-
Notifications
You must be signed in to change notification settings - Fork 299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhance GraphQL request body checks to prevent 500 Error #726
Comments
spring-projects-issues
added
the
status: waiting-for-triage
An issue we've not yet triaged
label
Jun 19, 2023
rstoyanchev
added
type: enhancement
A general enhancement
and removed
status: waiting-for-triage
An issue we've not yet triaged
labels
Jun 20, 2023
rstoyanchev
changed the title
Validate GraphQL request bodies to prevent 500 Internal Server Error
Enhance GraphQL request body checks to prevent 500 Error
Jun 20, 2023
There is a fix for 1.2.1, also backported to 1.1.5 with #733. Both are due today. |
@rstoyanchev did you mean 1.1.5? |
@rstoyanchev Darn. I upgraded to 1.1.5, but I think it depends on Java 17
My org is stuck on Java 11 right now for reasons outside my control. I was hoping that Java 17/Spring Framework 6.0 corresponded to Spring-GraphQL 1.2.x |
We can backport this to 1.0.x as well. I've created #735. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
An automated scanning tool at my organization found that when the request body is not well-formed, Spring GraphQL (tested v. 1.0.4) generates
500 Internal Server Error
where400 Bad Request
is expected.Consider the following example request:
Obviously
variables
should be an object, not a string. One would expect this request to product a400 Bad Request
messsage, but instead the server returns500 Internal Server Error
:Stack trace:
The error occurs when
WebGraphQLRequest
extracts thevariables
key of the request via<T> T getKey(String key, Map<String, Object> body)
.Only the presence of the key is checked, not its type.
getKey()
could expect aParameterizedTypeReference<T>
of the expected type, or the caller could use a library like Jackson to reinterpret the request body into a class with known-type keys.As it stands, I'm looking at writing a custom filter to detect and validate GraphQL requests, but it seems like something that would be better done inside the library.
The text was updated successfully, but these errors were encountered: