1 parent
4f35752
commit 78ce9cf
Showing
4 changed files
with
151 additions
and
0 deletions.
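--- a/src/validation/__tests__/NoIntrospectionFieldsRule-test.js
+++ b/src/validation/__tests__/NoIntrospectionFieldsRule-test.js
@@ -0,0 +1,100 @@
+// @flow strict
+
+import { describe, it } from 'mocha';
+
+import { NoIntrospectionFieldsRule } from '../rules/NoIntrospectionFieldsRule';
+
+import { expectValidationErrors } from './harness';
+
+function expectErrors(queryStr) {
+return expectValidationErrors(NoIntrospectionFieldsRule, queryStr);
+}
+
+function expectValid(queryStr) {
+expectErrors(queryStr).to.deep.equal([]);
+}
+
+describe('Validate: No introspection fields', () => {
+it('ignores valid fields including __typename', () => {
+expectValid(`
+{
+dog {
+__typename
+name
+}
+}
+`);
+});
+
+it('ignores valid fields to be aliased as __schema or __type', () => {
+expectValid(`
+{
+__schema: dog
+__type: cat
+}
+`);
+});
+
+it('ignores __schema or __type fields not on the root query type', () => {
+expectValid(`
+{
+someField {
+__schema
+__type
+}
+}
+`);
+});
+
+it('reports error when __schema field is requested', () => {
+expectErrors(`
+{
+__schema {
+queryType {
+name
+}
+}
+}
+`).to.deep.equal([
+{
+message:
+'GraphQL introspection has been disabled, but the requested query contained the field "__schema".',
+locations: [{ line: 3, column: 9 }],
+},
+]);
+});
+
+it('reports error when __type field is requested', () => {
+expectErrors(`
+{
+__type(name: "Query") {
+name
+}
+}
+`).to.deep.equal([
+{
+message:
+'GraphQL introspection has been disabled, but the requested query contained the field "__type".',
+locations: [{ line: 3, column: 9 }],
+},
+]);
+});
+
+it('reports error when an introspection field is requested and aliased', () => {
+expectErrors(`
+{
+s: __schema {
+queryType {
+name
+}
+}
+}
+`).to.deep.equal([
+{
+message:
+'GraphQL introspection has been disabled, but the requested query contained the field "__schema".',
+locations: [{ line: 3, column: 9 }],
+},
+]);
+});
+});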
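Review bot: The suite never selects `__schema` or `__type` through a fragment, so the rule's dependence on the parent type is only exercised on the operation's top-level selection set. Adding one case with a named fragment and one with an inline fragment whose type condition is the harness schema's root query type (its name is not visible here, written `<RootQueryType>`), for example `fragment F on <RootQueryType> { __schema { queryType { name } } }`, would pin that both are reported. The 'not on the root query type' case also depends on how `someField` resolves in the harness schema, which is outside this section; using a field known to exist there would make the intent of that test explicit.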
@@ -0,0 +1,13 @@ | ||
import { ASTVisitor } from '../../language/visitor'; | ||
import { ValidationContext } from '../ValidationContext'; | ||
|
||
/** | ||
* No introspection fields | ||
* | ||
* A GraphQL document is only valid if all fields selected are not | ||
* fields that return an introspection type. Note: This rule is not | ||
* part of the Validation section of the GraphQL Specification. | ||
*/ | ||
export function NoIntrospectionFieldsRule( | ||
context: ValidationContext, | ||
): ASTVisitor; |
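Review bot: The doc comment says the rule rejects "fields that return an introspection type", which is broader than what the visitor in the implementation section further down this page does: it matches the field names `__schema` and `__type` only when the parent type is the schema's query type, and the tests show `__typename` passing. The same comment is repeated in that implementation section. I would reword both to something like `A GraphQL document is only valid if it does not select the __schema or __type meta-fields on the root query type; __typename remains allowed.`, so that whoever enables the rule to restrict schema discovery knows exactly what it covers. The existing note that the rule is not part of the specification's Validation section should stay.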
@@ -0,0 +1,35 @@ | ||
// @flow strict | ||
|
||
import { GraphQLError } from '../../error/GraphQLError'; | ||
|
||
import { type FieldNode } from '../../language/ast'; | ||
import { type ASTVisitor } from '../../language/visitor'; | ||
|
||
import { type ValidationContext } from '../ValidationContext'; | ||
|
||
/** | ||
* No introspection fields | ||
* | ||
* A GraphQL document is only valid if all fields selected are not | ||
* fields that return an introspection type. Note: This rule is not | ||
* part of the Validation section of the GraphQL Specification. | ||
*/ | ||
export function NoIntrospectionFieldsRule( | ||
context: ValidationContext, | ||
): ASTVisitor { | ||
return { | ||
Field(node: FieldNode) { | ||
if ( | ||
context.getSchema().getQueryType() === context.getParentType() && | ||
(node.name.value === '__schema' || node.name.value === '__type') | ||
) { | ||
context.reportError( | ||
new GraphQLError( | ||
`GraphQL introspection has been disabled, but the requested query contained the field "${node.name.value}".`, | ||
node, | ||
), | ||
); | ||
} | ||
}, | ||
}; | ||
} |
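Review bot: `node.name.value` is read three times in `Field`, twice in the condition and once in the message; binding it once with `const fieldName = node.name.value;` keeps the check and the reported name visibly tied to the same value. The condition would also read more directly as two named parts, `const onQueryRoot = context.getSchema().getQueryType() === context.getParentType();` followed by `if (onQueryRoot && (fieldName === '__schema' || fieldName === '__type'))`. A short comment above it, such as `// Only flag __schema/__type when selected directly on the root query type.`, would explain why the parent-type comparison is there.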