fix: 6 cache poisoning bugs + security hardening

Cache key fixes (query-do.ts, local-executor.ts):
- computedColumns used cc.name (undefined) instead of cc.alias
- setOperation used .type/.table (undefined) instead of .mode/.right
- subqueryIn treated array as single object instead of iterating
- distinct only hashed presence, not column names
- windows missing partitionBy/orderBy/frame/args fields
- join entirely absent from cache key
- version missing from query-do.ts
- Added \0 separators between all hash inputs to prevent concatenation ambiguity

Security hardening:
- Gate /upload endpoint behind DEV_MODE env var (worker.ts)
- Add path traversal validation on table names (query-schema.ts)
- Add DEV_MODE to Env interface (types.ts)

Author: teamchong

src/local-executor.ts

@@ -367,30 +367,37 @@ export class LocalExecutor implements QueryExecutor {
   private queryCacheKey(query: QueryDescriptor): string {
     let h = 0x811c9dc5;
     const feed = (s: string) => { for (let i = 0; i < s.length; i++) { h ^= s.charCodeAt(i); h = Math.imul(h, 0x01000193); } };
-    feed(query.table);
+    feed(query.table); feed("\0");
+    if (query.version !== undefined) { feed(`v${query.version}`); feed("\0"); }
     for (const f of [...query.filters].sort((a, b) => a.column.localeCompare(b.column) || a.op.localeCompare(b.op))) {
-      feed(f.column); feed(f.op); feed(String(f.value));
+      feed(f.column); feed("\0"); feed(f.op); feed("\0"); feed(String(f.value)); feed("\0");
     }
-    for (const p of [...query.projections].sort()) feed(p);
-    if (query.sortColumn) { feed(query.sortColumn); feed(query.sortDirection ?? "asc"); }
-    if (query.limit !== undefined) feed(String(query.limit));
-    if (query.offset !== undefined) feed(String(query.offset));
     if (query.filterGroups) {
       for (const group of query.filterGroups) {
         feed("|");
         for (const f of [...group].sort((a, b) => a.column.localeCompare(b.column) || a.op.localeCompare(b.op))) {
-          feed(f.column); feed(f.op); feed(String(f.value));
+          feed(f.column); feed("\0"); feed(f.op); feed("\0"); feed(String(f.value)); feed("\0");
         }
       }
     }
-    if (query.aggregates) for (const a of query.aggregates) { feed(a.fn); feed(a.column); if (a.alias) feed(a.alias); }
-    if (query.groupBy) for (const g of query.groupBy) feed(g);
-    if (query.distinct) feed("distinct");
-    if (query.version !== undefined) feed(`v${query.version}`);
-    if (query.windows) for (const w of query.windows) { feed(w.fn); feed(w.alias); feed(w.column ?? ""); }
-    if (query.computedColumns) for (const cc of query.computedColumns) feed(cc.name);
-    if (query.setOperation) { feed(query.setOperation.type); feed(query.setOperation.table); }
-    if (query.subqueryIn) { feed(query.subqueryIn.column); feed(query.subqueryIn.table); }
+    for (const p of [...query.projections].sort()) { feed(p); feed("\0"); }
+    if (query.sortColumn) { feed(query.sortColumn); feed("\0"); feed(query.sortDirection ?? "asc"); feed("\0"); }
+    if (query.limit !== undefined) { feed(String(query.limit)); feed("\0"); }
+    if (query.offset !== undefined) { feed(String(query.offset)); feed("\0"); }
+    if (query.aggregates) for (const a of query.aggregates) { feed(a.fn); feed("\0"); feed(a.column); feed("\0"); if (a.alias) feed(a.alias); feed("\0"); }
+    if (query.groupBy) for (const g of query.groupBy) { feed(g); feed("\0"); }
+    if (query.distinct) for (const d of query.distinct) { feed(d); feed("\0"); }
+    if (query.windows) for (const w of query.windows) {
+      feed(w.fn); feed("\0"); feed(w.alias); feed("\0"); feed(w.column ?? ""); feed("\0");
+      if (w.partitionBy) for (const p of w.partitionBy) { feed(p); feed("\0"); }
+      if (w.orderBy) for (const o of w.orderBy) { feed(o.column); feed(o.direction); feed("\0"); }
+      if (w.frame) { feed(w.frame.type); feed(String(w.frame.start)); feed(String(w.frame.end)); feed("\0"); }
+      if (w.args?.offset !== undefined) { feed(String(w.args.offset)); feed("\0"); }
+    }
+    if (query.computedColumns) for (const cc of query.computedColumns) { feed(cc.alias); feed("\0"); }
+    if (query.setOperation) { feed(query.setOperation.mode); feed("\0"); feed(this.queryCacheKey(query.setOperation.right)); feed("\0"); }
+    if (query.subqueryIn) for (const sq of query.subqueryIn) { feed(sq.column); feed("\0"); for (const v of sq.valueSet) { feed(v); feed("\0"); } }
+    if (query.join) { feed(query.join.type ?? "inner"); feed("\0"); feed(query.join.leftKey); feed("\0"); feed(query.join.rightKey); feed("\0"); feed(this.queryCacheKey(query.join.right)); feed("\0"); }
     return `qr:${query.table}:${(h >>> 0).toString(36)}`;
   }
 

