DEFAULT_QUERY_LIMIT, 0 to
+        // disable. When the default is applied without an explicit .take(),
+        // warn once at execution so developers notice runaway queries
+        // (H-QUERY-1).
+        if (this.context.limit === null || this.context.limit === undefined) {
+            const envLimit = parseInt(process.env.BUNSANE_DEFAULT_QUERY_LIMIT ?? '10000', 10);
+            if (envLimit > 0) {
+                this.context.limit = envLimit;
+                logger.warn({ scope: 'Query.exec', defaultLimit: envLimit }, 'Query executed without explicit .take() — applying framework default LIMIT. Call .take(N) to suppress this warning.');
+            }
+        }
+
         return new Promise<TypedEntity<TComponents>[]>((resolve, reject) => {
             // Add timeout to prevent hanging queries
             const timeout = setTimeout(() => {

package/query/SqlIdentifier.ts

@@ -0,0 +1,105 @@
+/**
+ * SQL identifier sanitization helpers.
+ *
+ * These helpers prevent SQL injection when interpolating caller-supplied or
+ * metadata-derived strings into SQL via `db.unsafe(...)` or template literals.
+ * Parameter binding (`$1`, `$2`) is always preferred for values, but column
+ * names, table names, ORDER BY fields, and JSON path segments cannot be
+ * parameterized — they are sanitized against a strict allow-list instead.
+ *
+ * Ticket C08.
+ */
+
+/** Matches a safe identifier: letter/underscore followed by letters/digits/underscores. */
+const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+
+/** Matches a safe component table name: `components` or `components_<ident>`. */
+const COMPONENT_TABLE_RE = /^components(?:_[a-z0-9_]+)?$/;
+
+/**
+ * PostgreSQL text-search languages supported by `to_tsvector(config, ...)`.
+ * Extend as needed for deployments with additional dictionaries installed.
+ */
+const ALLOWED_TS_LANGUAGES = new Set<string>([
+    'simple',
+    'english',
+    'french',
+    'german',
+    'spanish',
+    'italian',
+    'portuguese',
+    'dutch',
+    'russian',
+    'swedish',
+    'norwegian',
+    'danish',
+    'finnish',
+    'turkish',
+    'hungarian',
+    'arabic',
+    'indonesian',
+    'irish',
+    'lithuanian',
+    'nepali',
+    'romanian',
+    'tamil',
+    'yiddish',
+]);
+
+/**
+ * Assert a string is a safe SQL identifier (column name, alias). Throws
+ * `InvalidIdentifierError` if not.
+ */
+export function assertIdentifier(value: unknown, context: string): string {
+    if (typeof value !== 'string' || !IDENT_RE.test(value)) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    return value;
+}
+
+/**
+ * Assert a string is a safe component table name (e.g. `components`,
+ * `components_user`). Throws if not.
+ */
+export function assertComponentTableName(value: unknown, context: string): string {
+    if (typeof value !== 'string' || !COMPONENT_TABLE_RE.test(value)) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    return value;
+}
+
+/**
+ * Assert a dotted JSON field path is safe. Each segment must be a valid
+ * identifier. Empty paths / empty segments are rejected.
+ */
+export function assertFieldPath(value: unknown, context: string): string {
+    if (typeof value !== 'string' || value.length === 0) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    const parts = value.split('.');
+    for (const p of parts) {
+        if (!IDENT_RE.test(p)) {
+            throw new InvalidIdentifierError(context, value);
+        }
+    }
+    return value;
+}
+
+/**
+ * Assert a text-search language is in the allow-list. Defaults to `simple`
+ * when undefined (behavior preserved from the prior implementation).
+ */
+export function assertTsLanguage(value: unknown, context: string = 'tsLanguage'): string {
+    if (value === undefined || value === null) return 'simple';
+    if (typeof value !== 'string' || !ALLOWED_TS_LANGUAGES.has(value.toLowerCase())) {
+        throw new InvalidIdentifierError(context, String(value));
+    }
+    return value.toLowerCase();
+}
+
+export class InvalidIdentifierError extends Error {
+    constructor(context: string, value: string) {
+        super(`Invalid SQL identifier in ${context}: ${JSON.stringify(value)}`);
+        this.name = 'InvalidIdentifierError';
+    }
+}

package/query/builders/FullTextSearchBuilder.ts

@@ -8,6 +8,7 @@
 import type { FilterBuilder, FilterBuilderOptions } from "../FilterBuilder";
 import type { QueryFilter } from "../QueryContext";
 import type { QueryContext } from "../QueryContext";
+import { assertTsLanguage, assertFieldPath } from "../SqlIdentifier";
 
