Merge commit from fork

* Fix injection issues

* Add exclusion /debug/vars key; consolidate func; apply to bulk and live loader too

Author: matthewmcneely

dgraph/cmd/alpha/http_test.go

@@ -827,24 +827,39 @@ func TestHealth(t *testing.T) {
 	require.True(t, info[0].Uptime > int64(time.Duration(1)))
 }
 
-// TestPprofCmdlineNotExposed ensures that /debug/pprof/cmdline is not reachable
-// without authentication. The endpoint exposes the full process command line,
-// which may include the admin token passed via --security "token=...".
-// The other pprof sub-endpoints should remain accessible.
-func TestPprofCmdlineNotExposed(t *testing.T) {
-	// cmdline must be blocked — it leaks the admin token from process args.
+// TestCmdlineEndpointsNotExposed ensures that endpoints which expose the full
+// process command line are not reachable without authentication. Both
+// /debug/pprof/cmdline (net/http/pprof) and /debug/vars (expvar, which
+// publishes os.Args as "cmdline") can leak the admin token passed via
+// --security "token=...".
+func TestCmdlineEndpointsNotExposed(t *testing.T) {
+	// /debug/pprof/cmdline must be blocked.
 	resp, err := http.Get(fmt.Sprintf("%s/debug/pprof/cmdline", addr))
 	require.NoError(t, err)
 	defer resp.Body.Close()
 	require.Equal(t, http.StatusNotFound, resp.StatusCode,
 		"/debug/pprof/cmdline should return 404; got %d", resp.StatusCode)
 
-	// Sanity-check that other pprof endpoints are still reachable.
-	resp2, err := http.Get(fmt.Sprintf("%s/debug/pprof/heap", addr))
+	// /debug/vars must still be reachable but must NOT include "cmdline".
+	resp2, err := http.Get(fmt.Sprintf("%s/debug/vars", addr))
 	require.NoError(t, err)
 	defer resp2.Body.Close()
 	require.Equal(t, http.StatusOK, resp2.StatusCode,
-		"/debug/pprof/heap should return 200; got %d", resp2.StatusCode)
+		"/debug/vars should return 200; got %d", resp2.StatusCode)
+	body, err := io.ReadAll(resp2.Body)
+	require.NoError(t, err)
+	var vars map[string]json.RawMessage
+	require.NoError(t, json.Unmarshal(body, &vars))
+	_, hasCmdline := vars["cmdline"]
+	require.False(t, hasCmdline,
+		"/debug/vars response must not contain the cmdline key")
+
+	// Sanity-check that other pprof endpoints are still reachable.
+	resp3, err := http.Get(fmt.Sprintf("%s/debug/pprof/heap", addr))
+	require.NoError(t, err)
+	defer resp3.Body.Close()
+	require.Equal(t, http.StatusOK, resp3.StatusCode,
+		"/debug/pprof/heap should return 200; got %d", resp3.StatusCode)
 }
 
 func setDrainingMode(t *testing.T, enable bool, accessJwt string) {

dgraph/cmd/alpha/run.go

@@ -620,16 +620,7 @@ func setupServer(closer *z.Closer, enableMcp bool) {
 		}
 	}
 
-	// Block /debug/pprof/cmdline — importing net/http/pprof registers it on
-	// http.DefaultServeMux, but it exposes the full process command line which
-	// may include the admin token from --security "token=...".
-	serverHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path == "/debug/pprof/cmdline" {
-			http.NotFound(w, r)
-			return
-		}
-		http.DefaultServeMux.ServeHTTP(w, r)
-	})
+	serverHandler := x.SanitizedDefaultServeMux()
 	go x.StartListenHttpAndHttps(httpListener, tlsCfg, x.ServerCloser, serverHandler)
 
 	go func() {

dgraph/cmd/alpha/upsert_test.go

@@ -2999,6 +2999,76 @@ func TestLargeStringIndex(t *testing.T) {
 		`{"predicate":"name_term","type":"string","index":true,"tokenizer":["term"]}`)
 }
 
