indexeddb: prevent collisions in find() (#8807)

Author: alxndrsn

packages/node_modules/pouchdb-adapter-indexeddb/src/rewrite.js

@@ -7,8 +7,8 @@ var IDB_TRUE = Number.MIN_SAFE_INTEGER + 2;
 // These are the same as below but without the global flag
 // we want to use RegExp.test because it's really fast, but the global flag
 // makes the regex const stateful (seriously) as it walked through all instances
-var TEST_KEY_INVALID = /^[^a-zA-Z_$]|[^a-zA-Z0-9_$]+/;
-var TEST_PATH_INVALID = /\\.|(^|\.)[^a-zA-Z_$]|[^a-zA-Z0-9_$.]+/;
+var TEST_KEY_INVALID = /^[^a-zA-Z$]|[^a-zA-Z0-9$]+/;
+var TEST_PATH_INVALID = /\\.|(^|\.)[^a-zA-Z$]|[^a-zA-Z0-9$.]+/;
 function needsSanitise(name, isPath) {
   if (isPath) {
     return TEST_PATH_INVALID.test(name);
@@ -27,9 +27,12 @@ function needsSanitise(name, isPath) {
 //
 // Very high level rules for valid JS names are:
 //  - First character cannot start with a number
-//  - Otherwise all characters must be be a-z, A-Z, 0-9, $ or _.
+//  - Otherwise all characters must be be a-z, A-Z, 0-9, or $.
+//  - Underscores (_) are encoded even though legal, to avoid collsions with
+//    encoded illegal characters
 //  - We allow . unless the name represents a single field, as that represents
 //    a deep index path.
+// See: https://www.w3.org/TR/IndexedDB/#key-path-construct
 //
 // This is more aggressive than it needs to be, but also simpler.
 //