 /**
  * Full-text search filter value interface
@@ -68,12 +69,16 @@ export const fullTextSearchBuilder: FilterBuilder = (
     const value = filter.value as FullTextFilterValue;
     const { query, language = 'english', type = 'plain' } = value;
 
+    // Validate identifiers (C08).
+    const safeLanguage = assertTsLanguage(language, 'fullTextSearchBuilder.language');
+    assertFieldPath(filter.field, 'fullTextSearchBuilder.field');
+
     // Build the text search vector from the specified field
     const fieldPath = filter.field.includes('.')
         ? filter.field.split('.').map(p => `'${p}'`).join('->')
         : `'${filter.field}'`;
 
-    const vectorSql = `to_tsvector('${language}', ${alias}.data->${fieldPath})`;
+    const vectorSql = `to_tsvector('${safeLanguage}', ${alias}.data->${fieldPath})`;
 
     // Choose the appropriate query function based on type
     let queryFunction: string;
@@ -93,7 +98,7 @@ export const fullTextSearchBuilder: FilterBuilder = (
             break;
     }
 
-    const querySql = `${queryFunction}('${language}', $${context.addParam(query)})`;
+    const querySql = `${queryFunction}('${safeLanguage}', $${context.addParam(query)})`;
 
     return {
         sql: `${vectorSql} @@ ${querySql}`,
@@ -120,12 +125,16 @@ export const fullTextSearchWithRankBuilder: FilterBuilder = (
     const value = filter.value as FullTextFilterValue;
     const { query, language = 'english', type = 'plain' } = value;
 
+    // Validate identifiers (C08).
+    const safeLanguage = assertTsLanguage(language, 'fullTextSearchWithRankBuilder.language');
+    assertFieldPath(filter.field, 'fullTextSearchWithRankBuilder.field');
+
     // Build the text search vector from the specified field
     const fieldPath = filter.field.includes('.')
         ? filter.field.split('.').map(p => `'${p}'`).join('->')
         : `'${filter.field}'`;
 
-    const vectorSql = `to_tsvector('${language}', ${alias}.data->${fieldPath})`;
+    const vectorSql = `to_tsvector('${safeLanguage}', ${alias}.data->${fieldPath})`;
 
     // Choose the appropriate query function based on type
     let queryFunction: string;
@@ -145,7 +154,7 @@ export const fullTextSearchWithRankBuilder: FilterBuilder = (
             break;
     }
 
-    const querySql = `${queryFunction}('${language}', $${context.addParam(query)})`;
+    const querySql = `${queryFunction}('${safeLanguage}', $${context.addParam(query)})`;
 
     // Include ranking in the condition (can be used for ordering)
     const rankSql = `ts_rank(${vectorSql}, ${querySql})`;
@@ -187,16 +196,20 @@ export function createFullTextSearchBuilder(
     language: string = 'english',
     searchType: 'plain' | 'phrase' | 'web' | 'tsquery' = 'plain'
 ): { builder: FilterBuilder; options: FilterBuilderOptions } {
+    // Validate the language at factory-construction time so callers get an
+    // immediate error on invalid input rather than a runtime SQL error.
+    const safeLanguage = assertTsLanguage(language, 'createFullTextSearchBuilder.language');
     const builder: FilterBuilder = (filter: QueryFilter, alias: string, context: QueryContext) => {
         const value = filter.value as FullTextFilterValue;
         const query = value.query;
+        assertFieldPath(filter.field, 'createFullTextSearchBuilder.field');
 
         // Build the text search vector from the specified field
         const fieldPath = filter.field.includes('.')
             ? filter.field.split('.').map(p => `'${p}'`).join('->')
             : `'${filter.field}'`;
 
-        const vectorSql = `to_tsvector('${language}', ${alias}.data->${fieldPath})`;
+        const vectorSql = `to_tsvector('${safeLanguage}', ${alias}.data->${fieldPath})`;
 
         // Choose the appropriate query function based on type
         let queryFunction: string;
@@ -216,7 +229,7 @@ export function createFullTextSearchBuilder(
                 break;
         }
 
-        const querySql = `${queryFunction}('${language}', $${context.addParam(query)})`;
+        const querySql = `${queryFunction}('${safeLanguage}', $${context.addParam(query)})`;
 
         return {
             sql: `${vectorSql} @@ ${querySql}`,

package/service/ServiceRegistry.ts

@@ -1,5 +1,5 @@
 import type BaseService from "./Service";
-import ApplicationLifecycle, {ApplicationPhase} from "../core/ApplicationLifecycle";
+import ApplicationLifecycle, {ApplicationPhase, type PhaseChangeEvent} from "../core/ApplicationLifecycle";
 import { generateGraphQLSchemaV2 } from "../gql";
 import { GraphQLSchema } from "graphql";
 
@@ -8,28 +8,41 @@ class ServiceRegistry {
 
     private services: Map<string, BaseService> = new Map();
     private schema: GraphQLSchema | null = null;
+    private phaseListener: ((event: PhaseChangeEvent) => void) | null = null;
 
 
     constructor() {
-        
+
     }
 
     public init() {
-        ApplicationLifecycle.addPhaseListener((event) => {
+        // Remove previous listener if re-init (tests) to prevent listener stacking.
+        if (this.phaseListener) {
+            ApplicationLifecycle.removePhaseListener(this.phaseListener);
+        }
+        this.phaseListener = (event: PhaseChangeEvent) => {
             switch(event.detail) {
                 case ApplicationPhase.SYSTEM_REGISTERING: {
                     const servicesArray = Array.from(this.services.values());
-                    
-                    const result = generateGraphQLSchemaV2(servicesArray, { 
-                        enableArchetypeOperations: false 
+
+                    const result = generateGraphQLSchemaV2(servicesArray, {
+                        enableArchetypeOperations: false
                     });
-                    
+
                     this.schema = result.schema;
                     ApplicationLifecycle.setPhase(ApplicationPhase.SYSTEM_READY);
                     break;
                 };
             }
-        });
+        };
+        ApplicationLifecycle.addPhaseListener(this.phaseListener);
+    }
+
+    public dispose(): void {
+        if (this.phaseListener) {
+            ApplicationLifecycle.removePhaseListener(this.phaseListener);
+            this.phaseListener = null;
+        }
     }
 
 

package/storage/LocalStorageProvider.ts

@@ -1,4 +1,6 @@
 import fs from "fs";
+import { pipeline } from "stream/promises";
+import { Readable } from "stream";
 import path from "path";
 import { StorageProvider } from "./StorageProvider";
 import type { UploadConfiguration, StorageResult, FileMetadata } from "../types/upload.types";
@@ -51,9 +53,16 @@ export class LocalStorageProvider extends StorageProvider {
                 fs.mkdirSync(uploadDir, { recursive: true });
             }
 
-            // Write file to disk
-            const buffer = Buffer.from(await file.arrayBuffer());
-            fs.writeFileSync(fullPath, buffer);
+            // Stream File → disk to avoid full in-memory buffering of large uploads.
+            const writeStream = fs.createWriteStream(fullPath);
+            try {
+                const webStream = file.stream() as ReadableStream<Uint8Array>;
+                const nodeStream = Readable.fromWeb(webStream as any);
+                await pipeline(nodeStream, writeStream);
+            } catch (streamError) {
+                try { fs.unlinkSync(fullPath); } catch { /* best-effort cleanup */ }
+                throw streamError;
+            }
 
             // Generate URL
             const url = this.buildUrl(relativePath);

package/storage/S3StorageProvider.ts

@@ -213,11 +213,11 @@ export class S3StorageProvider extends StorageProvider {
         const destKey = this.resolveKey(destinationPath);
 
         try {
-            const [data, stat] = await Promise.all([
-                this.client.file(sourceKey).arrayBuffer(),
-                this.client.stat(sourceKey),
-            ]);
-            await this.client.write(destKey, data, {
+            const stat = await this.client.stat(sourceKey);
+            const sourceFile = this.client.file(sourceKey);
+            // Pass the S3File directly so Bun streams bytes rather than loading
+            // the entire object into memory (previously `arrayBuffer()`).
+            await this.client.write(destKey, sourceFile, {
                 type: stat.type,
                 acl: this.acl,
             });
@@ -226,7 +226,7 @@ export class S3StorageProvider extends StorageProvider {
         } catch (error) {
             const msg =
                 error instanceof Error ? error.message : "Unknown error";
-            logger.error({ sourceKey, destKey }, "Failed to copy file");
+            logger.error({ sourceKey, destKey, err: msg }, "Failed to copy file");
             return false;
         }
     }

