[TT-8944]: Fix: handle unsanitized json in variables (#357)

handle unsanitized json in variables
TykTechnologies · Jun 19, 2023 · 55d8756 · 55d8756
1 parent 39861fe
commit 55d8756
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/pkg/variablevalidator/variablevalidator.go b/pkg/variablevalidator/variablevalidator.go
@@ -55,7 +55,16 @@ func (v *validatorVisitor) EnterVariableDefinition(ref int) {
 
 	variableName := v.operation.VariableDefinitionNameBytes(ref)
 	variable, t, _, err := jsonparser.Get(v.variables, string(variableName))
-	if t == jsonparser.NotExist && v.operation.TypeIsNonNull(typeRef) {
+	typeIsNonNull := v.operation.TypeIsNonNull(typeRef)
+	if err != nil && typeIsNonNull {
+		v.StopWithExternalErr(operationreport.ErrVariableNotProvided(variableName, v.operation.VariableDefinitions[ref].VariableValue.Position))
+		return
+	}
+	// if the type is nullable and an error is encountered parsing the JSON, keep processing the request and skip this variable validation
+	if err != nil && !typeIsNonNull {
+		return
+	}
+	if err == jsonparser.KeyPathNotFoundError || err == jsonparser.MalformedJsonError {
 		v.StopWithExternalErr(operationreport.ErrVariableNotProvided(variableName, v.operation.VariableDefinitions[ref].VariableValue.Position))
 		return
 	}

diff --git a/pkg/variablevalidator/variablevalidator_test.go b/pkg/variablevalidator/variablevalidator_test.go
@@ -30,6 +30,13 @@ query testQuery($code: ID!){
   simpleQuery(code: $code)
 }
 `
+
+	testQueryNonNullInput = `
+query testQuery($code: ID){
+  simpleQuery(code: $code)
+}
+`
+
 	testQueryInt = `
 query testQuery($code: Int!){
   inputOfInt(code: $code)
@@ -99,6 +106,17 @@ func TestVariableValidator(t *testing.T) {
 			operationName: "testMutation",
 			variables:     `{"in":{"requiredField":"test"}}`,
 		},
+		{
+			name:          "invalid variable json",
+			operation:     testQuery,
+			variables:     `"\n            {\"code\":{\"code\":{\"in\":[\"PL\",\"UA\"],\"extra\":\"koza\"}}}\n        "`,
+			expectedError: `Required variable "$code" was not provided`,
+		},
+		{
+			name:      "invalid variable json non null input",
+			operation: testQueryNonNullInput,
+			variables: `"\n            {\"code\":{\"code\":{\"in\":[\"PL\",\"UA\"],\"extra\":\"koza\"}}}\n        "`,
+		},
 	}
 	for _, c := range testCases {
 		t.Run(c.name, func(t *testing.T) {