fix: Upgrade protobufjs and fix legacy key decoding in Datastore (#8088)

* fix: upgrade protobufjs and fix legacy key decoding

Upgrades protobufjs to ^7.5.5 to address security vulnerabilities.
Introduces a fix for legacy App Engine key decoding by explicitly calling
.setup() on Reference, Path, and Element types. This ensures that group
support (wire types 3 and 4) is correctly initialized in newer versions
of protobufjs, which is required for these legacy keys.

Fixes the "invalid wire type 4" error in unit tests.

Co-authored-by: danieljbruce <8935272+danieljbruce@users.noreply.github.com>

* fix: upgrade protobufjs and fix legacy key decoding

Upgrades protobufjs to ^7.5.5 to address security vulnerabilities (GHSA-xq3m-2v4x-88gg).
Resolves a functional regression in decoding legacy App Engine keys by
explicitly calling .setup() on Reference, Path, and Element types. This
forces the generation of optimized decoders that correctly support
proto2 groups, preventing "invalid wire type 4" errors.

Adds 10+ regression tests for legacyDecode covering various scenarios.

Co-authored-by: danieljbruce <8935272+danieljbruce@users.noreply.github.com>

* fix: upgrade protobufjs and fix legacy key decoding with inverse tests

Upgrades protobufjs to ^7.5.5 to address security vulnerabilities (GHSA-xq3m-2v4x-88gg).
Resolves a functional regression in decoding legacy App Engine keys by
explicitly calling .setup() on Reference, Path, and Element types. This
forces the generation of optimized decoders that correctly support
proto2 groups, preventing "invalid wire type 4" errors.

Adds 10+ regression tests for legacyDecode and updates all legacy key tests
to verify that legacyDecode and legacyEncode are inverses of each other.

Co-authored-by: danieljbruce <8935272+danieljbruce@users.noreply.github.com>

* Apply suggestion from @gemini-code-assist[bot]

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* fix: Upgrade protobufjs and fix legacy key decoding in Datastore

* Remove the as any cast

* Add a describe block for the encode/decode tests

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: danieljbruce <8935272+danieljbruce@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: 3 people

handwritten/datastore/package.json

@@ -52,7 +52,7 @@
     "extend": "^3.0.2",
     "google-gax": "^5.0.2-rc.1",
     "is": "^3.3.0",
-    "protobufjs": "7.4.0",
+    "protobufjs": "^7.5.5",
     "split-array-stream": "^2.0.0",
     "stream-events": "^1.0.5"
   },

handwritten/datastore/src/entity.ts

@@ -1302,6 +1302,14 @@ export namespace entity {
         path.join(__dirname, '..', 'protos', 'app_engine_key.proto'),
       );
       loadedRoot.resolveAll();
+
+      // Ensure all types are initialized and setup correctly.
+      // In newer versions of protobufjs, this ensures group support
+      // is preserved for legacy keys.
+      for (const typeName of ['Reference', 'Path', 'Element']) {
+        loadedRoot.lookupType(typeName).setup();
+      }
+
       return loadedRoot.nested;
     }
 

handwritten/datastore/test/entity.ts

@@ -1800,6 +1800,10 @@ describe('entity', () => {
         const key = urlSafeKey.legacyDecode(encodedKey);
         assert.strictEqual(key.namespace, 'NS');
         assert.deepStrictEqual(key.path, ['Task', 'sampletask1']);
+        assert.strictEqual(
+          urlSafeKey.legacyEncode(PROJECT_ID, key, LOCATION_PREFIX),
+          encodedKey,
+        );
       });
 
       it('should decode key with single path element string type', () => {
@@ -1808,6 +1812,10 @@ describe('entity', () => {
         const key = urlSafeKey.legacyDecode(encodedKey);
         assert.strictEqual(key.namespace, undefined);
         assert.deepStrictEqual(key.path, ['Task', 'sampletask1']);
+        assert.strictEqual(
+          urlSafeKey.legacyEncode(PROJECT_ID, key),
+          encodedKey,
+        );
       });
 
       it('should decode key with single path element long int type', () => {
@@ -1816,6 +1824,10 @@ describe('entity', () => {
         const key = urlSafeKey.legacyDecode(encodedKey);
         assert.strictEqual(key.namespace, undefined);
         assert.deepStrictEqual(key.path, ['Task', '5754248394440704']);
+        assert.strictEqual(
+          urlSafeKey.legacyEncode(PROJECT_ID, key, LOCATION_PREFIX),
+          encodedKey,
+        );
       });
 
       it('should decode key with parent path', () => {
@@ -1831,6 +1843,69 @@ describe('entity', () => {
         ]);
         assert.strictEqual(key.parent!.name, 'sampletask1');
         assert.deepStrictEqual(key.parent!.path, ['Task', 'sampletask1']);
+        assert.strictEqual(
+          urlSafeKey.legacyEncode(PROJECT_ID, key, LOCATION_PREFIX),
+          encodedKey,
+        );
+      });
+
+      describe('should ensure that decode inverses encode and decoding is correct', () => {
+        const TEST_PROJECT = 'test-project';
+        const testCases = [
+          {name: 'numeric ID', path: ['Kind', '123']},
+          {name: 'string name with spaces', path: ['Kind', 'name with spaces']},
+          {name: 'special characters', path: ['Kind', 'special!@#$%^&*()']},
+          {
+            name: '3-level parent',
+            path: ['Grandparent', '1', 'Parent', 'p1', 'Child', '2'],
+          },
+          {
+            name: 'namespace and numeric ID',
+            path: ['Kind', '456'],
+            namespace: 'MyNS',
+          },
+          {
+            name: 'namespace and parent',
+            path: ['Parent', '1', 'Child', 'c1'],
+            namespace: 'MyNS',
+          },
+          {
+            name: 'long integer ID as string',
+            path: ['Kind', '9223372036854775807'],
+          },
+          {name: 'kind with hyphens', path: ['My-Kind', '1']},
+          {
+            name: 'different kinds in path',
+            path: ['User', 'user1', 'Post', '100', 'Comment', 'c1'],
+          },
+          {
+            name: 'same kinds in path',
+            path: ['Node', '1', 'Node', '2', 'Node', '3'],
+          },
+        ];
+
+        testCases.forEach(tc => {
+          it(`should decode and re-encode ${tc.name} correctly`, () => {
+            const key = new testEntity.Key({
+              path: tc.path,
+              namespace: tc.namespace,
+            });
+            const encoded = urlSafeKey.legacyEncode(
+              TEST_PROJECT,
+              key,
+              LOCATION_PREFIX,
+            );
+            const decoded = urlSafeKey.legacyDecode(encoded);
+            assert.strictEqual(decoded.namespace, tc.namespace);
+            assert.deepStrictEqual(decoded.path, tc.path);
+            const reEncoded = urlSafeKey.legacyEncode(
+              TEST_PROJECT,
+              decoded,
+              LOCATION_PREFIX,
+            );
+            assert.strictEqual(reEncoded, encoded);
+          });
+        });
       });
     });
   });