fix(cypher): return whole value for composite and escaped properties#1098
Open
JhohanBustamante wants to merge 1 commit into
Open
fix(cypher): return whole value for composite and escaped properties#1098JhohanBustamante wants to merge 1 commit into
JhohanBustamante wants to merge 1 commit into
Conversation
json_extract_prop() scanned a non-string property up to the first ',' and a
string property up to the first '"', ignoring nesting and backslash escapes.
Any array/object property was therefore truncated at its first INTERNAL comma,
and any string containing an escaped quote was cut short.
decorators: ["@roles('OWNER', 'ADMIN')","@get()"]
projected as: ["@roles('OWNER'
This makes decorator/route/authz queries unusable on frameworks whose
decorators take multiple arguments (NestJS, Angular, Spring). Values are now
copied as balanced constructs, honoring string state and escape pairs; scalar
and plain-string paths are unchanged.
Signed-off-by: KolisCode <jhohantma@gmail.com>
Owner
|
Thanks for splitting this into a focused Cypher fix. The escaped-string path is bounded, and the composite scan is iterative rather than recursive, so this adds no stack-growth or unbounded-input risk. The scalar sibling assertion also guards the unchanged scalar path. I have triaged it as a high-priority 0.9.1-rc bug; full CI and DCO are green, and the security review found no malicious, prompt-injection, dependency, workflow, network, or credential surface. Two coverage changes are needed before final review:
Please also narrow "whole value" in the PR description to balanced values within the existing projection cap. Malformed-JSON validation does not need to grow this focused fix, but malformed input must remain bounded and crash-free. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1096.
Composite property values are truncated at the first internal comma
json_extract_prop()scanned a non-string value up to the first,and a stringvalue up to the first
", ignoring nesting and backslash escapes. Any array orobject property was therefore cut at its first internal comma:
So
MATCH (m:Method) RETURN m.decoratorsreturns garbage for NestJS, Angular orSpring handlers (any decorator with more than one argument), and strings holding
an escaped quote are cut short too. Values are now copied as balanced constructs,
honoring string state and escape pairs; the scalar and plain-string paths are
untouched.
Combined effect on the repo that surfaced this: HTTP endpoints reachable from the
graph went from 3/95 to 95/95, with full
@Roles(...)+ verb + path.Tests
tests/test_cypher.c:cypher_exec_prop_array_with_internal_commas,cypher_exec_prop_string_with_escaped_quotetest-runner cypher→ 152 passed (ASan + UBSan build).Split out of #1075 per review, as one focused PR linked to its issue. The
decorator-extraction fix is now #1095 / its own PR.