graphql-go / graphql

An implementation of GraphQL for Go / Golang
MIT License

Lexer - Possibility to pass invalid characters eg: (null byte) #595

Open mimol91 opened 3 years ago

mimol91 commented 3 years ago

Even though the lexer checks that the input data does not contain some invalid characters (https://github.com/graphql-go/graphql/blob/v0.7.9/language/lexer/lexer.go#L235), it is possible to use them, just by sending them as "plain text".

For example: inputString "ABC\u0041", instead of being interpreted as "ABC\u0041", is changed to "ABCA".

Example code:

func TestReadString(t *testing.T) {
    input := `mutation{
  requestRefund(input:{
  clientMutationId:"2"
    nr:"6849905030\u0041"
  }){
    clientMutationId
  }
}`

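    inputSource := source.Source{Body: []byte(input)}
    // Offset 64 is the opening quote of the nr value.
    token, _ := readToken(source.NewSource(&inputSource), 64)

    // Expects the escape to be kept as written; as reported above,
    // the lexer returns the value with \u0041 decoded to "A".
    if token.Value != `6849905030\u0041` {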
        t.Fatal("token incorrect")
    }
}

https://github.com/graphql-go/graphql/blob/v0.7.9/language/lexer/lexer.go#L281 Probably it requires the same check as here: https://github.com/graphql-go/graphql/blob/v0.7.9/language/lexer/lexer.go#L235
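
One way to apply the check the post proposes to the code points produced by `\uXXXX` escapes, as an added example that is not part of the original issue or of the graphql-go code base. The names `decodeString`, `allowed` and `simple` are hypothetical, and the accepted set (tab, LF, CR, U+0020 and above) is an assumption about what the linked source-character check allows.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// simple maps each single-character escape to its decoded byte.
var simple = map[byte]byte{'"': '"', '\\': '\\', '/': '/', 'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r', 't': '\t'}

// allowed is the assumed source-character rule: tab, LF, CR, or U+0020 and above.
func allowed(r rune) bool { return r >= 0x20 || r == '\t' || r == '\n' || r == '\r' }

// decodeString (hypothetical) decodes a string literal body and applies allowed()
// to every \uXXXX result; raw bytes are assumed already checked by the lexer.
func decodeString(body string) (string, error) {
	var out strings.Builder
	for i := 0; i < len(body); i++ {
		if body[i] != '\\' {
			out.WriteByte(body[i])
			continue
		}
		i++ // step onto the escape letter
		switch {
		case i < len(body) && body[i] == 'u':
			if i+5 > len(body) {
				return "", fmt.Errorf("truncated \\u escape at offset %d", i-1)
			}
			n, err := strconv.ParseUint(body[i+1:i+5], 16, 16)
			if err != nil {
				return "", fmt.Errorf("bad \\u escape at offset %d", i-1)
			}
			if !allowed(rune(n)) {
				return "", fmt.Errorf("escape \\u%04X decodes to a disallowed character", n)
			}
			out.WriteRune(rune(n))
			i += 4 // skip the four hex digits
		case i < len(body) && simple[body[i]] != 0:
			out.WriteByte(simple[body[i]])
		default:
			return "", fmt.Errorf("bad escape at offset %d", i-1)
		}
	}
	return out.String(), nil
}

func main() {
	fmt.Println(decodeString(`6849905030\u0041`)) // constructed input, accepted
	fmt.Println(decodeString(`6849905030\u0000`)) // constructed input, rejected
}
```

The single-character escapes `\b` and `\f` are decoded without the check here; only the `\uXXXX` path is gated.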