Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Getting results with invalid input attribute in GraphQL #9142

Closed
bencresty opened this issue Jul 8, 2021 · 4 comments
Closed

Getting results with invalid input attribute in GraphQL #9142

bencresty opened this issue Jul 8, 2021 · 4 comments
Labels
bug

Comments

@bencresty
Copy link

bencresty commented Jul 8, 2021
edited
Loading

Description

When entering an invalid string for an entry ID somehow Craft still returns a list of entries. It seems like it is interpreting the attribute value, but strips the parts that it doesn't recognise/is invalid.
I would expect Craft to not return any results though (see image)

image

The comparisson < 170 actually seems to work, but IMO it shouldn't validate as it's oviously a wrong attribute value.

Also this is validating, which obviously is completely wrong and should never return any entry
(Craft seems to see <170 and skips the rest, which is confusing at least, but obviously prone to nasty errors and mistakes)

image

Steps to reproduce

  1. Have some entries
  2. Try query as given in the image (replace id to one that is actually available)

Additional info

  • Craft version: 3.6.17
  • PHP version: 7.4.9
@bencresty bencresty added the bug label Jul 8, 2021
brandonkelly added a commit that referenced this issue Jul 9, 2021
@brandonkelly
Db::parseNumericParam()
03825af 
Resolves #9142
@brandonkelly
Copy link
Member

Agree this is awkward. It affects normal element queries as well.

I’ve made numeric query params more strict for Craft 4. Don’t feel comfortable fixing this for 3.x since it could break existing installs that may be passing invalid values to numeric params.

@bencresty
Copy link
Author

@brandonkelly Thanks for the quick action! Seems like graphQL isn't too mature yet in v3 (also found out that mutations aren't quite there yet in terms of security etc. and don't like to mix different communication systems), so I go back to using REST for newer projects until v4 is out and stable to use. Looking forward to v4!

@brandonkelly
Copy link
Member

@bencresty Again in this case it’s not actually a GraphQL-specific issue; it was a bug with element queries, which GraphQL executes under the hood.

We aren’t aware of any security issues with GraphQL mutations. If you have any specific security concerns please send them in via our contact form, per our security policy.

@bencresty
Copy link
Author

I understand it's not an issue of GraphQL itself, but the implementation on the backend, which in this case is the elements api. But this mainly leads to issues when using it via GraphQL as it's obviously reachable from outside of the backend.

I already sent you guys an email about the GraphQL mutations with questions and got a response saying that mutations aren't quite there yet and will change for the better in v4. With security concerns in this case I mean that we can't limit mutations or requests to certain users making it a security concern, as everybody having access to the frontend of a headless system is able to fire mutations and therefor mess up with our data without even logging in.
I refer you to the email I sent you guys.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brandonkelly @bencresty