harden: validate view database names in mapreduce cleanup

l3tchupkt · l3tchupkt · commit 0608b3354b2c · 2026-04-04T15:16:59.000+05:30
- Add strict whitelist validation for database names (alphanumeric, underscore, hyphen, max 100 chars)
- Prevent path traversal and injection attacks in view operations
- Apply validation at both createView and localViewCleanup
- Non-breaking: log warnings and skip invalid entries
- Add comprehensive test coverage
diff --git a/packages/node_modules/pouchdb-abstract-mapreduce/src/createView.js b/packages/node_modules/pouchdb-abstract-mapreduce/src/createView.js
@@ -15,9 +15,8 @@ async function createView(sourceDB, viewName, mapFun, reduceFun, temporary, loca
   }
 
   const promiseForView = sourceDB.info().then(async function (info) {
-    // Validate db_name to prevent path traversal in view database names
-    var dbNameRegex = /^[^<>:"|?*]+$/;
-    if (!dbNameRegex.test(info.db_name)) {
+    // Validate db_name - strict whitelist: only alphanumeric, underscore, hyphen, max 100 chars
+    if (!/^[a-zA-Z0-9_-]{1,100}$/.test(info.db_name)) {
       console.warn('[PouchDB] Skipping unsafe db_name:', info.db_name);
       return;
     }
diff --git a/packages/node_modules/pouchdb-abstract-mapreduce/src/index.js b/packages/node_modules/pouchdb-abstract-mapreduce/src/index.js
@@ -922,7 +922,7 @@ function createAbstractMapReduce(localDocName, mapper, reducer, ddocValidator) {
   }
 
   async function localViewCleanup(db) {
-    const viewDbRegex = /^[^<>:"|?*]+-mrview-[a-f0-9]{32}$/;
+    const viewDbRegex = /^[a-zA-Z0-9_-]{1,100}-mrview-[a-f0-9]{32}$/;
     try {
       const metaDoc = await db.get('_local/' + localDocName);
       const docsToViews = new Map();
diff --git a/tests/mapreduce/test.view-cleanup-validation.js b/tests/mapreduce/test.view-cleanup-validation.js
@@ -90,11 +90,11 @@ describe('database name validation', function () {
   it('should allow valid database names with various formats', async function() {
     this.timeout(10000);
     const validDbNames = [
-      'mydb',
-      'my-db',
-      'my_db',
-      'my123db',
-      'MyDb'
+      'mydb-test-1',
+      'my-db-test-2',
+      'my_db-test-3',
+      'my123db-test-4',
+      'MyDb-test-5'
     ];
     
     for (const dbName of validDbNames) {
@@ -115,7 +115,15 @@ describe('database name validation', function () {
       const res = await db.query('test/test');
       res.rows.should.have.length(1);
       
-      await db.destroy();
+      // Cleanup with error handling
+      try {
+        await db.destroy();
+      } catch (e) {
+        // Ignore cleanup errors on Windows
+        if (!e.message.includes('being used by another process')) {
+          throw e;
+        }
+      }
     }
   });
 });

Original file line number	Diff line number	Diff line change
`@@ -15,9 +15,8 @@ async function createView(sourceDB, viewName, mapFun, reduceFun, temporary, loca`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`const promiseForView = sourceDB.info().then(async function (info) {`
`18`		`- // Validate db_name to prevent path traversal in view database names`
`19`		`- var dbNameRegex = /^[^<>:"\|?*]+$/;`
`20`		`- if (!dbNameRegex.test(info.db_name)) {`
	`18`	`+ // Validate db_name - strict whitelist: only alphanumeric, underscore, hyphen, max 100 chars`
	`19`	`+ if (!/^[a-zA-Z0-9_-]{1,100}$/.test(info.db_name)) {`
`21`	`20`	`console.warn('[PouchDB] Skipping unsafe db_name:', info.db_name);`
`22`	`21`	`return;`
`23`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -922,7 +922,7 @@ function createAbstractMapReduce(localDocName, mapper, reducer, ddocValidator) {`
`922`	`922`	`}`
`923`	`923`
`924`	`924`	`async function localViewCleanup(db) {`
`925`		`- const viewDbRegex = /^[^<>:"\|?*]+-mrview-[a-f0-9]{32}$/;`
	`925`	`+ const viewDbRegex = /^[a-zA-Z0-9_-]{1,100}-mrview-[a-f0-9]{32}$/;`
`926`	`926`	`try {`
`927`	`927`	`const metaDoc = await db.get('_local/' + localDocName);`
`928`	`928`	`const docsToViews = new Map();`