+// TestDQLInjectionViaCondField is a security regression test for LEAD-001.
+// It verifies that a crafted cond field containing an injected DQL query block
+// is rejected by input validation before reaching the query builder.
+func TestDQLInjectionViaCondField(t *testing.T) {
+	require.NoError(t, dropAll())
+	require.NoError(t, alterSchema(`
+		name: string @index(exact) .
+		email: string @index(exact) .
+		secret: string .
+	`))
+
+	// Seed data that should NOT be readable via a mutation request.
+	seed := `{
+		set {
+			_:u1 <dgraph.type> "User" .
+			_:u1 <name> "Alice" .
+			_:u1 <email> "alice@example.com" .
+			_:u1 <secret> "SSN-111-22-3333" .
+
+			_:u2 <dgraph.type> "User" .
+			_:u2 <name> "Bob" .
+			_:u2 <email> "bob@example.com" .
+			_:u2 <secret> "API_KEY_secret_abc123" .
+		}
+	}`
+	_, err := mutationWithTs(mutationInp{body: seed, typ: "application/rdf", commitNow: true})
+	require.NoError(t, err)
+
+	// Craft the injection payload. The cond value closes the @if() clause and
+	// appends an entirely new named query block "leak" that would exfiltrate all
+	// data if the injection were not blocked.
+	injectionPayload := `{
+		"query": "{ q(func: uid(0x1)) { uid } }",
+		"mutations": [{
+			"set": [{"uid": "0x1", "dgraph.type": "Dummy"}],
+			"cond": "@if(eq(name, \"nonexistent\"))\n  leak(func: has(dgraph.type)) { uid dgraph.type name email secret }"
+		}]
+	}`
+
+	// The injection payload must be rejected by cond validation.
+	_, err = mutationWithTs(mutationInp{
+		body:      injectionPayload,
+		typ:       "application/json",
+		commitNow: true,
+	})
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "invalid cond value")
+
+	// Verify that no mutation was applied — the request was rejected entirely.
+	q := `{ q(func: has(dgraph.type)) { uid name } }`
+	res, _, err := queryWithTs(queryInp{body: q, typ: "application/dql"})
+	require.NoError(t, err)
+	require.NotContains(t, res, "Dummy")
+
+	// Verify that a legitimate conditional upsert still works.
+	legitimateUpsert := `{
+		"query": "{ q(func: eq(name, \"Alice\")) { v as uid } }",
+		"mutations": [{
+			"set": [{"uid": "uid(v)", "email": "alice-updated@example.com"}],
+			"cond": "@if(eq(len(v), 1))"
+		}]
+	}`
+	_, err = mutationWithTs(mutationInp{
+		body:      legitimateUpsert,
+		typ:       "application/json",
+		commitNow: true,
+	})
+	require.NoError(t, err)
+}
+
 func TestStringWithQuote(t *testing.T) {
 	require.NoError(t, dropAll())
 	require.NoError(t, alterSchemaWithRetry(`name: string @unique @index(exact) .`))

dgraph/cmd/bulk/run.go

@@ -280,7 +280,7 @@ func RunBulkLoader(opt BulkOptions) {
 	maxOpenFilesWarning()
 
 	go func() {
-		log.Fatal(http.ListenAndServe(opt.HttpAddr, nil))
+		log.Fatal(http.ListenAndServe(opt.HttpAddr, x.SanitizedDefaultServeMux()))
 	}()
 	http.HandleFunc("/jemalloc", x.JemallocHandler)
 

dgraph/cmd/debug/run.go

@@ -943,7 +943,7 @@ func run() {
 	go func() {
 		for i := 8080; i < 9080; i++ {
 			fmt.Printf("Listening for /debug HTTP requests at port: %d\n", i)
-			if err := http.ListenAndServe(fmt.Sprintf("localhost:%d", i), nil); err != nil {
+			if err := http.ListenAndServe(fmt.Sprintf("localhost:%d", i), x.SanitizedDefaultServeMux()); err != nil {
 				fmt.Println("Port busy. Trying another one...")
 				continue
 			}

dgraph/cmd/live/run.go

@@ -705,7 +705,7 @@ func run() error {
 	z.SetTmpDir(opt.tmpDir)
 
 	go func() {
-		if err := http.ListenAndServe(opt.httpAddr, nil); err != nil {
+		if err := http.ListenAndServe(opt.httpAddr, x.SanitizedDefaultServeMux()); err != nil {
 			glog.Errorf("Error while starting HTTP server: %+v", err)
 		}
 	}()

edgraph/server.go

@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"math"
 	"net"
+	"regexp"
 	"sort"
 	"strconv"
 	"strings"
@@ -709,11 +710,102 @@ func validateMutation(ctx context.Context, edges []*pb.DirectedEdge) error {
 	return nil
 }
 