tests/find/test-suite-1/test.escaping.js

@@ -237,4 +237,158 @@ describe('test.escaping.js', function () {
       res.docs.should.deep.equal([{ "_id": "doc", "foo_c46_bar": "a" }]);
     });
   });
+
+  it('#8808 handles escape patterns without collisions (with indexes)', function () {
+    var db = context.db;
+    var index1 = {
+      "index": {
+        "fields": [
+          "foo/bar"
+        ]
+      },
+      "name": "foo-index-1",
+      "type": "json"
+    };
+    var index2 = {
+      "index": {
+        "fields": [
+          "foo_c47_bar"
+        ]
+      },
+      "name": "foo-index-2",
+      "type": "json"
+    };
+    return db.bulkDocs([
+      {_id: 'doc1', 'foo/bar': 'a'},
+      {_id: 'doc2', 'foo_c47_bar': 'a'},
+    ]).then(function () {
+      return db.createIndex(index1);
+    }).then(function () {
+      return db.createIndex(index2);
+    }).then(function () {
+      return db.find({
+        selector: {'foo/bar': 'a'},
+        fields: ['_id', 'foo/bar', 'foo_c47_bar']
+      });
+    }).then(function (res) {
+      res.docs.should.deep.equal([{ _id: 'doc1', 'foo/bar': 'a' }]);
+    }).then(function () {
+      return db.find({
+        selector: {'foo_c47_bar': 'a'},
+        fields: ['_id', 'foo/bar', 'foo_c47_bar']
+      });
+    }).then(function (res) {
+      res.docs.should.deep.equal([{ _id: 'doc2', foo_c47_bar: 'a' }]);
+    });
+  });
+
+  it('#8808 handles escape patterns without collisions (no indexes)', function () {
+    var db = context.db;
+    return db.bulkDocs([
+      {_id: 'doc1', 'foo/bar': 'a'},
+      {_id: 'doc2', 'foo_c47_bar': 'a'},
+    ]).then(function () {
+      return db.find({
+        selector: {'foo/bar': 'a'},
+        fields: ['_id', 'foo/bar', 'foo_c47_bar']
+      });
+    }).then(function (res) {
+      res.docs.should.deep.equal([{ _id: 'doc1', 'foo/bar': 'a' }]);
+    }).then(function () {
+      return db.find({
+        selector: {'foo_c47_bar': 'a'},
+        fields: ['_id', 'foo/bar', 'foo_c47_bar']
+      });
+    }).then(function (res) {
+      res.docs.should.deep.equal([{ _id: 'doc2', foo_c47_bar: 'a' }]);
+    });
+  });
+
+  it('#8808 bulk docs id escaping collisions in same doc (with indexes)', function () {
+    var db = context.db;
+    var docs = [ { _id: 'doc', 'foo/bar': -1, foo_c47_bar: 2 } ];
+    var index1 = {
+      "index": {
+        "fields": [
+          "foo/bar"
+        ]
+      },
+      "name": "foo-index-1",
+      "type": "json"
+    };
+    var index2 = {
+      "index": {
+        "fields": [
+          "foo_c47_bar"
+        ]
+      },
+      "name": "foo-index-2",
+      "type": "json"
+    };
+    return db.bulkDocs(docs).then(function (results) {
+      results.should.have.length(1, 'results length did not match');
+      results[0].ok.should.equal(true);
+    }).then(function () {
+      return db.allDocs({ include_docs: true });
+    }).then(function (results) {
+      results.rows.should.have.length(1, 'results length did not match');
+
+      results.rows[0].doc._id.should.equal('doc');
+      results.rows[0].doc['foo/bar'].should.equal(-1);
+      results.rows[0].doc['foo_c47_bar'].should.equal(2);
+    }).then(function () {
+      return db.createIndex(index1);
+    }).then(function () {
+      return db.createIndex(index2);
+    }).then(function () {
+      return db.find({ selector: {'foo/bar': {$gt: 0}}, fields: ['_id', 'foo/bar', 'foo_c47_bar'] });
+    }).then(function (res) {
+      res.docs.length.should.equal(0, 'foo/bar should not be greater than 0');
+    }).then(function () {
+      return db.find({ selector: {'foo/bar': {$lt: 0}}, fields: ['_id', 'foo/bar', 'foo_c47_bar'] });
+    }).then(function (res) {
+      res.docs.should.deep.equal([{ _id: 'doc', 'foo/bar': -1, foo_c47_bar: 2 }]);
+    }).then(function () {
+      return db.find({ selector: {'foo_c47_bar': {$lt: 0}}, fields: ['_id', 'foo/bar', 'foo_c47_bar'] });
+    }).then(function (res) {
+      res.docs.length.should.equal(0, 'foo_c47_bar should not be less than 0');
+    }).then(function () {
+      return db.find({ selector: {'foo_c47_bar': {$gt: 0}}, fields: ['_id', 'foo/bar', 'foo_c47_bar'] });
+    }).then(function (res) {
+      res.docs.should.deep.equal([{ _id: 'doc', 'foo/bar': -1, foo_c47_bar: 2 } ]);
+    });
+  });
+
+  it('#8808 bulk docs id escaping collisions in same doc (no indexes)', function () {
+    var db = context.db;
+    var docs = [ { _id: 'doc', 'foo/bar': -1, foo_c47_bar: 2 } ];
+    return db.bulkDocs(docs).then(function (results) {
+      results.should.have.length(1, 'results length did not match');
+      results[0].ok.should.equal(true);
+    }).then(function () {
+      return db.allDocs({ include_docs: true });
+    }).then(function (results) {
+      results.rows.should.have.length(1, 'results length did not match');
+
+      results.rows[0].doc._id.should.equal('doc');
+      results.rows[0].doc['foo/bar'].should.equal(-1);
+      results.rows[0].doc['foo_c47_bar'].should.equal(2);
+    }).then(function () {
+      return db.find({ selector: {'foo/bar': {$gt: 0}}, fields: ['_id', 'foo/bar', 'foo_c47_bar'] });
+    }).then(function (res) {
+      res.docs.length.should.equal(0, 'foo/bar should not be greater than 0');
+    }).then(function () {
+      return db.find({ selector: {'foo/bar': {$lt: 0}}, fields: ['_id', 'foo/bar', 'foo_c47_bar'] });
+    }).then(function (res) {
+      res.docs.should.deep.equal([ { _id: 'doc', 'foo/bar': -1, foo_c47_bar: 2 } ]);
+    }).then(function () {
+      return db.find({ selector: {'foo_c47_bar': {$lt: 0}}, fields: ['_id', 'foo/bar', 'foo_c47_bar'] });
+    }).then(function (res) {
+      res.docs.length.should.equal(0, 'foo_c47_bar should not be less than 0');
+    }).then(function () {
+      return db.find({ selector: {'foo_c47_bar': {$gt: 0}}, fields: ['_id', 'foo/bar', 'foo_c47_bar'] });
+    }).then(function (res) {
+      res.docs.should.deep.equal([ { _id: 'doc', 'foo/bar': -1, foo_c47_bar: 2 } ]);
+    });
+  });
 });