
Comments (6)

gr2m avatar gr2m commented on August 25, 2024

Thanks Teddy, I’ll look into it

from graphql.js.

gr2m avatar gr2m commented on August 25, 2024

This is very interesting, thanks again for raising the issue! I haven’t worked with tagged templates yet; I’ll see how the escaping / replacement with variables could work. If I understand correctly, we want

  1. Prevent template literals outside of parameters by escaping them
  2. Replace template literals used in parameters with variables

I like the graphql(query, options) API as it works similar to request(route, options), I’d like to keep that. But I could imagine exposing a graphql.query function which could be a template tag function and only allow the result of that to be passed as a query in the request.

Such a GraphQL query parsing function sounds like a good utility that would be useful in general. Are you aware if it already exists? If not, it would be cool to build it independent of octokit, I think. Wanna collaborate on that? I know https://www.npmjs.com/package/graphql-tag but we don’t want to work with ASTs.


gr2m avatar gr2m commented on August 25, 2024

Does that look good?

example 1

const repoId = 123
const result = query`
  mutation {
    addStar(input: {clientMutationId: "x", starrableId: "${repoId}"}) {
      clientMutationId
    }
  }
`

result would now be:

{
  query: 'mutation {\n    addStar(input: {clientMutationId: "x", starrableId: "$starrableId"}) {\n      clientMutationId\n    }\n  }',
  variables: {
    starrableId: 123
  }
}

example 2

const fields = ['login', 'bio']
const result = query`
  {
    viewer {
      ${fields.join('\n')}
    }
  }
`

Throws an error:

Error: literals not allowed outside of parameters

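One way the query tag sketched in the two examples above could behave, as an added illustration (not code from octokit/graphql.js or from the commenter). It assumes a hole is a parameter value only when the text before it ends with an argument name and a colon inside an argument list, and, unlike the output shown above, it drops the surrounding quotes so that $starrableId is a variable reference rather than the string literal "$starrableId":

```javascript
// Added illustration (not octokit/graphql.js code) of a `query` tag that moves
// interpolated values into GraphQL variables and rejects interpolation anywhere
// else. Assumption: a hole counts as a parameter value only when the text before
// it ends with `argName:` (optionally followed by an opening quote) inside an
// argument list `( ... )`.
function query(strings, ...values) {
  const variables = {};
  let text = strings[0];
  for (let i = 0; i < values.length; i++) {
    let next = strings[i + 1];
    // `name:` or `name: "` immediately before the hole marks an argument value
    const m = /(\w+)\s*:\s*("?)$/.exec(text);
    if (!m || parenDepth(text) === 0) {
      throw new Error('literals not allowed outside of parameters');
    }
    if (m[2] === '"') {
      // the hole was quoted: drop both quotes so `$name` is a variable
      // reference rather than the string literal "$name"
      if (!next.startsWith('"')) {
        throw new Error(`unterminated string for parameter ${m[1]}`);
      }
      text = text.slice(0, -1);
      next = next.slice(1);
    }
    const name = uniqueName(m[1], variables);
    variables[name] = values[i]; // the raw value never enters the query text
    text += '$' + name + next;
  }
  return { query: text.trim(), variables };
}

// Number of unclosed `(` before the hole, ignoring parentheses inside string literals.
function parenDepth(text) {
  const code = text.replace(/"(?:[^"\\]|\\.)*"/g, '""');
  let depth = 0;
  for (const ch of code) {
    if (ch === '(') depth += 1;
    else if (ch === ')') depth -= 1;
  }
  return depth;
}

// The same argument name used twice (e.g. two `id:` holes) becomes id, id2, id3, ...
function uniqueName(base, variables) {
  let name = base;
  for (let n = 2; name in variables; n++) name = base + n;
  return name;
}
```

The returned object still lacks the variable declarations (mutation($starrableId: ID!)) a server expects; inferring those types is the part a template tag cannot do on its own.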

gr2m avatar gr2m commented on August 25, 2024

People might still want to construct dynamic queries; we could provide some workaround that makes clear that what they do has the danger of query injections.


not-an-aardvark avatar not-an-aardvark commented on August 25, 2024

Sounds good to me.


gr2m avatar gr2m commented on August 25, 2024

I've added a note to the README referencing this issue. I have decided not to change the API. Thanks for making me aware of the potential injection attack and for bearing with me :)

