Use json parser wrapper function to prevent pollution attacks (#13191)

Rijk van Zanten
2022-05-09 14:57:38 -04:00
committed by GitHub
parent ae2024147f
commit a36c7eabeb
20 changed files with 152 additions and 97 deletions


@@ -3,6 +3,7 @@ import { DocumentNode, getOperationAST, parse, Source } from 'graphql';
import { InvalidPayloadException, InvalidQueryException, MethodNotAllowedException } from '../exceptions';
import { GraphQLParams } from '../types';
import asyncHandler from '../utils/async-handler';
import { parseJSON } from '../utils/parse-json';
export const parseGraphQL: RequestHandler = asyncHandler(async (req, res, next) => {
if (req.method !== 'GET' && req.method !== 'POST') {
@@ -19,7 +20,7 @@ export const parseGraphQL: RequestHandler = asyncHandler(async (req, res, next)
if (req.query.variables) {
try {
variables = JSON.parse(req.query.variables as string);
variables = parseJSON(req.query.variables as string);
} catch {
throw new InvalidQueryException(`Variables are invalid JSON.`);
}
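Review bot: The result of `parseJSON(req.query.variables as string)` is assigned to `variables` without any check on its shape, so a `variables` query parameter that is valid JSON but not an object (an array, a string, a number or `null`) passes the try/catch and is carried forward as the GraphQL variables. The wrapper's implementation is not visible in this section, so I am assuming it only filters dangerous keys and does not constrain the top-level type. Consider adding, after the try/catch, `if (typeof variables !== 'object' || variables === null || Array.isArray(variables)) throw new InvalidQueryException('Variables must be a JSON object.');`. A short comment on the call, such as `// parseJSON, not JSON.parse: this is untrusted query-string input`, would also help keep a later refactor from reverting it. The handler body starts in the previous hunk and continues past the end of this one.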