Skip to content

fix(vscode): resolve design-time to runtime object names in artifact inspectors#192

Merged
jung-thomas merged 7 commits into
mainfrom
fix/runtime-name-resolution
Jul 15, 2026
Merged

fix(vscode): resolve design-time to runtime object names in artifact inspectors#192
jung-thomas merged 7 commits into
mainfrom
fix/runtime-name-resolution

Conversation

@jung-thomas

Copy link
Copy Markdown
Contributor

Problem

Clicking an HDI design-time file (e.g. cds.outbox.Messages.hdbtable) in a hana-cli custom editor injected the design-time name into the inspect field. HANA only knows the runtime object name (cds_outbox_Messages — CAP/HDI replaces . with _), and the backend matches names exactly and case-sensitively (SYS.TABLES.TABLE_NAME = ?). The result: Invalid Input Table.

Fix

New extension-side resolver resolveRuntimeName(fsPath, kind) reads the design-time file and extracts the runtime name from its DDL/JSON content, preserving exact case. On any parse failure it falls back to a filename naming rule (strip extension → dots→underscores → optional .hdinamespace prefix). Never throws.

artifactInspector.ts now calls the resolver in place of the old extension-strip logic. Covers all inspector kinds: table, view, procedure, function, synonym, role, sequence. (The .hdbcalculationview editor is separate and unchanged.)

Verification

  • 18 unit tests for the resolver (per-kind parse, quoted/schema-qualified/mixed-case normalization, and all fallback paths). All passing.
  • TDD caught a real bug — the table regex matched the word "table" mid-prose; DDL patterns are now anchored to line starts.
  • End-to-end against real files:
    • cds.outbox.Messages.hdbtablecds_outbox_Messages
    • star.wars.CloneWarsChronologicalOrder.hdbviewstar_wars_CloneWarsChronologicalOrder

Note: The full npm test electron harness (@vscode/test-electron) could not launch in the sandboxed dev environment (VS Code rejects its own launch flags, exit 9) — this is environmental and fails identically on unmodified main. The resolver is a pure function fully covered by direct-mocha runs; the integration is a type-checked one-line call. Please run npm test in a GUI-capable environment as a final check.

Packaging

Extension version bumped 0.1.80.1.9; packaged via npm run package (bundles node_modules including @sap/cds — avoids the --no-dependencies activation trap).

Docs

Design spec and implementation plan included under docs/superpowers/.

…t injection

- resolveRuntimeName now validates parsed names against a safe HANA
  identifier grammar ([A-Za-z0-9_.:]); unsafe DDL/namespace values fall
  through to the sanitized filename rule instead of passing verbatim.
- htmlProvider embeds the webview route via JSON.stringify so the value
  is escaped at the sink regardless of caller.
- Adds 4 security tests (quote/angle-bracket DDL, quoted filename,
  malicious .hdinamespace prefix).

Addresses automated security review (xss-injection).
@jung-thomas

Copy link
Copy Markdown
Contributor Author

Security hardening (follow-up)

An automated security review flagged a potential XSS/script-injection path introduced by this change, now fixed:

The path: resolveRuntimeName's DDL regex captured any non-whitespace token from file content → encodeURIComponent (which does not escape ') → embedded unescaped inside a single-quoted JS string in the webview inline script (window.__HANA_CLI_ROUTE__ = '${route}'). A crafted .hdbtable (e.g. from a cloned repo) containing COLUMN TABLE x';alert(1);// could break out and inject script into the webview.

Two-layer fix:

  1. Source (runtimeName.ts) — resolved names are validated against a safe HANA identifier grammar [A-Za-z0-9_.:]. Unsafe DDL captures and malicious .hdinamespace prefixes fall through to the sanitized filename rule; the function can never return an injectable string.
  2. Sink (htmlProvider.ts) — the webview route is now embedded via JSON.stringify, so the value is escaped regardless of caller (defense-in-depth for all inspectors, not just this one).

Added 4 security regression tests (quote/angle-bracket DDL, quoted filename, malicious namespace). Full resolver suite: 22 passing. Version bumped to 0.1.10.

@jung-thomas jung-thomas merged commit 625bb08 into main Jul 15, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant