Enhance request body check

Closes gh-726
This commit is contained in:
rstoyanchev
2023-06-20 08:00:26 +01:00
parent 9ff1691462
commit 1406ca2218
2 changed files with 81 additions and 7 deletions


@@ -84,8 +84,7 @@ public class WebGraphQlRequest extends DefaultExecutionGraphQlRequest implements
URI uri, HttpHeaders headers, @Nullable MultiValueMap<String, HttpCookie> cookies,
Map<String, Object> attributes, Map<String, Object> body, String id, @Nullable Locale locale) {
super(getKey("query", body), getKey("operationName", body), getKey("variables", body),
getKey("extensions", body), id, locale);
super(getQuery(body), getOperation(body), getMap("variables", body), getMap("extensions", body), id, locale);
Assert.notNull(uri, "URI is required'");
Assert.notNull(headers, "HttpHeaders is required'");
@@ -96,12 +95,31 @@ public class WebGraphQlRequest extends DefaultExecutionGraphQlRequest implements
this.attributes = Collections.unmodifiableMap(attributes);
}
@SuppressWarnings("unchecked")
private static <T> T getKey(String key, Map<String, Object> body) {
if (key.equals("query") && !StringUtils.hasText((String) body.get(key))) {
throw new ServerWebInputException("No \"query\" in the request document");
private static String getQuery(Map<String, Object> body) {
Object value = body.get("query");
if (!(value instanceof String query) || !StringUtils.hasText(query)) {
throw new ServerWebInputException("Invalid value for 'query'");
}
return (T) body.get(key);
return (String) value;
}
@Nullable
private static String getOperation(Map<String, Object> body) {
Object value = body.get("operation");
if (value != null && !(value instanceof String)) {
throw new ServerWebInputException("Invalid value for 'operation'");
}
return (String) value;
}
@SuppressWarnings("unchecked")
@Nullable
private static Map<String, Object> getMap(String key, Map<String, Object> body) {
Object value = body.get(key);
if (value != null && !(value instanceof Map)) {
throw new ServerWebInputException("Invalid value for '" + key + "'");
}
return (Map<String, Object>) value;
}
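Review bot: `getOperation` reads `body.get("operation")`, but the constructor call it replaces used `getKey("operationName", body)`, so the operation name a client sends under `operationName` now always resolves to null and only a non-string value under the unrelated `operation` key is rejected. The fix is `Object value = body.get("operationName");` together with the message `"Invalid value for 'operationName'"`, and the new WebGraphQlRequestTests case should use that same key so the test actually exercises the key the constructor consumes. In `getMap`, the `instanceof Map` check rejects non-maps but the unchecked cast to `Map<String, Object>` presumably relies on the deserializer producing string keys; a short comment such as `// keys are assumed to be Strings, as produced by the JSON body deserializer` would make that explicit. The enclosing class continues outside the hunk.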


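--- /dev/null
+++ b/<src-test-root>/org/springframework/graphql/server/WebGraphQlRequestTests.java
@@ -0,0 +1,56 @@
+/*
+* Copyright 2002-2023 the original author or authors.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* https://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.springframework.graphql.server;
+import java.net.URI;
+import java.util.Collections;
+import java.util.Map;
+import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.web.server.ServerWebInputException;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+/**
+* Unit tests for {@link WebGraphQlRequest}.
+*
+* @author Rossen Stoyanchev
+*/
+public class WebGraphQlRequestTests {
+@Test // gh-726
+void invalidBody() {
+testInvalidBody(Map.of());
+testInvalidBody(Map.of("query", Collections.emptyMap()));
+testInvalidBody(Map.of("query", "query { foo }", "operation", Collections.emptyMap()));
+testInvalidBody(Map.of("query", "query { foo }", "variables", "not-a-map"));
+testInvalidBody(Map.of("query", "query { foo }", "extensions", "not-a-map"));
+}
+private void testInvalidBody(Map<String, Object> body) {
+assertThatThrownBy(() ->
+new WebGraphQlRequest(
+URI.create("/graphql"), new HttpHeaders(), new LinkedMultiValueMap<>(),
+Collections.emptyMap(), body, "1", null))
+.isInstanceOf(ServerWebInputException.class);
+}
+}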
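Review bot: `invalidBody` only checks that malformed bodies are rejected; there is no positive case showing that a well-formed body (a string `query` plus map-typed `variables` and `extensions`) constructs a request whose getters return those values, so a mismatch between the keys the constructor reads and the keys the test sends would pass unnoticed. A companion test that builds one valid request with the same constructor arguments as `testInvalidBody` and asserts on the resulting document and variables would pin the accepted shape. The assertion also only checks the exception type; matching on the message text, e.g. `.hasMessageContaining("query")` for the first two cases, would additionally verify that the right key is reported.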