feat: enhance Cedar policy generation with string escaping for table and column names

Author: Artuomka

backend/src/entities/cedar-authorization/cedar-policy-generator.ts

@@ -7,12 +7,25 @@ export interface IPublicTablePermission {
 	readableColumns?: Array<string>;
 }
 
+function escapeCedarString(value: string): string {
+	return value
+		.replace(/\\/g, '\\\\')
+		.replace(/"/g, '\\"')
+		.replace(/\n/g, '\\n')
+		.replace(/\r/g, '\\r')
+		.replace(/\t/g, '\\t');
+}
+
+function cedarEntityRef(entityType: string, id: string): string {
+	return `${entityType}::"${escapeCedarString(id)}"`;
+}
+
 export function generatePublicCedarPolicy(connectionId: string, tables: Array<IPublicTablePermission>): string {
 	const policies: Array<string> = [];
 
 	for (const table of tables) {
 		if (!table.tableName) continue;
-		const tableRef = `RocketAdmin::Table::"${connectionId}/${table.tableName}"`;
+		const tableRef = cedarEntityRef('RocketAdmin::Table', `${connectionId}/${table.tableName}`);
 
 		policies.push(
 			`permit(\n  principal,\n  action == RocketAdmin::Action::"table:query",\n  resource == ${tableRef}\n);`,
@@ -21,7 +34,7 @@ export function generatePublicCedarPolicy(connectionId: string, tables: Array<IP
 		const readableColumns = table.readableColumns;
 		if (readableColumns && readableColumns.length > 0) {
 			for (const columnName of readableColumns) {
-				const columnRef = `RocketAdmin::Column::"${connectionId}/${table.tableName}/${columnName}"`;
+				const columnRef = cedarEntityRef('RocketAdmin::Column', `${connectionId}/${table.tableName}/${columnName}`);
 				policies.push(
 					`permit(\n  principal,\n  action == RocketAdmin::Action::"column:read",\n  resource == ${columnRef}\n);`,
 				);
@@ -42,7 +55,7 @@ export function generateCedarPolicyForGroup(
 	permissions: IComplexPermission,
 ): string {
 	const policies: Array<string> = [];
-	const connectionRef = `RocketAdmin::Connection::"${connectionId}"`;
+	const connectionRef = cedarEntityRef('RocketAdmin::Connection', connectionId);
 
 	if (isMain) {
 		policies.push(`permit(\n  principal,\n  action,\n  resource\n);`);
@@ -69,7 +82,7 @@ export function generateCedarPolicyForGroup(
 
 	// Group permissions
 	const groupAccess = permissions.group.accessLevel;
-	const groupResourceRef = `RocketAdmin::Group::"${permissions.group.groupId}"`;
+	const groupResourceRef = cedarEntityRef('RocketAdmin::Group', permissions.group.groupId);
 	if (groupAccess === AccessLevelEnum.edit) {
 		policies.push(
 			`permit(\n  principal,\n  action == RocketAdmin::Action::"group:read",\n  resource == ${groupResourceRef}\n);`,
@@ -87,7 +100,7 @@ export function generateCedarPolicyForGroup(
 		let hasCreatePermission = false;
 		let hasReadPermission = false;
 		for (const dashboard of permissions.dashboards) {
-			const dashboardRef = `RocketAdmin::Dashboard::"${connectionId}/${dashboard.dashboardId}"`;
+			const dashboardRef = cedarEntityRef('RocketAdmin::Dashboard', `${connectionId}/${dashboard.dashboardId}`);
 			const access = dashboard.accessLevel;
 
 			if (access.read) {
@@ -110,7 +123,7 @@ export function generateCedarPolicyForGroup(
 				);
 			}
 		}
-		const newDashboardRef = `RocketAdmin::Dashboard::"${connectionId}/__new__"`;
+		const newDashboardRef = cedarEntityRef('RocketAdmin::Dashboard', `${connectionId}/__new__`);
 		if (hasReadPermission) {
 			policies.push(
 				`permit(\n  principal,\n  action == RocketAdmin::Action::"dashboard:read",\n  resource == ${newDashboardRef}\n);`,
@@ -127,7 +140,7 @@ export function generateCedarPolicyForGroup(
 		let hasPanelCreatePermission = false;
 		let hasPanelReadPermission = false;
 		for (const panel of permissions.panels) {
-			const panelRef = `RocketAdmin::Panel::"${connectionId}/${panel.panelId}"`;
+			const panelRef = cedarEntityRef('RocketAdmin::Panel', `${connectionId}/${panel.panelId}`);
 			const access = panel.accessLevel;
 
