[Security] get queries did not run through validation #424

Merged: 5 commits, Jun 13, 2017

@DxCx DxCx commented Jun 12, 2017

Hi @helfer,
I was trying out your graphql-disable-introspection module,
and then got into a debug session on why it's not working, to find out that GET queries were not passing through the validation pipe.
This patch will make sure GET requests go through validation as well.

TODO:

  • Update CHANGELOG.md with your change (include reference to issue & this PR)
  • Make sure all of the significant new logic is covered by tests
  • Rebase your changes on master so that they can be merged easily
  • Make sure all tests and linter rules pass

@DxCx DxCx requested a review from helfer June 12, 2017 19:11
@DxCx DxCx force-pushed the get-validation branch from 95bddac to dd3d5ad Compare June 12, 2017 19:14
@@ -94,6 +94,7 @@ function doRunQuery(options: QueryOptions): Promise<ExecutionResult> {
logFunction({action: LogAction.request, step: LogStep.status, key: 'operationName', data: options.operationName});

// if query is already an AST, don't parse or validate
// XXX: This refers the operations-store flow.
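Review bot: The added `// XXX: This refers the operations-store flow.` line, sitting under `// if query is already an AST, don't parse or validate`, leaves the trust assumption of that branch undocumented: it does not say why a pre-parsed document may skip validation or who is expected to have validated it. Since this PR exists because requests were reaching execution without validation, spell that out in the comment, for example that only documents coming from the operations store are expected on this path and that any other caller passing an AST must validate it first. Also fix the wording to "refers to".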
Contributor

What do you mean by this comment exactly?

Contributor Author

I wanted to disable getting to runQuery with the document already parsed, to eliminate this flow altogether,
but I've seen that the module-operation-store depends on that "feature".

helfer commented Jun 13, 2017

Thanks a lot for the fix @DxCx! I'll release this now; later we can think about whether or not to turn validation back on for persisted queries.

@helfer helfer merged commit 6d8047f into apollographql:master Jun 13, 2017
@DxCx DxCx deleted the get-validation branch June 13, 2017 06:03
@tgriesser tgriesser mentioned this pull request May 21, 2018
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 23, 2023