Flip UNSAFE label to SAFE and fix/remove impossible cases

jeongsoolee09 · jeongsoolee09 · commit d286f51ba14f · 2025-07-03T15:34:16.000-04:00
1. These are now deemed safe (for now), so flip the labels.
2. Some cases are impossible: `entries` call only accepts only
objects (as varargs or an array of them). So, if it can be
fixed, then fix it; otherwise, remove it.
diff --git a/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js b/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js
@@ -55,17 +55,17 @@ module.exports = class Service1 extends cds.ApplicationService {
 
     this.on("send00131", async (req) => {
       const { id } = req.data;
-      cds.create("Entity1").entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      cds.create("Entity1").entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00132", async (req) => {
       const { id } = req.data;
-      cds.create("Entity1").entries({id: `` + id});  // UNSAFE: direct concatenation with `+`
+      cds.create("Entity1").entries({id: `` + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00133", async (req) => {
       const { id } = req.data;
-      cds.create("Entity1").entries({id: `${id}`});  // UNSAFE: direct interpolation in a template literal
+      cds.create("Entity1").entries({id: `${id}`});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00141", async (req) => {
@@ -90,32 +90,32 @@ module.exports = class Service1 extends cds.ApplicationService {
 
     this.on("send00151", async (req) => {
       const { id } = req.data;
-      cds.insert("Entity1").entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      cds.insert("Entity1").entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00152", async (req) => {
       const { id } = req.data;
-      cds.insert("Entity1").entries({id: `` + id});  // UNSAFE: direct concatenation with `+`
+      cds.insert("Entity1").entries({id: `` + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00153", async (req) => {
       const { id } = req.data;
-      cds.insert("Entity1").entries({id: `${id}`});  // UNSAFE: direct interpolation in a template literal
+      cds.insert("Entity1").entries({id: `${id}`});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00161", async (req) => {
       const { id } = req.data;
-      cds.upsert("Entity1").entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      cds.upsert("Entity1").entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00162", async (req) => {
       const { id } = req.data;
-      cds.upsert("Entity1").entries({id: `` + id});  // UNSAFE: direct concatenation with `+`
+      cds.upsert("Entity1").entries({id: `` + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00163", async (req) => {
       const { id } = req.data;
-      cds.upsert("Entity1").entries({id: `${id}`});  // UNSAFE: direct interpolation in a template literal
+      cds.upsert("Entity1").entries({id: `${id}`});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00171", async (req) => {
@@ -166,25 +166,19 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send00221", async (req) => {
       const { id } = req.data;
       const { Service1Entity } = this.entities;
-      await INSERT.into(Service1Entity).entries("ID =" + id);  // UNSAFE: direct concatenation with `+`
+      await INSERT.into(Service1Entity).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00222", async (req) => {
       const { id } = req.data;
       const { Service1Entity } = this.entities;
-      await INSERT.into(Service1Entity).entries(`ID =` + id);  // UNSAFE: direct concatenation with `+`
+      await INSERT.into(Service1Entity).entries({id: `ID =` + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00223", async (req) => {
       const { id } = req.data;
       const { Service1Entity } = this.entities;
-      await INSERT.into(Service1Entity).entries(`ID = ${id}`);  // UNSAFE: direct interpolation in a template literal
-    });
-
-    this.on("send00224", async (req) => {
-      const { id } = req.data;
-      const { Service1Entity } = this.entities;
-      await INSERT.into(Service1Entity).entries`ID = ${id}`;  // SAFE: tagged template expression
+      await INSERT.into(Service1Entity).entries({id: `ID = ${id}`});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00231", async (req) => {
@@ -214,19 +208,19 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send00241", async (req) => {
       const { id } = req.data;
       const { Service1Entity } = this.entities;
-      await UPSERT.into(Service1Entity).entries({ id: "" + id });  // UNSAFE: direct concatenation with `+`
+      await UPSERT.into(Service1Entity).entries({ id: "" + id });  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00242", async (req) => {
       const { id } = req.data;
       const { Service1Entity } = this.entities;
-      await UPSERT.into(Service1Entity).entries({ id: `` + id });  // UNSAFE: direct concatenation with `+`
+      await UPSERT.into(Service1Entity).entries({ id: `` + id });  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00243", async (req) => {
       const { id } = req.data;
       const { Service1Entity } = this.entities;
-      await UPSERT.into(Service1Entity).entries({ id: `${id}` });  // UNSAFE: direct interpolation in a template literal
+      await UPSERT.into(Service1Entity).entries({ id: `${id}` });  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send00251", async (req) => {
@@ -267,7 +261,7 @@ module.exports = class Service1 extends cds.ApplicationService {
 
     this.on("send33", async (req) => {
       const { id } = req.data;
-      this.create(`Service1Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      this.create(`Service1Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send34", async (req) => {
@@ -277,12 +271,12 @@ module.exports = class Service1 extends cds.ApplicationService {
 