 			if (access.read) {
@@ -150,7 +163,7 @@ export function generateCedarPolicyForGroup(
 				);
 			}
 		}
-		const newPanelRef = `RocketAdmin::Panel::"${connectionId}/__new__"`;
+		const newPanelRef = cedarEntityRef('RocketAdmin::Panel', `${connectionId}/__new__`);
 		if (hasPanelReadPermission) {
 			policies.push(
 				`permit(\n  principal,\n  action == RocketAdmin::Action::"panel:read",\n  resource == ${newPanelRef}\n);`,
@@ -164,7 +177,7 @@ export function generateCedarPolicyForGroup(
 	}
 
 	for (const table of permissions.tables) {
-		const tableRef = `RocketAdmin::Table::"${connectionId}/${table.tableName}"`;
+		const tableRef = cedarEntityRef('RocketAdmin::Table', `${connectionId}/${table.tableName}`);
 		const access = table.accessLevel;
 
 		// triggerCustomAction is intentionally excluded from hasAnyAccess: triggering custom
@@ -181,7 +194,7 @@ export function generateCedarPolicyForGroup(
 			const readableColumns = table.readableColumns;
 			if (readableColumns && readableColumns.length > 0) {
 				for (const columnName of readableColumns) {
-					const columnRef = `RocketAdmin::Column::"${connectionId}/${table.tableName}/${columnName}"`;
+					const columnRef = cedarEntityRef('RocketAdmin::Column', `${connectionId}/${table.tableName}/${columnName}`);
 					policies.push(
 						`permit(\n  principal,\n  action == RocketAdmin::Action::"column:read",\n  resource == ${columnRef}\n);`,
 					);
@@ -223,7 +236,10 @@ export function generateCedarPolicyForGroup(
 	if (permissions.actionEvents) {
 		for (const event of permissions.actionEvents) {
 			if (!event.accessLevel?.trigger) continue;
-			const eventRef = `RocketAdmin::ActionEvent::"${connectionId}/${event.tableName}/${event.eventId}"`;
+			const eventRef = cedarEntityRef(
+				'RocketAdmin::ActionEvent',
+				`${connectionId}/${event.tableName}/${event.eventId}`,
+			);
 			policies.push(
 				`permit(\n  principal,\n  action == RocketAdmin::Action::"actionEvent:trigger",\n  resource == ${eventRef}\n);`,
 			);

backend/test/ava-tests/non-saas-tests/non-saas-cedar-policy-generator.test.ts

@@ -374,3 +374,50 @@ test('generatePublicCedarPolicy: only ever emits table:query and column:read act
 		t.true(action === 'table:query' || action === 'column:read', `unexpected action ${action}`);
 	}
 });
+
+test('generatePublicCedarPolicy escapes quotes/backslashes/newlines in table names (no policy injection)', (t) => {
+	const malicious = 'evil") ;\n\npermit(principal, action, resource);\n\n//';
+	const result = generatePublicCedarPolicy(connectionId, [{ tableName: malicious }]);
+	t.is(result.split('\n\n').length, 2);
+	t.true(result.includes('\\"'));
+	t.true(result.includes('\\n'));
+	const actions = [...result.matchAll(/action\s*==\s*RocketAdmin::Action::"([^"]+)"/g)].map((m) => m[1]);
+	t.deepEqual(new Set(actions), new Set(['table:query', 'column:read']));
+});
+
+test('generatePublicCedarPolicy escapes quotes/backslashes/newlines in column names (no policy injection)', (t) => {
+	const maliciousColumn = 'c") ;\npermit(principal, action, resource); //';
+	const result = generatePublicCedarPolicy(connectionId, [{ tableName: 'users', readableColumns: [maliciousColumn] }]);
+	t.is(result.split('\n\n').length, 2);
+	t.true(result.includes('\\"'));
+	const actions = [...result.matchAll(/action\s*==\s*RocketAdmin::Action::"([^"]+)"/g)].map((m) => m[1]);
+	t.deepEqual(new Set(actions), new Set(['table:query', 'column:read']));
+});
+
+test('generateCedarPolicyForGroup escapes malicious table names (no policy injection)', (t) => {
+	const malicious = 'evil") ;\n\npermit(principal, action, resource);\n\n//';
+	const result = generateCedarPolicyForGroup(
+		connectionId,
+		false,
+		makePermissions({
+			tables: [
+				{
+					tableName: malicious,
+					accessLevel: {
+						visibility: true,
+						readonly: true,
+						add: false,
+						delete: false,
+						edit: false,
+						aiRequest: false,
+						triggerCustomAction: false,
+					},
+				},
+			],
+		}),
+	);
+	t.is(result.split('\n\n').length, 2);
+	t.true(result.includes('\\"'));
+	const actions = [...result.matchAll(/action\s*==\s*RocketAdmin::Action::"([^"]+)"/g)].map((m) => m[1]);
+	t.deepEqual(new Set(actions), new Set(['table:query', 'column:read']));
+});