arangodb
diff --git a/‎CHANGELOG
Lines changed: 9 additions & 0 deletions b/‎CHANGELOG
Lines changed: 9 additions & 0 deletions
diff --git a/‎arangod/Aql/ExecutionPlan.cpp
Lines changed: 12 additions & 0 deletions b/‎arangod/Aql/ExecutionPlan.cpp
Lines changed: 12 additions & 0 deletions
diff --git a/‎arangod/Aql/Expression.cpp
Lines changed: 28 additions & 0 deletions b/‎arangod/Aql/Expression.cpp
Lines changed: 28 additions & 0 deletions
diff --git a/‎arangod/Aql/Expression.h
Lines changed: 3 additions & 0 deletions b/‎arangod/Aql/Expression.h
Lines changed: 3 additions & 0 deletions
diff --git a/‎tests/js/common/aql/aql-prune-expressions.js
Lines changed: 108 additions & 0 deletions b/‎tests/js/common/aql/aql-prune-expressions.js
Lines changed: 108 additions & 0 deletions
@@ -1,6 +1,15 @@
 v3.8.9 (XXXX-XX-XX)
 -------------------
 
+* Fixed issue #17291: Server crash on error in the PRUNE expression.
+  Traversal PRUNE expressions containing JavaScript user-defined functions
+  (UDFs) are now properly rejected in single server and cluster mode.
+  PRUNE expressions that use UDFs require a V8 context for execution, which is
+  not available on DB-servers in a cluster, and also isn't necessarily available
+  for regular queries on single servers (a V8 context is only available if a
+  query was executed inside Foxx or from inside a JS transaction, but not
+  otherwise).
+
 * Updated OpenSSL to 1.1.1s.
 
 * Solve a case of excessive memory consumption in certain AQL queries with IN
 
@@ -1191,6 +1191,18 @@ ExecutionNode* ExecutionPlan::fromNodeTraversal(ExecutionNode* previous, AstNode
   std::unique_ptr<Expression> pruneExpression =
       createPruneExpression(this, _ast, node->getMember(3));
 
+  std::string errorReason;
+  if (pruneExpression != nullptr &&
+      !pruneExpression->canBeUsedInPrune(_ast->query().vocbase().isOneShard(),
+                                         errorReason)) {
+    // PRUNE is designed to be executed inside a DBServer. Therefore, we need a
+    // check here and abort in cases which are just not allowed, e.g. execution
+    // of user defined JavaScript method or V8 based methods.
+    THROW_ARANGO_EXCEPTION_MESSAGE(
+        TRI_ERROR_QUERY_PARSE,
+        std::string("Invalid PRUNE expression: ") + errorReason);
+  }
+
   auto options =
       createTraversalOptions(getAst(), direction, node->getMember(4));
 
 
@@ -43,6 +43,7 @@
 #include "Basics/StringBuffer.h"
 #include "Basics/VPackStringBufferAdapter.h"
 #include "Basics/VelocyPackHelper.h"
+#include "Cluster/ServerState.h"
 #include "Transaction/Context.h"
 #include "Transaction/Helpers.h"
 #include "Transaction/Methods.h"
@@ -930,6 +931,15 @@ AqlValue Expression::invokeV8Function(ExpressionContext* expressionContext,
 /// @brief execute an expression of type SIMPLE, JavaScript variant
 AqlValue Expression::executeSimpleExpressionFCallJS(AstNode const* node,
                                                     bool& mustDestroy) {
+  if (ServerState::instance()->isDBServer()) {
+    // we actually should not get here, but in case we do due to some changes,
+    // it is better to abort the query with a proper error rather than crashing
+    // with assertion failure or segfault.
+    THROW_ARANGO_EXCEPTION_MESSAGE(
+        TRI_ERROR_NOT_IMPLEMENTED,
+        "user-defined functions cannot be executed on DB-Servers");
+  }
+
   auto member = node->getMemberUnchecked(0);
   TRI_ASSERT(member->type == NODE_TYPE_ARRAY);
 
@@ -1704,6 +1714,24 @@ bool Expression::willUseV8() {
   return (_type == SIMPLE && _node->willUseV8());
 }
 
