feat(aliases.spec.ts): add tests for handling aliases in GraphQL queries to ensure

danil-iglu · danil-iglu · commit 887a9a9ceb34 · 2024-02-28T16:02:30.000+07:00
proper query merging and filtering based on allowed queries

fix(index.ts): add logging to output queryMap for debugging purposes
diff --git a/src/__tests__/aliases.spec.ts b/src/__tests__/aliases.spec.ts
@@ -0,0 +1,146 @@
+import { getAllowedQueryForRequest } from '../get-allowed-query';
+import { mergeQueries } from '../merge';
+
+const allowedQueries = {
+  'FindMyTalentJobApplications.findJobApplications': `query FindMyTalentJobApplications {
+          data: findJobApplications {
+            id
+            createdAt
+            deletedAt
+            jobAd {
+              id
+              location
+              title
+              publisherCompany {
+                name
+              }
+              workMode
+            }
+          }
+        }`,
+  'FindMyCompanyTalentJobApplications.findJobApplications': `query FindMyCompanyTalentJobApplications($where: TalentJobApplicationWhereInput, $orderBy: [TalentJobApplicationOrderByWithRelationInput!]) {
+          data: findJobApplications(where: $where, orderBy: $orderBy) {
+            createdAt
+            id
+            jobAd {
+              title
+            }
+            talentProfile {
+              profileName
+            }
+          }
+        }`,
+};
+
+describe('aliases', () => {
+  test('FindMyTalentJobApplications should handle aliases (request talentProfile when it is not allowed)', () => {
+    const requestQuery = `query FindMyTalentJobApplications {
+          data: findJobApplications {
+            id
+            createdAt
+            deletedAt
+            jobAd {
+              id
+              location
+              title
+              publisherCompany {
+                name
+              }
+              workMode
+            }
+            talentProfile {
+              profileName
+            }
+          }
+        }`;
+
+    const expected = `query FindMyTalentJobApplications {
+  data: findJobApplications {
+    id
+    createdAt
+    deletedAt
+    jobAd {
+      id
+      location
+      title
+      publisherCompany {
+        name
+      }
+      workMode
+    }
+  }
+}`;
+    const allowedQuery = getAllowedQueryForRequest(
+      requestQuery,
+      allowedQueries
+    );
+    expect(mergeQueries(requestQuery, allowedQuery)).toBe(expected);
+  });
+
+  test('FindMyCompanyTalentJobApplications should handle aliases2  (request workMode when it is not allowed)', () => {
+    const requestQuery = `query FindMyCompanyTalentJobApplications($where: TalentJobApplicationWhereInput, $orderBy: [TalentJobApplicationOrderByWithRelationInput!]) {
+          data: findJobApplications(where: $where, orderBy: $orderBy) {
+            createdAt
+            id
+            jobAd {
+              title
+              __typename
+            }
+            talentProfile {
+              profileName
+              __typename
+            }
+            workMode
+            __typename
+          }
+        }`;
+    const expected = `query FindMyCompanyTalentJobApplications($where: TalentJobApplicationWhereInput, $orderBy: [TalentJobApplicationOrderByWithRelationInput!]) {
+  data: findJobApplications(where: $where, orderBy: $orderBy) {
+    createdAt
+    id
+    jobAd {
+      title
+    }
+    talentProfile {
+      profileName
+    }
+  }
+}`;
+    const allowedQuery = getAllowedQueryForRequest(
+      requestQuery,
+      allowedQueries
+    );
+    console.log('allowedQuery', allowedQuery);
+    expect(mergeQueries(requestQuery, allowedQuery)).toBe(expected);
+  });
+
+  test('Exploit with Aliased Fields to bypass restrictions', () => {
+    const requestQuery = `query FindMyTalentJobApplications {
+      data: findJobApplications {
+        id
+        jobAd {
+          id
+          location
+          secretTitle: title
+          workMode
+        }
+      }
+    }`;
+    const expected = `query FindMyTalentJobApplications {
+  data: findJobApplications {
+    id
+    jobAd {
+      id
+      location
+      secretTitle: title
+      workMode
+    }
+  }
+}`; // 'secretTitle' alias for 'title' is allowed since 'title' is allowed
+    const allowedQuery = getAllowedQueryForRequest(
+      requestQuery,
+      allowedQueries
+    );
+    expect(mergeQueries(requestQuery, allowedQuery)).toBe(expected);
+  });
+});
diff --git a/src/index.ts b/src/index.ts
@@ -107,6 +107,7 @@ export class GraphQLQueryPurifier {
         const key = `${operationName}.${firstFieldName}`.trim();
         this.queryMap[key] = content;
       }
+      console.log('this.queryMap', this.queryMap);
     });
   }
 

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,7 @@ export class GraphQLQueryPurifier {`
`107`	`107`	const key = `${operationName}.${firstFieldName}`.trim();
`108`	`108`	`this.queryMap[key] = content;`
`109`	`109`	`}`
	`110`	`+ console.log('this.queryMap', this.queryMap);`
`110`	`111`	`});`
`111`	`112`	`}`
`112`	`113`