Enhance security of the Complete message for GraphQL over WebSocket protocol #5531
Conversation
…rotocol

Motivation:
When constructing the `Complete` message in the GraphQL over WebSocket Protocol, appending a string directly to the ID can lead to malformed messages if the input is manipulated by the user. This vulnerability could potentially allow users to create arbitrary responses by inputting malformed IDs.

Modification:
- Serialize the `Complete` message using a map instead of concatenating strings directly.

Result:
- The `Complete` message in the GraphQL over WebSocket Protocol is now constructed securely.
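The flaw and the fix described in this PR, as an added JavaScript example (not the project's own code): the concatenated message breaks or gains fields when the client-chosen id contains a quote, while the map-serialized message keeps exactly the two expected keys. The ids and the `isWellFormedComplete` check are constructed for illustration.

```javascript
// Added example, not the project's own code: contrasts building the graphql-ws
// "complete" message by string concatenation with serializing a map/object.

// Unsafe: the subscription id chosen by the client is spliced into JSON text.
function completeByConcat(id) {
  return '{"id":"' + id + '","type":"complete"}';
}

// Fixed: build the message as a map and let the JSON encoder escape the id.
function completeByMap(id) {
  return JSON.stringify({ id, type: 'complete' });
}

function parseOrNull(text) {
  try { return JSON.parse(text); } catch (e) { return null; }
}

// Check a serialized message the way a cautious client would: it must parse,
// carry exactly the keys id and type, echo the id unchanged, and have type "complete".
function isWellFormedComplete(text, expectedId) {
  const msg = parseOrNull(text);
  if (msg === null || typeof msg !== 'object') return false;
  const keys = Object.keys(msg).sort();
  return keys.length === 2 && keys[0] === 'id' && keys[1] === 'type'
    && msg.id === expectedId && msg.type === 'complete';
}

// Constructed ids: a benign one, one with a stray quote (breaks the JSON),
// and one that smuggles an extra field into the concatenated message.
const BENIGN_ID = 'sub-1';
const QUOTE_ID = 'sub"1';
const INJECTED_ID = 'sub-1","payload":{"data":null},"id":"sub-1';

function demo() {
  return {
    concatBenign: isWellFormedComplete(completeByConcat(BENIGN_ID), BENIGN_ID),       // true
    concatQuote: isWellFormedComplete(completeByConcat(QUOTE_ID), QUOTE_ID),          // false: unparsable
    concatInjected: isWellFormedComplete(completeByConcat(INJECTED_ID), INJECTED_ID), // false: extra key
    mapQuote: isWellFormedComplete(completeByMap(QUOTE_ID), QUOTE_ID),                // true
    mapInjected: isWellFormedComplete(completeByMap(INJECTED_ID), INJECTED_ID),       // true
  };
}
```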
8cea2b8 to 96a9a1e
Codecov Report
Attention: Patch coverage is

Additional details and impacted files

Coverage Diff

| | main | #5531 | +/- |
|---|---|---|---|
| Coverage | 74.04% | 74.04% | -0.01% |
| Complexity | 20853 | 20852 | -1 |
| Files | 1807 | 1807 | |
| Lines | 76743 | 76762 | +19 |
| Branches | 9789 | 9792 | +3 |
| Hits | 56826 | 56838 | +12 |
| Misses | 15293 | 15300 | +7 |
| Partials | 4624 | 4624 | |

☔ View full report in Codecov by Sentry.
👍 👍 👍
👍👍