+// validateCondValue checks that a cond string is a well-formed @if(...) or @filter(...)
+// clause with balanced parentheses and no trailing content. This prevents DQL injection
+// via crafted cond values that close the parenthesized expression and append additional
+// query blocks.
+func validateCondValue(cond string) error {
+	cond = strings.TrimSpace(cond)
+	if cond == "" {
+		return nil
+	}
+
+	lower := strings.ToLower(cond)
+	if !strings.HasPrefix(lower, "@if(") && !strings.HasPrefix(lower, "@filter(") {
+		return errors.Errorf("invalid cond value: must start with @if( or @filter(")
+	}
+
+	openIdx := strings.Index(cond, "(")
+	if openIdx == -1 {
+		return errors.Errorf("invalid cond value: missing opening parenthesis")
+	}
+
+	depth := 0
+	inString := false
+	escaped := false
+	closingIdx := -1
+
+	for i := openIdx; i < len(cond); i++ {
+		ch := cond[i]
+		if escaped {
+			escaped = false
+			continue
+		}
+		if ch == '\\' {
+			escaped = true
+			continue
+		}
+		if ch == '"' {
+			inString = !inString
+			continue
+		}
+		if inString {
+			continue
+		}
+		if ch == '(' {
+			depth++
+		} else if ch == ')' {
+			depth--
+			if depth == 0 {
+				closingIdx = i
+				break
+			}
+		}
+	}
+
+	if closingIdx == -1 {
+		return errors.Errorf("invalid cond value: unbalanced parentheses")
+	}
+
+	trailing := strings.TrimSpace(cond[closingIdx+1:])
+	if trailing != "" {
+		return errors.Errorf("invalid cond value: unexpected content after condition")
+	}
+
+	return nil
+}
+
+// valVarRegexp matches a valid val(variableName) reference used in upsert mutations.
+var valVarRegexp = regexp.MustCompile(`^val\([a-zA-Z_][a-zA-Z0-9_.]*\)$`)
+
+// validateValObjectId checks that an ObjectId starting with "val(" is a well-formed
+// val(variableName) reference and contains no injected DQL syntax.
+func validateValObjectId(objectId string) error {
+	if !valVarRegexp.MatchString(objectId) {
+		return errors.Errorf("invalid val() reference in ObjectId: %q", objectId)
+	}
+	return nil
+}
+
+// langTagRegexp matches a valid BCP 47 language tag (letters, digits, hyphens).
+var langTagRegexp = regexp.MustCompile(`^[a-zA-Z]+(-[a-zA-Z0-9]+)*$`)
+
+// validateLangTag checks that a language tag contains only safe characters.
+func validateLangTag(lang string) error {
+	if lang == "" {
+		return nil
+	}
+	if !langTagRegexp.MatchString(lang) {
+		return errors.Errorf("invalid language tag: %q", lang)
+	}
+	return nil
+}
+
 // buildUpsertQuery modifies the query to evaluate the
 // @if condition defined in Conditional Upsert.
-func buildUpsertQuery(qc *queryContext) string {
+func buildUpsertQuery(qc *queryContext) (string, error) {
 	if qc.req.Query == "" || len(qc.gmuList) == 0 {
-		return qc.req.Query
+		return qc.req.Query, nil
 	}
 
 	qc.condVars = make([]string, len(qc.req.Mutations))
@@ -724,6 +816,10 @@ func buildUpsertQuery(qc *queryContext) string {
 	for i, gmu := range qc.gmuList {
 		isCondUpsert := strings.TrimSpace(gmu.Cond) != ""
 		if isCondUpsert {
+			if err := validateCondValue(gmu.Cond); err != nil {
+				return "", err
+			}
+
 			qc.condVars[i] = fmt.Sprintf("__dgraph_upsertcheck_%v__", strconv.Itoa(i))
 			qc.uidRes[qc.condVars[i]] = nil
 			// @if in upsert is same as @filter in the query
@@ -753,7 +849,7 @@ func buildUpsertQuery(qc *queryContext) string {
 	}
 
 	x.Check2(upsertQB.WriteString(`}`))
-	return upsertQB.String()
+	return upsertQB.String(), nil
 }
 
 // updateMutations updates the mutation and replaces uid(var) and val(var) with
@@ -1581,7 +1677,11 @@ func parseRequest(ctx context.Context, qc *queryContext) error {
 
 		qc.uidRes = make(map[string][]string)
 		qc.valRes = make(map[string]*types.ShardedMap)
-		upsertQuery = buildUpsertQuery(qc)
+		var err error
+		upsertQuery, err = buildUpsertQuery(qc)
+		if err != nil {
+			return err
+		}
 		needVars = findMutationVars(qc)
 		if upsertQuery == "" {
 			if len(needVars) > 0 {
@@ -1777,6 +1877,9 @@ func addQueryIfUnique(qctx context.Context, qc *queryContext) error {
 			// during the automatic serialization of a structure into JSON.
 			predicateName := fmt.Sprintf("<%v>", pred.Predicate)
 			if pred.Lang != "" {
+				if err := validateLangTag(pred.Lang); err != nil {
+					return err
+				}
 				predicateName = fmt.Sprintf("%v@%v", predicateName, pred.Lang)
 			}
 
@@ -1814,6 +1917,9 @@ func addQueryIfUnique(qctx context.Context, qc *queryContext) error {
 				}
 				qc.uniqueVars[uniqueVarMapKey] = uniquePredMeta{queryVar: queryVar}
 			} else {
+				if err := validateValObjectId(pred.ObjectId); err != nil {
+					return err
+				}
 				valQueryVar := fmt.Sprintf("__dgraph_uniquecheck_val_%v__", uniqueVarMapKey)
 				query := fmt.Sprintf(`%v as var(func: eq(%v,%v)){
 					                             uid