src/query-do.ts

@@ -662,29 +662,37 @@ export class QueryDO extends DurableObject<Env> {
     // FNV-1a hash over query components — no JSON serialization
     let h = 0x811c9dc5;
     const feed = (s: string) => { for (let i = 0; i < s.length; i++) { h ^= s.charCodeAt(i); h = Math.imul(h, 0x01000193); } };
-    feed(query.table);
+    feed(query.table); feed("\0");
+    if (query.version !== undefined) { feed(`v${query.version}`); feed("\0"); }
     for (const f of [...query.filters].sort((a, b) => a.column.localeCompare(b.column) || a.op.localeCompare(b.op))) {
-      feed(f.column); feed(f.op); feed(String(f.value));
+      feed(f.column); feed("\0"); feed(f.op); feed("\0"); feed(String(f.value)); feed("\0");
     }
     if (query.filterGroups) {
       for (const group of query.filterGroups) {
-        feed("|"); // group separator
+        feed("|");
         for (const f of [...group].sort((a, b) => a.column.localeCompare(b.column) || a.op.localeCompare(b.op))) {
-          feed(f.column); feed(f.op); feed(String(f.value));
+          feed(f.column); feed("\0"); feed(f.op); feed("\0"); feed(String(f.value)); feed("\0");
         }
       }
     }
-    for (const p of [...query.projections].sort()) feed(p);
-    if (query.sortColumn) { feed(query.sortColumn); feed(query.sortDirection ?? "asc"); }
-    if (query.limit !== undefined) feed(String(query.limit));
-    if (query.offset !== undefined) feed(String(query.offset));
-    if (query.aggregates) for (const a of query.aggregates) { feed(a.fn); feed(a.column); if (a.alias) feed(a.alias); }
-    if (query.groupBy) for (const g of query.groupBy) feed(g);
-    if (query.distinct) feed("distinct");
-    if (query.windows) for (const w of query.windows) { feed(w.fn); feed(w.alias); feed(w.column ?? ""); }
-    if (query.computedColumns) for (const cc of query.computedColumns) feed(cc.name);
-    if (query.setOperation) { feed(query.setOperation.type); feed(query.setOperation.table); }
-    if (query.subqueryIn) { feed(query.subqueryIn.column); feed(query.subqueryIn.table); }
+    for (const p of [...query.projections].sort()) { feed(p); feed("\0"); }
+    if (query.sortColumn) { feed(query.sortColumn); feed("\0"); feed(query.sortDirection ?? "asc"); feed("\0"); }
+    if (query.limit !== undefined) { feed(String(query.limit)); feed("\0"); }
+    if (query.offset !== undefined) { feed(String(query.offset)); feed("\0"); }
+    if (query.aggregates) for (const a of query.aggregates) { feed(a.fn); feed("\0"); feed(a.column); feed("\0"); if (a.alias) feed(a.alias); feed("\0"); }
+    if (query.groupBy) for (const g of query.groupBy) { feed(g); feed("\0"); }
+    if (query.distinct) for (const d of query.distinct) { feed(d); feed("\0"); }
+    if (query.windows) for (const w of query.windows) {
+      feed(w.fn); feed("\0"); feed(w.alias); feed("\0"); feed(w.column ?? ""); feed("\0");
+      if (w.partitionBy) for (const p of w.partitionBy) { feed(p); feed("\0"); }
+      if (w.orderBy) for (const o of w.orderBy) { feed(o.column); feed(o.direction); feed("\0"); }
+      if (w.frame) { feed(w.frame.type); feed(String(w.frame.start)); feed(String(w.frame.end)); feed("\0"); }
+      if (w.args?.offset !== undefined) { feed(String(w.args.offset)); feed("\0"); }
+    }
+    if (query.computedColumns) for (const cc of query.computedColumns) { feed(cc.alias); feed("\0"); }
+    if (query.setOperation) { feed(query.setOperation.mode); feed("\0"); feed(this.queryKey(query.setOperation.right)); feed("\0"); }
+    if (query.subqueryIn) for (const sq of query.subqueryIn) { feed(sq.column); feed("\0"); for (const v of sq.valueSet) { feed(v); feed("\0"); } }
+    if (query.join) { feed(query.join.type ?? "inner"); feed("\0"); feed(query.join.leftKey); feed("\0"); feed(query.join.rightKey); feed("\0"); feed(this.queryKey(query.join.right)); feed("\0"); }
     return `qr:${query.table}:${(h >>> 0).toString(36)}`;
   }
 

src/query-schema.ts

@@ -34,7 +34,8 @@ const vectorSearchSchema = z.object({
 });
 
 export const queryDescriptorSchema = z.object({
-  table: z.string().min(1, "Table name is required"),
+  table: z.string().min(1, "Table name is required")
+    .refine(s => !s.includes("..") && !s.startsWith("/"), "Invalid table name"),
   filters: z.array(filterOpSchema).default([]),
   projections: z.array(z.string()).default([]),
   select: z.array(z.string()).optional(), // alias for projections

src/types.ts

@@ -356,6 +356,8 @@ export interface Env {
   MASTER_DO: DurableObjectNamespace;
   QUERY_DO: DurableObjectNamespace;
   FRAGMENT_DO: DurableObjectNamespace;
+  /** Set to truthy in wrangler.toml [vars] to enable /upload endpoint. */
+  DEV_MODE?: string;
 }
 
 /** RPC interface exposed by QueryDO for zero-serialization calls */

src/worker.ts

@@ -78,10 +78,13 @@ export default {
         return json(base, 200, headers);
       }
 
-      // Direct R2 upload (local dev only)
+      // Direct R2 upload (local dev only — blocked in production)
       if (url.pathname === "/upload" && request.method === "POST") {
+        if (!env.DEV_MODE) return json({ error: "upload disabled" }, 403);
         const key = url.searchParams.get("key");
-        if (!key) return new Response("Missing ?key=", { status: 400 });
+        if (!key || key.includes("..") || key.startsWith("/")) {
+          return json({ error: "invalid key" }, 400);
+        }
         await resolveBucket(env, key).put(key, request.body);
         return json({ uploaded: key });
       }