package/tests/e2e/http.test.ts

@@ -76,8 +76,12 @@ describe("E2E HTTP Routes", () => {
 
     it("OPTIONS /health returns 204 when CORS configured", async () => {
         app.setCors({ origin: "*" });
-        // Re-compose middleware chain not needed — CORS headers are added per-request in handleRequest
-        const res = await fetch(`${BASE}/health`, { method: "OPTIONS" });
+        // Preflight must carry Origin header per CORS spec; otherwise the
+        // server emits no Access-Control-Allow-Origin (no `|| '*'` fallback).
+        const res = await fetch(`${BASE}/health`, {
+            method: "OPTIONS",
+            headers: { Origin: "https://client.example" },
+        });
         expect(res.status).toBe(204);
         expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
     });

package/tests/integration/entity/Entity.saveTimeout.test.ts

@@ -0,0 +1,110 @@
+/**
+ * Integration tests for Entity.save timeout and cancellation behavior.
+ *
+ * Regression coverage for the production incident where Entity.save's wall-
+ * clock timeout rejected the outer Promise but left the underlying Bun SQL
+ * transaction mid-flight. Under pgbouncer transaction-mode pooling this
+ * leaked backend PostgreSQL sessions into `idle in transaction` state,
+ * exhausting the pool.
+ *
+ * These tests prove the invariants the fix must uphold:
+ *   1. An aborted save leaves no partial rows — Bun SQL's transaction callback
+ *      throws, auto-ROLLBACK fires, backend connection is released.
+ *   2. The connection pool stays healthy after repeated aborts — subsequent
+ *      saves on fresh entities still succeed.
+ *   3. A save with no abort still commits normally.
+ *
+ * The wall-clock DB_QUERY_TIMEOUT path is module-cached at import time so it
+ * is not exercised here directly. Manual verification on a real Postgres +
+ * pgbouncer stack (with query_wait_timeout short enough to fire) should
+ * confirm pg_stat_activity shows no `idle in transaction` backends after
+ * this test suite runs. See the handoff doc (2026-04-18) for the repro steps.
+ */
+import { describe, test, expect, beforeAll } from 'bun:test';
+import { Entity } from '../../../core/Entity';
+import db from '../../../database';
+import { TestUser } from '../../fixtures/components';
+import { createTestContext, ensureComponentsRegistered } from '../../utils';
+
+describe('Entity.save timeout and cancellation', () => {
+    const ctx = createTestContext();
+
+    beforeAll(async () => {
+        await ensureComponentsRegistered(TestUser);
+    });
+
+    test('aborted doSave does not leave partial rows (transaction rolls back)', async () => {
+        const entity = ctx.tracker.create();
+        entity.add(TestUser, { name: 'aborted', email: 'a@example.com', age: 1 });
+
+        const controller = new AbortController();
+        // Abort immediately — the first in-flight query will be cancelled,
+        // the transaction callback throws, Bun SQL issues ROLLBACK.
+        queueMicrotask(() => controller.abort(new Error('simulated save timeout')));
+
+        const result = db.transaction(async (trx) => {
+            await entity.doSave(trx, controller.signal);
+        });
+
+        await expect(result).rejects.toBeDefined();
+
+        // Entity must NOT exist — rollback invariant.
+        const rows = await db`SELECT id FROM entities WHERE id = ${entity.id}`;
+        expect(rows.length).toBe(0);
+    });
+
+    test('connection pool stays healthy after multiple aborted saves', async () => {
+        // Repeatedly abort saves — if connections leaked, subsequent saves
+        // would eventually block on pool acquire.
+        for (let i = 0; i < 8; i++) {
+            const entity = Entity.Create();
+            entity.add(TestUser, { name: `aborted-${i}`, email: `a${i}@e.com`, age: i });
+
+            const controller = new AbortController();
+            queueMicrotask(() => controller.abort(new Error('simulated timeout')));
+
+            await db.transaction(async (trx) => {
+                await entity.doSave(trx, controller.signal);
+            }).catch(() => { /* expected */ });
+        }
+
+        // A fresh save must still succeed on the pool that serviced the aborts.
+        const healthy = ctx.tracker.create();
+        healthy.add(TestUser, { name: 'healthy', email: 'h@e.com', age: 99 });
+        await healthy.save();
+
+        expect(healthy._persisted).toBe(true);
+
+        const rows = await db`SELECT id FROM entities WHERE id = ${healthy.id}`;
+        expect(rows.length).toBe(1);
+    });
+
+    test('doSave without signal behaves normally (backwards compatible)', async () => {
+        const entity = ctx.tracker.create();
+        entity.add(TestUser, { name: 'no-signal', email: 'n@e.com', age: 5 });
+
+        await db.transaction(async (trx) => {
+            await entity.doSave(trx); // no signal passed
+        });
+
+        const rows = await db`SELECT id FROM entities WHERE id = ${entity.id}`;
+        expect(rows.length).toBe(1);
+    });
+
+    test('save() resolves even if post-commit cache work is slow (fire-and-forget)', async () => {
+        // Cache handler is queued via queueMicrotask; save() must resolve as
+        // soon as the DB transaction commits. We assert save resolves quickly
+        // even though handleCacheAfterSave is awaited separately.
+        const entity = ctx.tracker.create();
+        entity.add(TestUser, { name: 'fast', email: 'f@e.com', age: 10 });
+
+        const start = performance.now();
+        await entity.save();
+        const elapsed = performance.now() - start;
+
+        expect(entity._persisted).toBe(true);
+        // Generous bound — if cache were blocking save, timings under load
+        // could stretch past the budget. This just guards gross regressions.
+        expect(elapsed).toBeLessThan(5000);
+    });
+});

