Support DocumentNode, AST in Helper #725
Conversation
Co-authored-by: Benedikt Franke <benedikt@franke.tech>
@spawnia Any idea what's going on with some of those checks in the matrix? A few of them fail, but I don't see any information on the details page; it just says "This check failed": https://github.com/webonyx/graphql-php/pull/725/checks?check_run_id=1097480255 Something to do with exercising different executors? I couldn't figure out how to switch them around in my local environment; I tried setting the "executor" env var to "coroutine", but I don't see any calls to
might be github status issue 🤔
Oh, hey @simPod, haven't seen you around in a while! You think something is awry on Github's end?
hi @shmax :P been busy with some personal things lately. I tried to retrigger here and all passes https://github.com/simPod/graphql-php/actions/runs/249356988 so must be github. I restarted ur checks.
I guess you've got the magic touch! Thanks very much.
Makes sense to me in general (as I mentioned in the original issue). One concern I have is security. AST::fromArray was originally implemented for "safe" usage scenarios (like persisting AST on disk and then reading back). I don't feel confident enough to expose it out of the box as we don't know how it will behave with malicious inputs.
So what we need with this PR:
- Make this feature opt-in and only in the StandardServer (should not be added to the GraphQL facade; we can document how to convert an array to DocumentNode for those who really need it)
- Do some kind of security audit for AST::fromArray and probably add tests for various malicious and invalid inputs.
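The trust boundary the maintainer describes, as an added example that is not code from this PR or from graphql-php itself: AST::fromArray is only ever fed arrays the server persisted, while anything from the client must arrive as a source string and go through the parser. It assumes graphql-php is installed via Composer and uses a hypothetical in-memory persisted-document map.

```php
<?php
// Added example, not part of the PR. Assumes a Composer-installed graphql-php.
require __DIR__ . '/vendor/autoload.php';

use GraphQL\GraphQL;
use GraphQL\Language\Parser;
use GraphQL\Utils\AST;
use GraphQL\Utils\BuildSchema;

$schema = BuildSchema::build('type Query { hello: String }');

// Trusted side: the server parses the document once and persists the array
// form (here an in-memory map standing in for a file on disk). Only data
// written here is ever passed to AST::fromArray.
$persisted = [
    'doc-1' => AST::toArray(Parser::parse('{ hello }')),
];

/**
 * Pick the document for an incoming request (hypothetical helper).
 * Client input is accepted only as a GraphQL source string or as the id of
 * a persisted document; an array-shaped "query" (a client-built AST) is
 * rejected instead of being handed to AST::fromArray.
 */
function resolveDocument(array $request, array $persisted)
{
    if (isset($request['documentId'])) {
        $id = $request['documentId'];
        if (! is_string($id) || ! isset($persisted[$id])) {
            throw new InvalidArgumentException('Unknown persisted document');
        }
        return AST::fromArray($persisted[$id]); // server-written array only
    }
    if (isset($request['query']) && is_string($request['query'])) {
        return Parser::parse($request['query']); // untrusted text goes through the parser
    }
    throw new InvalidArgumentException('Expected a query string or a documentId');
}

$rootValue = ['hello' => 'world'];

// Constructed sample requests.
$result = GraphQL::executeQuery($schema, resolveDocument(['documentId' => 'doc-1'], $persisted), $rootValue);
var_dump($result->toArray());

try {
    resolveDocument(['query' => ['kind' => 'Document', 'definitions' => []]], $persisted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // array AST from the client is refused
}
```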
Eh, I'm going to pass. I don't have time to be run through the wringer over this. I've already removed
I understand. But if you use this
Well, never say never, but I use persisted queries, so in my particular case there are no queries being formed on the client side and in principle there should be no risk.
Fix for #279
Recently I've started experimenting with graphql-tag. It's a node package popular with users of apollographql that does the parsing of graphql queries in the js layer (mainly so that Apollo can do merging and other operations on the AST, which is difficult on a string query).
As noted in issue #279, this library does not directly support an AST structure. I'm aware that you can doctor the incoming request using AST::fromArray before passing it to \GraphQL\GraphQL::executeQuery, but my original client code was using StandardServer and this does not expose any hook where this kind of preprocessing can happen. So, in this PR I add knowledge of both DocumentNode and array representations of AST to Helper. I'll wait for the green light before adding tests. Added the functionality.
edit: note that I didn't actually change anything in the GraphQL::executeQuery entry point; wasn't sure how much pushback I'm going to get on this, but I'm happy to modify it as well if anyone wants it.