Open vansh1 opened 1 year ago
nikitastupin
commented
1 year ago Hi @vansh1!
Thanks for reporting this. Unfortunately, now I don't have capacity for digging deeper and fixing. I probably would be able to find time and review and merge a PR though.
I'm also looking for other ways to maintain the project with my current capacity (e.g. receive funding with Gitcoin Grants and fund issues with Gitcoin Bounties).
gelosecurity
commented
1 year ago Running into the same error. @vansh1, did you ever find a fix?
python3 -m clairvoyance -o output.json https://graphql.kiwi.com/
2023-02-05 21:30:11 INFO | Starting blind introspection on https://graphql.kiwi.com/...
Traceback (most recent call last):
File "/usr/lib/python3.10/runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
exec(code, run_globals)
File "/root/kiwi_bug_bounty/graphQL/clairvoyance/clairvoyance/__main__.py", line 4, in <module>
cli()
File "/root/kiwi_bug_bounty/graphQL/clairvoyance/clairvoyance/cli.py", line 111, in cli
asyncio.run(
File "/usr/lib/python3.10/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib/python3.10/asyncio/base_events.py", line 646, in run_until_complete
return future.result()
File "/root/kiwi_bug_bounty/graphQL/clairvoyance/clairvoyance/cli.py", line 69, in blind_introspection
schema = await oracle.clairvoyance(
File "/root/kiwi_bug_bounty/graphQL/clairvoyance/clairvoyance/oracle.py", line 476, in clairvoyance
root_typenames = await fetch_root_typenames()
File "/root/kiwi_bug_bounty/graphQL/clairvoyance/clairvoyance/oracle.py", line 420, in fetch_root_typenames
response = await client().post(document=document)
File "/root/kiwi_bug_bounty/graphQL/clairvoyance/clairvoyance/client.py", line 55, in post
return await response.json(content_type=None)
File "/usr/local/lib/python3.10/dist-packages/aiohttp/client_reqrep.py", line 1120, in json
return loads(stripped.decode(encoding))
File "/usr/lib/python3.10/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/lib/python3.10/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python3.10/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
2023-02-05 21:30:11 ERROR | Unclosed client session
client_session: <aiohttp.client.ClientSession object at 0x7f32f2bb9360>
mahabish
commented
1 year ago Bump. Same error here as well. Any known workarounds?
2023-02-15 00:22:42 DEBUG | Root typenames are: {'queryType': 'Query', 'mutationType': 'Mutation', 'subscriptionType': None}
Traceback (most recent call last):
File "/usr/lib/python3.10/runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
exec(code, run_globals)
File "/home/kali/.local/lib/python3.10/site-packages/clairvoyance/__main__.py", line 4, in <module>
cli()
File "/home/kali/.local/lib/python3.10/site-packages/clairvoyance/cli.py", line 111, in cli
asyncio.run(
File "/usr/lib/python3.10/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib/python3.10/asyncio/base_events.py", line 649, in run_until_complete
return future.result()
File "/home/kali/.local/lib/python3.10/site-packages/clairvoyance/cli.py", line 69, in blind_introspection
schema = await oracle.clairvoyance(
File "/home/kali/.local/lib/python3.10/site-packages/clairvoyance/oracle.py", line 485, in clairvoyance
typename = await probe_typename(input_document)
File "/home/kali/.local/lib/python3.10/site-packages/clairvoyance/oracle.py", line 402, in probe_typename
raise Exception(f'Expected "{errors}" to match any of "{wrong_field_regexes}".')
Exception: Expected "[{'message': 'Bad Request'}]" to match any of "['Cannot query field [\'"]imwrongfield[\'"] on type [\'"](?P<typename>[_0-9a-zA-Z\\[\\]!]*)[\'"].', 'Field [\'"][_0-9a-zA-Z\\[\\]!]*[\'"] must not have a selection since type [\'"](?P<typename>[_A-Za-z\\[\\]!][_0-9a-zA-Z\\[\\]!]*)[\'"] has no subfields.', 'Field [\'"][_0-9a-zA-Z\\[\\]!]*[\'"] of type [\'"](?P<typename>[_A-Za-z\\[\\]!][_0-9a-zA-Z\\[\\]!]*)[\'"] must not have a sub selection.']".
2023-02-15 00:22:42 ERROR | Unclosed client session
client_session: <aiohttp.client.ClientSession object at 0x7f4c17c5f430>
2023-02-15 00:22:42 ERROR | Unclosed connector
connections: ['[(<aiohttp.client_proto.ResponseHandler object at 0x7f4c17c78a00>, 3503745.138899862)]']
connector: <aiohttp.connector.TCPConnector object at 0x7f4c17c5f5e0>
QuentinN42
commented
1 year ago Hey, I think we have fixed it today.