package/tests/unit/storage/S3StorageProvider.test.ts

@@ -378,11 +378,9 @@ describe("S3StorageProvider", () => {
 
         it("returns false on failure", async () => {
             const client = createMockS3Client({
-                file: mock(() => ({
-                    arrayBuffer: async () => {
-                        throw new Error("Read failed");
-                    },
-                })),
+                stat: mock(async () => {
+                    throw new Error("Stat failed");
+                }),
             });
             const provider = new S3StorageProvider(
                 { bucket: "my-bucket" },
@@ -413,11 +411,9 @@ describe("S3StorageProvider", () => {
 
         it("returns false if copy fails", async () => {
             const client = createMockS3Client({
-                file: mock(() => ({
-                    arrayBuffer: async () => {
-                        throw new Error("Read failed");
-                    },
-                })),
+                stat: mock(async () => {
+                    throw new Error("Stat failed");
+                }),
             });
             const provider = new S3StorageProvider(
                 { bucket: "my-bucket" },

package/upload/FileValidator.ts

@@ -258,31 +258,34 @@ export class FileValidator {
      * Check if file is potentially dangerous
      */
     public async isDangerous(file: File): Promise<boolean> {
-        // Check for executable file extensions
         const dangerousExtensions = [
             '.exe', '.scr', '.bat', '.cmd', '.com', '.pif', '.vbs', '.js', '.jar',
-            '.sh', '.py', '.pl', '.php', '.asp', '.aspx', '.jsp'
+            '.sh', '.py', '.pl', '.php', '.asp', '.aspx', '.jsp',
+            '.svg',
         ];
+        const dangerousMimeTypes = ['image/svg+xml'];
 
         const extension = this.getFileExtension(file.name);
         if (dangerousExtensions.includes(extension)) {
             return true;
         }
+        if (dangerousMimeTypes.includes(file.type)) {
+            return true;
+        }
 
-        // Check for polyglot files (files that are valid in multiple formats)
         try {
             const buffer = await file.slice(0, 1024).arrayBuffer();
             const bytes = new Uint8Array(buffer);
             const content = new TextDecoder().decode(bytes);
-            
-            // Look for script patterns
+
             const scriptPatterns = [
                 /<script/i,
                 /javascript:/i,
                 /vbscript:/i,
                 /<iframe/i,
                 /<object/i,
-                /<embed/i
+                /<embed/i,
+                /on[a-z]+\s*=/i,
             ];
 
             return scriptPatterns.some(pattern => pattern.test(content));