fix(deno/booking-api): enforce UUID v4 in BOOKING_ID_REGEX

Author: gxjx-x

deno/booking-api/postgres-js/handlers.ts

@@ -34,11 +34,14 @@ import type { Sql } from "./db.ts";
 const MAX_JSON_BODY_BYTES = 16 * 1024;
 
 /**
- * Strict UUID v4 (RFC 4122) path regex for booking IDs. Matching upstream
- * returns 404 for obviously malformed IDs without reaching the DB layer.
+ * Strict UUID v4 (RFC 4122) path regex for booking IDs. Enforces the v4
+ * version nibble (third group starts with `4`) and variant nibble (fourth
+ * group starts with `8`, `9`, `a`, or `b`). Aurora DSQL's
+ * `gen_random_uuid()` emits v4, so valid booking IDs always match; matching
+ * upstream returns 404 for malformed IDs without reaching the DB layer.
  */
 const BOOKING_ID_REGEX =
-  /^\/bookings\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+  /^\/bookings\/[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
 
 // ---------------------------------------------------------------------------
 // Types

deno/booking-api/postgres-js/router.property.test.ts

@@ -49,9 +49,11 @@ const VALID_ENDPOINTS = [
 const ALL_METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"];
 
 /**
- * Generates a valid UUID-like booking ID for parameterized routes.
+ * Generates a valid UUID v4 booking ID for parameterized routes. Constrained
+ * to v4 because `handlers.ts` BOOKING_ID_REGEX only accepts v4 (matching
+ * what Aurora DSQL's `gen_random_uuid()` emits).
  */
-const bookingIdArb = fc.uuid();
+const bookingIdArb = fc.uuid({ version: 4 });
 
 /**
  * Generates a random path that does NOT match any booking endpoint.
@@ -161,6 +163,41 @@ Deno.test("property: wrong method on valid path returns 404", async () => {
   );
 });
 
+Deno.test("property: non-v4 UUID shapes on /bookings/:id return 404", async () => {
+  // The router's BOOKING_ID_REGEX enforces UUID v4 (third group starts with
+  // `4`, fourth with `[89ab]`). Aurora DSQL's gen_random_uuid() always emits
+  // v4, so anything else is malformed input and is rejected upstream without
+  // touching the DB. This property covers v1/v3/v5 and the NIL UUID.
+  const nonV4UuidArb = fc.oneof(
+    fc.uuid({ version: 1 }),
+    fc.uuid({ version: 3 }),
+    fc.uuid({ version: 5 }),
+    fc.constant("00000000-0000-0000-0000-000000000000"),
+  );
+
+  await fc.assert(
+    fc.asyncProperty(
+      fc.constantFrom("GET", "PUT", "DELETE"),
+      nonV4UuidArb,
+      async (method, id) => {
+        const opts: RequestInit = { method };
+        if (method === "PUT") {
+          opts.body = JSON.stringify({ booked_by: "test" });
+          opts.headers = { "Content-Type": "application/json" };
+        }
+
+        const req = new Request(`http://localhost:8000/bookings/${id}`, opts);
+        const res = await handleRequest(req, CTX);
+        assertEquals(res.status, 404);
+
+        const body = await res.json();
+        assertEquals(body.error, "Not Found");
+      },
+    ),
+    { numRuns: 50 },
+  );
+});
+
 Deno.test("property: jsonResponse always produces valid JSON with correct content-type", () => {
   fc.assert(
     fc.property(

deno/booking-api/postgres-js/validation.property.test.ts

@@ -83,9 +83,11 @@ Deno.test("property: POST /bookings rejects malformed JSON with 400", async () =
 });
 
 Deno.test("property: PUT /bookings/:id rejects malformed JSON with 400", async () => {
-  // Use a well-formed UUID so the router dispatches to updateBooking;
-  // the body parser then rejects malformed JSON with HTTP 400.
-  const validUuid = "00000000-0000-0000-0000-000000000000";
+  // Use a well-formed UUID v4 so the router dispatches to updateBooking;
+  // the body parser then rejects malformed JSON with HTTP 400. The third
+  // group starts with `4` (version) and the fourth with `8` (variant) to
+  // satisfy BOOKING_ID_REGEX in handlers.ts.
+  const validUuid = "00000000-0000-4000-8000-000000000000";
   await fc.assert(
     fc.asyncProperty(nonJsonStringArb, async (badBody) => {
       const req = new Request(