Python fp and docs updtes (#58)
* refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files
This commit is contained in:
parent
4db0805de6
commit
a438886217
291 changed files with 9485 additions and 3851 deletions
|
|
@ -1,7 +1,7 @@
|
|||
// Target: authorization happens inside `require_owner`, which
|
||||
// delegates to `require_group_member` (a configured authorization
|
||||
// check name). The handler in `cross_file_helper_handler.rs`
|
||||
// delegates ownership validation to this helper — cross-file helper
|
||||
// delegates ownership validation to this helper, cross-file helper
|
||||
// lifting should recognise the call as an auth check covering the
|
||||
// supplied `row`.
|
||||
struct Db;
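Review bot: The reworded comment on the new side of this hunk (`// delegates ownership validation to this helper, cross-file helper`) turns a clear em-dash break into a comma splice joining two independent clauses, which reads as if "cross-file helper" were an appositive for "this helper". Since this header comment is what documents the fixture's expected analysis outcome (the `require_owner` call covering `row`), it is worth keeping unambiguous; a semicolon or full stop preserves the meaning: `// delegates ownership validation to this helper; cross-file helper`. The comment block continues past the hunk's last context line, so the sentence it belongs to is only partly visible here.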
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
// produces a `DatabaseConnection` via SSA `constructor_type` (through
|
||||
// `peel_identity_suffix`, which strips `.unwrap()` before matching). The
|
||||
// handler then calls `conn.execute(..)`, a callee name that appears in
|
||||
// neither `mutation_indicator_names` nor `read_indicator_names` for Rust —
|
||||
// neither `mutation_indicator_names` nor `read_indicator_names` for Rust ,
|
||||
// name-based classification returns `None`, so the ownership gate
|
||||
// already cannot flag the call. The type-map refinement should *still*
|
||||
// leave the call unflagged (the type map produces `DbMutation`, but
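Review bot: The new comment line in this hunk has a stray space before the comma, `for Rust ,`, introduced by the em-dash-to-comma replacement; the preceding and following lines of the same sentence are otherwise intact. Suggest `// neither \`mutation_indicator_names\` nor \`read_indicator_names\` for Rust,` so the fixture header reads cleanly, since this comment is the only statement of why `conn.execute(..)` must stay unflagged under the type-map refinement. The comment block both starts before and ends after the hunk, so the enclosing sentence is only partly visible.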
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ pub async fn handle_list_peer_docs(req: Req, ctx: Ctx) -> Result<String, ()> {
|
|||
let user = auth::require_auth(&req, &ctx).await?;
|
||||
let doc_ids: Vec<i64> = vec![1, 2, 3];
|
||||
|
||||
// Pure in-memory bookkeeping — no authorization decision here.
|
||||
// Pure in-memory bookkeeping, no authorization decision here.
|
||||
let mut counts: HashMap<i64, usize> = HashMap::new();
|
||||
let mut seen: HashSet<i64> = HashSet::new();
|
||||
for doc_id in &doc_ids {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
// B4 regression guard: `format_target` does NOT auth-check
|
||||
// `group_id` — it just constructs a string from it. The helper-lift
|
||||
// `group_id`, it just constructs a string from it. The helper-lift
|
||||
// pass must not synthesise a covering AuthCheck on the handler's call
|
||||
// site, so the subsequent `db.exec("INSERT INTO comments …", &[group_id])`
|
||||
// MUST still flag.
|
||||
|
|
@ -19,7 +19,7 @@ mod auth {
|
|||
}
|
||||
|
||||
fn format_target(group_id: i64, suffix: &str) -> String {
|
||||
// No auth check here — pure formatting.
|
||||
// No auth check here, pure formatting.
|
||||
format!("group:{}{}", group_id, suffix)
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@ pub async fn handle_delete_doc(req: Req, ctx: Ctx, doc_id: i64) -> Result<String
|
|||
return json_err("cannot delete another user's doc", 403);
|
||||
}
|
||||
|
||||
// By construction, the row belongs to `user` — so any id read from it is authorized.
|
||||
// By construction, the row belongs to `user`, so any id read from it is authorized.
|
||||
let group_id = existing.get_i64("group_id");
|
||||
realtime::publish_to_group(group_id, "doc_deleted");
|
||||
Ok("ok".into())
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ pub async fn handle_update_doc(req: Req, ctx: Ctx, doc_id: i64) -> Result<String
|
|||
);
|
||||
let owner_id = existing.get_i64("user_id");
|
||||
|
||||
// Equality compared but no early exit — the check has no effect.
|
||||
// Equality compared but no early exit, the check has no effect.
|
||||
if owner_id != user.id {
|
||||
// missing return
|
||||
println!("not your doc (but proceeding anyway)");
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ mod auth { pub async fn require_auth(_r: &super::Req, _c: &super::Ctx) -> Result
|
|||
|
||||
// The handler's `get_peer_ids(&db, user.id)` call below must not be
|
||||
// flagged. `user` is bound from `auth::require_auth(..)` so `user.id`
|
||||
// is the caller's own id — the call is self-referential, not a foreign
|
||||
// is the caller's own id, the call is self-referential, not a foreign
|
||||
// scoped id. The library-style helper below is a pass-through so its
|
||||
// body contains no DB sinks (the internal `user_id` → DB flow is a
|
||||
// separate pattern covered by helper-summary lifting).
|
||||
|
|
|
|||
2
tests/fixtures/auth_analysis/sql_join_acl.rs
vendored
2
tests/fixtures/auth_analysis/sql_join_acl.rs
vendored
|
|
@ -2,7 +2,7 @@
|
|||
// against an ACL table (`group_members`) with a WHERE clause that pins
|
||||
// the row to the current user (`gm.user_id = ?1` bound to `user.id`).
|
||||
// Every returned row is membership-gated by construction, so downstream
|
||||
// uses of the row's columns (`group_id` here) are authorized — the
|
||||
// uses of the row's columns (`group_id` here) are authorized, the
|
||||
// `realtime::publish_to_group` call MUST NOT be flagged as missing an
|
||||
// ownership check after B3.
|
||||
struct Ctx;
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
// B3 regression guard: the SELECT JOINs through `audit_log` (NOT in
|
||||
// the configured ACL list) and the WHERE clause pins on
|
||||
// `al.user_id = ?1`. The audit-log row's user is the audit subject,
|
||||
// not the doc owner — so this query does NOT prove caller ownership
|
||||
// not the doc owner, so this query does NOT prove caller ownership
|
||||
// of the returned `doc_id`. The downstream realtime publish MUST
|
||||
// still flag for a missing ownership check after B3.
|
||||
struct Ctx;
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
// target: authorization happens inside `validate_target`, which
|
||||
// internally calls `authz::require_membership` against the same
|
||||
// `group_id` the handler subsequently mutates. The current rule cannot
|
||||
// see this transitively — B4 lifts per-function auth-check summaries
|
||||
// see this transitively, B4 lifts per-function auth-check summaries
|
||||
// (which positional params are auth-checked) so the handler-level call
|
||||
// to `validate_target(&db, group_id, user.id)` is recognised as an
|
||||
// auth check covering `group_id`. Result: `db.exec(..)` MUST NOT flag
|
||||
|
|
@ -45,7 +45,7 @@ pub async fn handle_create_comment(
|
|||
let user = auth::require_auth(&req, &ctx).await?;
|
||||
let db = Db;
|
||||
|
||||
// Authorization happens inside validate_target — helper-summary
|
||||
// Authorization happens inside validate_target, helper-summary
|
||||
// lifting propagates the per-param auth check so this covers
|
||||
// `group_id`.
|
||||
validate_target(&db, group_id, user.id).await?;
|
||||
|
|
|
|||