fix(vscode): resolve design-time to runtime object names in artifact inspectors#192
Merged
Conversation
…t injection - resolveRuntimeName now validates parsed names against a safe HANA identifier grammar ([A-Za-z0-9_.:]); unsafe DDL/namespace values fall through to the sanitized filename rule instead of passing verbatim. - htmlProvider embeds the webview route via JSON.stringify so the value is escaped at the sink regardless of caller. - Adds 4 security tests (quote/angle-bracket DDL, quoted filename, malicious .hdinamespace prefix). Addresses automated security review (xss-injection).
Contributor
Author
Security hardening (follow-up)An automated security review flagged a potential XSS/script-injection path introduced by this change, now fixed: The path: Two-layer fix:
Added 4 security regression tests (quote/angle-bracket DDL, quoted filename, malicious namespace). Full resolver suite: 22 passing. Version bumped to |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Clicking an HDI design-time file (e.g.
cds.outbox.Messages.hdbtable) in a hana-cli custom editor injected the design-time name into the inspect field. HANA only knows the runtime object name (cds_outbox_Messages— CAP/HDI replaces.with_), and the backend matches names exactly and case-sensitively (SYS.TABLES.TABLE_NAME = ?). The result:Invalid Input Table.Fix
New extension-side resolver
resolveRuntimeName(fsPath, kind)reads the design-time file and extracts the runtime name from its DDL/JSON content, preserving exact case. On any parse failure it falls back to a filename naming rule (strip extension → dots→underscores → optional.hdinamespaceprefix). Never throws.artifactInspector.tsnow calls the resolver in place of the old extension-strip logic. Covers all inspector kinds: table, view, procedure, function, synonym, role, sequence. (The.hdbcalculationvieweditor is separate and unchanged.)Verification
cds.outbox.Messages.hdbtable→cds_outbox_Messages✅star.wars.CloneWarsChronologicalOrder.hdbview→star_wars_CloneWarsChronologicalOrder✅Packaging
Extension version bumped
0.1.8→0.1.9; packaged vianpm run package(bundlesnode_modulesincluding@sap/cds— avoids the--no-dependenciesactivation trap).Docs
Design spec and implementation plan included under
docs/superpowers/.