     this.on("send35", async (req) => {
       const { id } = req.data;
-      this.insert(`Service1Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      this.insert(`Service1Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send36", async (req) => {
       const { id } = req.data;
-      this.upsert(`Service1Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      this.upsert(`Service1Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send37", async (req) => {
@@ -307,7 +301,7 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send43", async (req) => {
       const { id } = req.data;
       const Service2 = await cds.connect.to("Service2");
-      Service2.create(`Service2Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      Service2.create(`Service2Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send44", async (req) => {
@@ -319,13 +313,13 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send45", async (req) => {
       const { id } = req.data;
       const Service2 = await cds.connect.to("Service2");
-      Service2.insert(`Service2Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      Service2.insert(`Service2Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send46", async (req) => {
       const { id } = req.data;
       const Service2 = await cds.connect.to("Service2");
-      Service2.upsert(`Service2Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      Service2.upsert(`Service2Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send47", async (req) => {
@@ -457,7 +451,7 @@ module.exports = class Service1 extends cds.ApplicationService {
       const { id } = req.data;
       const Service2 = await cds.connect.to("Service2");
       Service2.tx(async (tx) => {
-        tx.create(`Service2Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.create(`Service2Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
@@ -473,15 +467,15 @@ module.exports = class Service1 extends cds.ApplicationService {
       const { id } = req.data;
       const Service2 = await cds.connect.to("Service2");
       Service2.tx(async (tx) => {
-        tx.insert(`Service2Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.insert(`Service2Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
     this.on("send96", async (req) => {
       const { id } = req.data;
       const Service2 = await cds.connect.to("Service2");
       Service2.tx(async (tx) => {
-        tx.upsert(`Service2Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.upsert(`Service2Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
@@ -512,7 +506,7 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send103", async (req) => {
       const { id } = req.data;
       this.tx(async (tx) => {
-        tx.create(`Service1Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.create(`Service1Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
@@ -526,14 +520,14 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send105", async (req) => {
       const { id } = req.data;
       this.tx(async (tx) => {
-        tx.insert(`Service1Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.insert(`Service1Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
     this.on("send106", async (req) => {
       const { id } = req.data;
       this.tx(async (tx) => {
-        tx.upsert(`Service1Entity`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.upsert(`Service1Entity`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
@@ -563,7 +557,7 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send113", async (req) => {
       const { id } = req.data;
       cds.tx(async (tx) => {
-        tx.create(`Entity1`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.create(`Entity1`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
@@ -577,14 +571,14 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send115", async (req) => {
       const { id } = req.data;
       cds.tx(async (tx) => {
-        tx.insert(`Entity1`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.insert(`Entity1`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
     this.on("send116", async (req) => {
       const { id } = req.data;
       cds.tx(async (tx) => {
-        tx.upsert(`Entity1`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.upsert(`Entity1`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
@@ -614,7 +608,7 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send123", async (req) => {
       const { id } = req.data;
       cds.db.tx(async (tx) => {
-        tx.create(`Entity1`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.create(`Entity1`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
@@ -628,14 +622,14 @@ module.exports = class Service1 extends cds.ApplicationService {
     this.on("send125", async (req) => {
       const { id } = req.data;
       cds.db.tx(async (tx) => {
-        tx.insert(`Entity1`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.insert(`Entity1`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
     this.on("send126", async (req) => {
       const { id } = req.data;
       cds.db.tx(async (tx) => {
-        tx.upsert(`Entity1`).entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+        tx.upsert(`Entity1`).entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
       });
     });
 
@@ -693,17 +687,17 @@ module.exports = class Service1 extends cds.ApplicationService {
 
     this.on("send001331", async (req) => {
       const { id } = req.data;
-      cds.db.create("Entity1").entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      cds.db.create("Entity1").entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send001332", async (req) => {
       const { id } = req.data;
-      cds.db.create("Entity1").entries({id: `` + id});  // UNSAFE: direct concatenation with `+`
+      cds.db.create("Entity1").entries({id: `` + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send001333", async (req) => {
       const { id } = req.data;
-      cds.db.create("Entity1").entries({id: `${id}`});  // UNSAFE: direct interpolation in a template literal
+      cds.db.create("Entity1").entries({id: `${id}`});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send001341", async (req) => {
@@ -728,32 +722,32 @@ module.exports = class Service1 extends cds.ApplicationService {
 
     this.on("send001351", async (req) => {
       const { id } = req.data;
-      cds.db.insert("Entity1").entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      cds.db.insert("Entity1").entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send001352", async (req) => {
       const { id } = req.data;
-      cds.db.insert("Entity1").entries({id: `` + id});  // UNSAFE: direct concatenation with `+`
+      cds.db.insert("Entity1").entries({id: `` + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send001353", async (req) => {
       const { id } = req.data;
-      cds.db.insert("Entity1").entries({id: `${id}`});  // UNSAFE: direct interpolation in a template literal
+      cds.db.insert("Entity1").entries({id: `${id}`});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send001361", async (req) => {
       const { id } = req.data;
-      cds.db.upsert("Entity1").entries({id: "" + id});  // UNSAFE: direct concatenation with `+`
+      cds.db.upsert("Entity1").entries({id: "" + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send001362", async (req) => {
       const { id } = req.data;
-      cds.db.upsert("Entity1").entries({id: `` + id});  // UNSAFE: direct concatenation with `+`
+      cds.db.upsert("Entity1").entries({id: `` + id});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send001363", async (req) => {
       const { id } = req.data;
-      cds.db.upsert("Entity1").entries({id: `${id}`});  // UNSAFE: direct interpolation in a template literal
+      cds.db.upsert("Entity1").entries({id: `${id}`});  // SAFE: `entries` call safely parses the property value
     });
 
     this.on("send001371", async (req) => {