+bool Expression::canBeUsedInPrune(bool isOneShard, std::string& errorReason) {
+  errorReason.clear();
+
+  if (willUseV8()) {
+    errorReason = "JavaScript expressions cannot be used inside PRUNE";
+    return false;
+  }
+  if (!canRunOnDBServer(isOneShard)) {
+    errorReason =
+        "PRUNE expression contains a function that cannot be used on "
+        "DB-Servers";
+    return false;
+  }
+
+  TRI_ASSERT(errorReason.empty());
+  return true;
+}
+
 std::unique_ptr<Expression> Expression::clone(Ast* ast, bool deepCopy) {
   // We do not need to copy the _ast, since it is managed by the
   // query object and the memory management of the ASTs
 
@@ -100,6 +100,9 @@ class Expression {
   /// @brief whether or not the expression will use V8
   bool willUseV8();
 
+  /// @brief whether or not the expression can be used inside a PRUNE statement
+  bool canBeUsedInPrune(bool isOneShard, std::string& errorReason);
+
   /// @brief clone the expression, needed to clone execution plans
   std::unique_ptr<Expression> clone(Ast* ast, bool deepCopy = false);
 
 
@@ -0,0 +1,108 @@
+/*jshint globalstrict:false, strict:false, maxlen: 500 */
+/*global AQL_EXPLAIN, assertEqual, fail */
+
+////////////////////////////////////////////////////////////////////////////////
+/// @brief tests for traversal optimization
+///
+/// DISCLAIMER
+///
+/// Copyright 2010-2014 triagens GmbH, Cologne, Germany
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     http://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+///
+/// Copyright holder is triAGENS GmbH, Cologne, Germany
+///
+/// @author Jan Steemann
+/// @author Copyright 2020, triAGENS GmbH, Cologne, Germany
+////////////////////////////////////////////////////////////////////////////////
+
+const jsunity = require("jsunity");
+const db = require("@arangodb").db;
+const internal = require("internal");
+const errors = internal.errors;
+  
+function PruneExpressionsSuite() {
+  const vn = "UnitTestsVertex";
+  const en = "UnitTestsEdge";
+  const udf = "test::fuchs";
+
+  let cleanup = function () {
+    db._drop(en);
+    db._drop(vn);
+
+    try {
+      require("@arangodb/aql/functions").unregister(udf);
+    } catch (err) {}
+  };
+
+  return {
+    setUpAll : function () {
+      cleanup();
+    
+      require("@arangodb/aql/functions").register(udf, function() { return '0'; });
+      
+      db._create(vn, { numberOfShards: 1 });
+      db._createEdgeCollection(en, { distributeShardsLike: vn, numberOfShards: 1 });
+
+      db[vn].insert({ _key: "test1", value: 1 });
+      db[vn].insert({ _key: "test2", value: 2 });
+      db[vn].insert({ _key: "test3", value: 3 });
+
+      db[en].insert({ _from: vn + "/test1", _to: vn + "/test2", value: 1 });
+      db[en].insert({ _from: vn + "/test2", _to: vn + "/test3", value: 0 });
+    },
+    
+    tearDownAll : function () {
+      cleanup();
+    },
+
+    testAllowedExpression: function () {
+      let q = `WITH ${vn} FOR v, e, p IN 1..3 OUTBOUND '${vn}/test1' ${en} PRUNE e.value == '0' RETURN v`;
+      let res = db._query(q).toArray();
+      assertEqual(2, res.length);
+    },
+
+    testV8Expression: function () {
+      let q = `WITH ${vn} FOR v, e, p IN 1..3 OUTBOUND '${vn}/test1' ${en} PRUNE e.value == V8('0') RETURN v`;
+      try {
+        db._query(q);
+        fail();
+      } catch (err) {
+        assertEqual(err.errorNum, errors.ERROR_QUERY_PARSE.code);
+      }
+    },
+    
+    testUDFExpression: function () {
+      let q = `WITH ${vn} FOR v, e, p IN 1..3 OUTBOUND '${vn}/test1' ${en} PRUNE e.value == ${udf}() RETURN v`;
+      try {
+        db._query(q);
+        fail();
+      } catch (err) {
+        assertEqual(err.errorNum, errors.ERROR_QUERY_PARSE.code);
+      }
+    },
+    
+    testSubqueryExpression: function () {
+      let q = `WITH ${vn} FOR v, e, p IN 1..3 OUTBOUND '${vn}/test1' ${en} PRUNE e.value == (FOR i IN 1..1 RETURN '0') RETURN v`;
+      try {
+        db._query(q);
+        fail();
+      } catch (err) {
+        assertEqual(err.errorNum, errors.ERROR_QUERY_PARSE.code);
+      }
+    },
+  };
+}
+
+jsunity.run(PruneExpressionsSuite);
+return jsunity.done();