Merge pull request 99designs#325 from edsrzf/no-get-mutations
Only allow query operations on GET requests
vektah authored Aug 29, 2018
2 parents 59ea88e + ac6f82f commit ce8b67d
Showing 2 changed files with 11 additions and 0 deletions.
5 changes: 5 additions & 0 deletions handler/graphql.go
Expand Up @@ -206,6 +206,11 @@ func GraphQL(exec graphql.ExecutableSchema, options ...Option) http.HandlerFunc
return
}

if op.Operation != ast.Query && r.Method == http.MethodGet {
sendErrorf(w, http.StatusUnprocessableEntity, "GET requests only allow query operations")
return
}

vars, err := validator.VariableValues(exec.Schema(), op, reqParams.Variables)
if err != nil {
sendError(w, http.StatusUnprocessableEntity, err)
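Review bot: The new guard `if op.Operation != ast.Query && r.Method == http.MethodGet` carries no comment saying why it exists, and the reason is a security one the next maintainer should not have to reconstruct: a GET can be issued cross-site by a plain link or image tag with the user's cookies attached, so any state-changing operation reachable over GET is a CSRF vector. Suggested comment above the check: `// Only query operations may run over GET: a GET can be triggered cross-site by a link or image tag with the user's cookies attached, so non-query operations must use POST.` This guard covers GET only; whether the POST path restricts the request body to JSON (which a browser cannot send cross-origin without a CORS preflight) is not visible in this hunk and is worth confirming separately. The enclosing GraphQL handler starts and ends outside the hunk.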
6 changes: 6 additions & 0 deletions handler/graphql_test.go
Expand Up @@ -75,6 +75,12 @@ func TestHandlerGET(t *testing.T) {
assert.Equal(t, http.StatusUnprocessableEntity, resp.Code)
assert.Equal(t, `{"data":null,"errors":[{"message":"Unexpected !","locations":[{"line":1,"column":1}]}]}`, resp.Body.String())
})

t.Run("no mutations", func(t *testing.T) {
resp := doRequest(h, "GET", "/graphql?query=mutation{me{name}}", "")
assert.Equal(t, http.StatusUnprocessableEntity, resp.Code)
assert.Equal(t, `{"data":null,"errors":[{"message":"GET requests only allow query operations"}]}`, resp.Body.String())
})
}

func TestHandlerOptions(t *testing.T) {
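Review bot: The new `no mutations` subtest pins only the mutation case, while the guard it exercises rejects every non-query operation over GET; a sibling subtest for a subscription would lock that in too, e.g. `resp := doRequest(h, "GET", "/graphql?query=subscription{me{name}}", "")` followed by the same two assertions, assuming the test schema declares a subscription root (otherwise the failure would come from validation with a different message). A positive check that the same mutation over POST is still accepted would also guard against the check later being widened to POST without a test failing; that may already exist in another test function not shown here. TestHandlerGET starts outside the hunk.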
