Prevent incorrect result merging when aliasing __typename or id. (#…

…10789)
apollographql · May 9, 2023 · 23a4e15 · sordev · Feb 8, 2024 · phryneas
1 parent f247c7d
commit 23a4e15
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 5 deletions.
diff --git a/.changeset/forty-zebras-smash.md b/.changeset/forty-zebras-smash.md
@@ -0,0 +1,5 @@
+---
+"@apollo/client": patch
+---
+
+Fix a bug where other fields could be aliased to `__typename` or `id`, in which case an incoming result would be merged into the wrong cache entry.
diff --git a/src/cache/inmemory/__tests__/writeToStore.ts b/src/cache/inmemory/__tests__/writeToStore.ts
@@ -3784,4 +3784,77 @@ describe('writing to the store', () => {
       });
     });
   });
+
+  test("prevent that a crafted query can overwrite Post:1 with what should be User:5", () => {
+    const postFragment = gql`
+      fragment PostFragment on Post {
+        id
+        title
+      }
+    `;
+
+    const cache = new InMemoryCache();
+    cache.writeFragment({
+      fragment: postFragment,
+      data: {
+        __typename: "Post",
+        id: "1",
+        title: "Hello",
+      },
+    });
+
+    expect(cache.extract()["Post:1"]).toMatchInlineSnapshot(`
+      Object {
+        "__typename": "Post",
+        "id": "1",
+        "title": "Hello",
+      }
+    `);
+
+    const injectingQuery = gql`
+      query ($id: String) {
+        user(id: $id) {
+          __typename: firstName
+          id: lastName
+          title
+          ignore: __typename
+          ignore2: id
+        }
+      }
+    `;
+    cache.write({
+      query: injectingQuery,
+      variables: { id: 5 },
+      dataId: "ROOT_QUERY",
+      result: {
+        user: {
+          __typename: "Post",
+          id: "1",
+          title: "Incorrect!",
+          ignore: "User",
+          ignore2: "5",
+        },
+      },
+    });
+
+    expect(cache.extract()["Post:1"]).toMatchInlineSnapshot(`
+      Object {
+        "__typename": "Post",
+        "id": "1",
+        "title": "Hello",
+      }
+    `);
+
+
+    expect(cache.extract()["User:5"]).toMatchInlineSnapshot(`
+      Object {
+        "__typename": "User",
+        "firstName": "Post",
+        "id": "5",
+        "lastName": "1",
+        "title": "Incorrect!",
+      }
+    `);
+  });
+
 });
diff --git a/src/cache/inmemory/policies.ts b/src/cache/inmemory/policies.ts
@@ -382,7 +382,7 @@ export class Policies {
     const policy = typename && this.getTypePolicy(typename);
     let keyFn = policy && policy.keyFn || this.config.dataIdFromObject;
     while (keyFn) {
-      const specifierOrId = keyFn(object, context);
+      const specifierOrId = keyFn({...object, ...storeObject}, context);
       if (isArray(specifierOrId)) {
         keyFn = keyFieldsFnFromSpecifier(specifierOrId);
       } else {

diff --git a/src/utilities/graphql/storeUtils.ts b/src/utilities/graphql/storeUtils.ts
@@ -18,6 +18,7 @@ import {
   NameNode,
   SelectionSetNode,
   DocumentNode,
+  FragmentSpreadNode,
 } from 'graphql';
 
 import { isNonNullObject } from '../common/objects';
@@ -289,16 +290,23 @@ export function getTypenameFromResult(
   selectionSet: SelectionSetNode,
   fragmentMap?: FragmentMap,
 ): string | undefined {
-  if (typeof result.__typename === 'string') {
-    return result.__typename;
-  }
-
+  let fragments: undefined | Array<InlineFragmentNode | FragmentSpreadNode>;
   for (const selection of selectionSet.selections) {
     if (isField(selection)) {
       if (selection.name.value === '__typename') {
         return result[resultKeyNameFromField(selection)];
       }
+    } else if (fragments) {
+      fragments.push(selection);
     } else {
+      fragments = [selection];
+    }
+  }
+  if (typeof result.__typename === 'string') {
+    return result.__typename;
+  }
+  if (fragments) {
+    for (const selection of fragments) {
       const typename = getTypenameFromResult(
         result,
         getFragmentFromSelection(selection, fragmentMap)!.selectionSet,