graphql
Lexer - Possibility to pass invalid characters (e.g. null byte)
Even though the lexer checks that input data does not contain some invalid characters (https://github.com/graphql-go/graphql/blob/v0.7.9/language/lexer/lexer.go#L235), it is possible to use them, just by sending them as "plain text".
For example, the input string "ABC\u0041", instead of being interpreted as "ABC\u0041", is changed to "ABCA".
Example code:
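```go
package lexer

import (
	"testing"

	"github.com/graphql-go/graphql/language/source"
)

func TestReadString(t *testing.T) {
	input := `mutation{
requestRefund(input:{
clientMutationId:"2"
nr:"6849905030\u0041"
}){
clientMutationId
}
}`
	inputSource := source.Source{Body: []byte(input)}
	// Lex one token starting at byte offset 64 of the query.
	token, _ := readToken(source.NewSource(&inputSource), 64)
	// Fails unless the token value still holds the escape as raw text.
	if token.Value != `6849905030\u0041` {
		t.Fatal("token incorrect")
	}
}
```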
https://github.com/graphql-go/graphql/blob/v0.7.9/language/lexer/lexer.go#L281 probably requires the same check as here: https://github.com/graphql-go/graphql/blob/v0.7.9/language/lexer/lexer.go#L235
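The check proposed above, as an added sketch that is neither the reporter's nor graphql-go's code: a simplified string reader that validates raw characters only, next to a mode that applies the same test to the character an escape decodes to. The names `readString` and `invalidChar`, the rule "below U+0020 except tab", and the constructed inputs are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// invalidChar is the assumed rule: control characters below U+0020 except tab.
func invalidChar(r rune) bool { return r < 0x20 && r != '\t' }

// readString decodes the text between a string literal's quotes (\uXXXX only).
// checkDecoded=false mirrors the report: raw characters are validated, the
// character produced by an escape is not. checkDecoded=true validates both.
func readString(body string, checkDecoded bool) (string, error) {
	rs := []rune(body)
	var out strings.Builder
	for i := 0; i < len(rs); i++ {
		r := rs[i]
		if invalidChar(r) {
			return "", fmt.Errorf("invalid character %U at offset %d", r, i)
		}
		if r != '\\' {
			out.WriteRune(r)
			continue
		}
		if i+5 >= len(rs) || rs[i+1] != 'u' {
			return "", fmt.Errorf("unsupported or truncated escape at offset %d", i)
		}
		n, err := strconv.ParseUint(string(rs[i+2:i+6]), 16, 16)
		if err != nil {
			return "", fmt.Errorf("bad \\u escape at offset %d", i)
		}
		d := rune(n)
		if checkDecoded && invalidChar(d) {
			return "", fmt.Errorf("escape at offset %d decodes to invalid character %U", i, d)
		}
		out.WriteRune(d)
		i += 5 // skip "uXXXX"; the loop increment skips the backslash
	}
	return out.String(), nil
}

func main() {
	for _, in := range []string{"abc\x00", `abc\u0000`, `6849905030\u0041`} { // constructed inputs
		loose, e1 := readString(in, false)
		strict, e2 := readString(in, true)
		fmt.Printf("%q: loose=%q (%v) strict=%q (%v)\n", in, loose, e1, strict, e2)
	}
}
```

With `checkDecoded` off, a raw NUL is rejected while `\u0000` comes back as a NUL in the value; with it on, both are rejected and `\u0041` still decodes to `A`.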