Can you check and let me know if you encounter others problems ? https://github.com/Escape-Technologies/ClairvoyanceNext
pip install clairvoyancenextNo joy. Same error for me with no change.
Before you might ask, I uninstalled clairvoyance before pip installing clairvoyancenext. When that didn't work, I uninstalled that package and tried complication via 'poetry' and running in a virtual env, as per the installation instructions. This, unfortunately, resulted in the same outcome.
iCarossio
commented
1 year ago Hey @mahabish, I cannot reproduce using your command clairvoyance -vv -o schema.json -w google-10000-english.txt <https://site.com/graphql>. I think the endpoint you are really trying to fingerprint (instead of <https://site.com/graphql>) has something specific. Can you please share with us the URL of the endpoint? You can share it with us privately on Discord if you want: https://discord.escape.tech/
EDIT: By looking at the details of the Stacktrace I think that Field Suggestion is disabled on the GraphQL API you are trying to finger print, and thus Clairvoyance cannot work on it!
mahabish
commented
1 year ago Due to the nature of the work, I can't share the URL of the endpoint. However, after digging a bit further I have the request payload and response that always triggers the error. It appears that Oracle.py throws the error upon receiving a response to the {"query": "query { IAmWrongField }"} request. Looking in Oracle.py lines 88 - 92, there are only three options for a response. The response I actually get is a 400 status with the payload {"errors":[{"message":"Bad Request"}]}. Immediately after this response is received, the script fails with the following:
File "C:\Users\<redacted>\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\clairvoyance\oracle.py", line 476, in probe_typename
raise Exception(f'Unkwon error in `probe_typename`: "{errors}" does not match any known regexes.')
Exception: Unkwon error in `probe_typename`: "[{'message': 'Bad Request'}]" does not match any known regexes.
2023-02-20 14:47:18 ERROR | Unclosed client session
client_session: <aiohttp.client.ClientSession object at 0x000002E5ED4249D0Does this help?
iCarossio
commented
1 year ago It doesn’t really help, it was already my conclusion: « By looking at the details of the Stacktrace I think that Field Suggestion is disabled on the GraphQL API you are trying to finger print, and thus Clairvoyance cannot work on it! »
but I cannot be 100% sure without the endpoint URL
mahabish
commented
1 year ago Understood. Thank you for the swift response.
2022-10-14 20:34:28 INFO | Starting blind introspection on https://site.com/graphql/... 2022-10-14 20:34:29 DEBUG | Root typenames are: {'queryType': None, 'mutationType': None, 'subscriptionType': None} Traceback (most recent call last): File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main return _run_code(code, main_globals, None, File "/usr/lib/python3.8/runpy.py", line 87, in _run_code exec(code, run_globals) File "/home/boss/tools/clairvoyance/clairvoyance/main.py", line 4, in
cli()
File "/home/boss/tools/clairvoyance/clairvoyance/cli.py", line 109, in cli
asyncio.run(
File "/usr/lib/python3.8/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
return future.result()
File "/home/boss/tools/clairvoyance/clairvoyance/cli.py", line 67, in blind_introspection
schema = await oracle.clairvoyance(
File "/home/boss/tools/clairvoyance/clairvoyance/oracle.py", line 485, in clairvoyance
typename = await probe_typename(input_document)
File "/home/boss/tools/clairvoyance/clairvoyance/oracle.py", line 402, in probe_typename
raise Exception(f'Expected "{errors}" to match any of "{wrong_field_regexes}".')
Exception: Expected "[{'message': "Validation error of type FieldUndefined: Field 'imwrongfield' in type 'Query' is undefined @ 'imwrongfield'", 'locations': [{'line': 1, 'column': 9}], 'extensions': {'classification': 'ValidationError'}}]" to match any of "['Cannot query field [\'"]imwrongfield[\'"] on type \'"[\'"].', 'Field [\'"][_0-9a-zA-Z\[\]!][\'"] must not have a selection since type [\'"](?P[_A-Za-z\[\]!][_0-9a-zA-Z\[\]!] )[\'"] has no subfields.', 'Field [\'"][_0-9a-zA-Z\[\]!][\'"] of type [\'"](?P[_A-Za-z\[\]!][_0-9a-zA-Z\[\]!] )[\'"] must not have a sub selection.']".
2022-10-14 20:34:29 ERROR | Unclosed client session
client_session: <aiohttp.client.ClientSession object at 0x7f744a55f8e0>
2022-10-14 20:34:29 ERROR | Unclosed connector
connections: ['[(<aiohttp.client_proto.ResponseHandler object at 0x7f744a462e80>, 94397.773572156)]']
connector: <aiohttp.connector.TCPConnector object at 0x7f744a55f670>
command i used python3 -m clairvoyance -vv -o schema.json -w google-10000-english.txt https://site.com/graphql/