Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[5.x]: False positives on GQL introspection query detection #15100

Closed
tremby opened this issue May 30, 2024 · 2 comments
Closed

[5.x]: False positives on GQL introspection query detection #15100

tremby opened this issue May 30, 2024 · 2 comments
Labels

Comments

@tremby
Copy link

tremby commented May 30, 2024

What happened?

Description

Any GQL query with the string __schema or __type in it, even if as part of other field names or type names or argument names or literal values or even a comment, is currently a signal to Craft that it's an introspection query, and this affects the validation logic.

Steps to reproduce

  1. Put a breakpoint or log near https://github.com/craftcms/cms/blob/5.x/src/services/Gql.php#L505

  2. Run a query which has the string __schema or __type. It can be in a comment. Something as simple as

    query { entries(limit: 1) {
      id # This is a comment. x__type__x
    } }

Expected behavior

Not treated as an introspection query.

Actual behavior

Treated as an introspection query.

Commentary

I have no idea how serious an issue this is. It's just something I noticed while looking at internals to figure out how the surrounding events can be used.

It looks from getValidationRules like complexity and depth rules will be ignored if Craft thinks it's an introspection query, and I would venture a guess that this could potentially cause issues where those features are in use.

Craft CMS version

5.x (tip at time of writing is 3824371)

PHP version

No response

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

No response

@brandonkelly
Copy link
Member

Thanks for reporting that! Fixed for the next Craft 4 and 5 releases.

@brandonkelly
Copy link
Member

Craft 4.9.6 and 5.1.8 are out now with that fix. Thanks again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants