Skip to content

fix(cypher): return whole value for composite and escaped properties#1098

Open
JhohanBustamante wants to merge 1 commit into
DeusData:mainfrom
JhohanBustamante:fix/cypher-composite-props
Open

fix(cypher): return whole value for composite and escaped properties#1098
JhohanBustamante wants to merge 1 commit into
DeusData:mainfrom
JhohanBustamante:fix/cypher-composite-props

Conversation

@JhohanBustamante

Copy link
Copy Markdown

Fixes #1096.

Composite property values are truncated at the first internal comma

json_extract_prop() scanned a non-string value up to the first , and a string
value up to the first ", ignoring nesting and backslash escapes. Any array or
object property was therefore cut at its first internal comma:

decorators: ["@Roles('OWNER', 'ADMIN')","@Get()"]
projected as: ["@Roles('OWNER'

So MATCH (m:Method) RETURN m.decorators returns garbage for NestJS, Angular or
Spring handlers (any decorator with more than one argument), and strings holding
an escaped quote are cut short too. Values are now copied as balanced constructs,
honoring string state and escape pairs; the scalar and plain-string paths are
untouched.

Combined effect on the repo that surfaced this: HTTP endpoints reachable from the
graph went from 3/95 to 95/95, with full @Roles(...) + verb + path.

Tests

  • tests/test_cypher.c: cypher_exec_prop_array_with_internal_commas,
    cypher_exec_prop_string_with_escaped_quote

test-runner cypher → 152 passed (ASan + UBSan build).


Split out of #1075 per review, as one focused PR linked to its issue. The
decorator-extraction fix is now #1095 / its own PR.

json_extract_prop() scanned a non-string property up to the first ',' and a
string property up to the first '"', ignoring nesting and backslash escapes.
Any array/object property was therefore truncated at its first INTERNAL comma,
and any string containing an escaped quote was cut short.

    decorators: ["@roles('OWNER', 'ADMIN')","@get()"]
    projected as: ["@roles('OWNER'

This makes decorator/route/authz queries unusable on frameworks whose
decorators take multiple arguments (NestJS, Angular, Spring). Values are now
copied as balanced constructs, honoring string state and escape pairs; scalar
and plain-string paths are unchanged.

Signed-off-by: KolisCode <jhohantma@gmail.com>
@DeusData DeusData added bug Something isn't working cypher Cypher query language parser/executor bugs labels Jul 15, 2026
@DeusData DeusData added this to the 0.9.1-rc milestone Jul 15, 2026
@DeusData DeusData added the priority/high Needs near-term maintainer attention; high-impact bug, regression, safety issue, or release blocker. label Jul 15, 2026
@DeusData

Copy link
Copy Markdown
Owner

Thanks for splitting this into a focused Cypher fix. The escaped-string path is bounded, and the composite scan is iterative rather than recursive, so this adds no stack-growth or unbounded-input risk. The scalar sibling assertion also guards the unchanged scalar path. I have triaged it as a high-priority 0.9.1-rc bug; full CI and DCO are green, and the security review found no malicious, prompt-injection, dependency, workflow, network, or credential surface.

Two coverage changes are needed before final review:

  1. Add a red-on-main object case that contains mixed nested arrays/objects and an escaped quote inside the composite value. The current array test does not execute the new outer-object branch or prove mixed nesting/string state.
  2. Add a boundary regression around the existing 511-byte projection limit to prove termination and deterministic truncation without reading past a trailing escape. Keep the current fixed-size contract in this PR; any proposal to return unlimited property values is a separate design change.

Please also narrow "whole value" in the PR description to balanced values within the existing projection cap. Malformed-JSON validation does not need to grow this focused fix, but malformed input must remain bounded and crash-free.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working cypher Cypher query language parser/executor bugs priority/high Needs near-term maintainer attention; high-impact bug, regression, safety issue, or release blocker.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Cypher: composite/escaped property values truncated at the first internal comma/quote

2 participants