Full resolver source is leaked in error message when no subscription topics are provided

[bfmiv]

Describe the bug
Full resolver source is leaked in error message when no subscription topics are provided. This appears to be caused by this line and should be easy to fix with either a toString method or changing the target reference to target.name.

type-graphql/src/errors/MissingSubscriptionTopicsError.ts

Line 3 in 445ae0a

super(`${target}#${methodName} subscription has no provided topics!`);

To Reproduce
Given the resolver:

@Resolver(() => Test)
export default class TestResolver {
    @Subscription(() => Something, {
        topics: () => []
    })
    public watchSomething(@Root() payload: Something): Something {
        return payload;
    }
}

Attempting to subscribe to watchSomething with:

subscription Test {
    watchSomething {
        id
    }
}

Returns the following:

{
    "errors": [
        {
            "message": "class TestResolver {\n    watchSomething(payload) {\n        return payload;\n    }\n}#watchSomething subscription has no provided topics!",
            "locations": [
                {
                    "line": 2,
                    "column": 3
                }
            ],
            "path": [
                "watchSomething"
            ],
            "extensions": {
                "code": "INTERNAL_SERVER_ERROR"
            }
        }
    ]
}

Expected behavior
Only the name of the resolver should be logged

Logs
N/A

Enviorment (please complete the following information):

• OS: Mac OS
• Node 12.13.0
• [email protected]
• [email protected]

Additional context
Add any other context about the problem here.

[bfmiv]

@MichalLytek I didn't realize until after I submitted topics can be passed in user args - please take a look at this ASAP

[bfmiv]

@MichalLytek 911 🚨

Sorry to nag but this is a big deal and needs to be patched immediately

[MichalLytek]

this is a big deal

The big deal is that you don't filter the errors returned to the client. This way you can also return failed SQL query or a full stacktrace from internal server error.

The ${target} is obviously a bug but the error but the MissingSubscriptionTopicsError is only a developer error to notify him when forgot to pass the topics, for convinience, just like InterfaceResolveTypeError or UnionResolveTypeError. It's not intended to be an info for the client and should be stripped away from the output.

I submitted topics can be passed in user args

Always validate and sanitize your inputs, don't trust users. So you should check the arg and accept only a set of values for topics, as well as check the length, don't just pass the input as topic to subscription.

And I think that reporting it to npm won't help and won't speed up things. If you need a quick fix, checkout v0.17.5 tag, apply the fix and publish a fork on npm. It's OSS, not a paid software with a warranty.

[bfmiv]

Right, I get that. The reason I say it's a big deal has more to do with the fact that I opened a public github issue for what ended up being a potentially devastating exploit (sorry!). But if you're not worried about it 🤷‍♂

Great project btw, thanks for all of your work on this! I will update my PR to address your comments.

[MichalLytek]

Fixed via 26ee0ce, released as v0.17.6 🔒