What happened?
Description
Any GQL query with the string __schema or __type in it, even if as part of other field names or type names or argument names or literal values or even a comment, is currently a signal to Craft that it's an introspection query, and this affects the validation logic.
Steps to reproduce
Put a breakpoint or log near https://github.com/craftcms/cms/blob/5.x/src/services/Gql.php#L505
Run a query which has the string __schema or __type. It can be in a comment. Something as simple as:
query {
  entries(limit: 1) {
    id # This is a comment. x__type__x
  }
}
Expected behavior
Not treated as an introspection query.
Actual behavior
Treated as an introspection query.
Commentary
I have no idea how serious an issue this is. It's just something I noticed while looking at internals to figure out how the surrounding events can be used.
It looks from getValidationRules like complexity and depth rules will be ignored if Craft thinks it's an introspection query, and I would venture a guess that this could potentially cause issues where those features are in use.
Craft CMS version
5.x (tip at time of writing is 3824371)
PHP version
No response
Operating system and version
No response
Database type and version
No response
Image driver and version
No response
Installed plugins and versions
No response
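One way to tell a selected introspection field from an incidental substring, as an added example (not Craft's code and not part of the original issue). `naiveIsIntrospection` is an assumed stand-in for the substring behaviour the issue describes, and `tokenAwareIsIntrospection` is a hypothetical lexical check; parsing the query into an AST and inspecting its field nodes is the more robust route.

```php
<?php
// Substring test modelled on the behaviour the issue describes (assumed, not Craft's source).
function naiveIsIntrospection(string $query): bool
{
    return str_contains($query, '__schema') || str_contains($query, '__type');
}
// Token-aware test (hypothetical): true only when __schema or __type is selected as a field.
function tokenAwareIsIntrospection(string $query): bool
{
    // Block strings, strings and comments are matched whole so nothing inside
    // them is read as a name; "$" and "@" stay attached to the name they prefix.
    $pattern = '/"""(?:\\\\"""|.)*?"""|"(?:\\\\.|[^"\\\\\n])*"|#[^\r\n]*'
        . '|\.\.\.|[$@]?[_A-Za-z][_0-9A-Za-z]*|[(){}:]/s';
    preg_match_all($pattern, $query, $matches);
    $tokens = array_values(array_filter($matches[0], fn ($t) => $t[0] !== '"' && $t[0] !== '#'));
    $braces = $parens = 0; // selection-set depth, argument/variable-definition depth
    foreach ($tokens as $i => $token) {
        $prev = $tokens[$i - 1] ?? '';
        if ($token === '(') {
            $parens++;
        } elseif ($token === ')') {
            $parens--;
        } elseif ($parens > 0) {
            continue; // argument names, values and input objects are never fields
        } elseif ($token === '{') {
            $braces++;
        } elseif ($token === '}') {
            $braces--;
        } elseif (($token === '__schema' || $token === '__type') && $braces > 0
            && ($tokens[$i + 1] ?? '') !== ':'                        // not an alias
            && $prev !== '...'                                        // not a fragment spread
            && !($prev === 'on' && ($tokens[$i - 2] ?? '') === '...') // not a type condition
        ) {
            return true;
        }
    }
    return false;
}

// Constructed sample queries: only the last one is real introspection.
$samples = [
    "query { entries(limit: 1) {\n  id # This is a comment. x__type__x\n} }",
    '{ entries { __typename id } }',
    '{ entries(search: "__schema") { id } }',
    '{ __schema { types { name } } }',
];
foreach ($samples as $q) {
    printf("naive=%s token-aware=%s\n", var_export(naiveIsIntrospection($q), true), var_export(tokenAwareIsIntrospection($q), true));
}
```

The substring test returns true for all four constructed queries, including the one that only selects `__typename`; the token-aware test returns true only for the last.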