feat(max-aliases): add an allow list of unlimited aliases name (#540)
* feat(max-aliases): add an allow list of unlimited aliases name

* feat: changeset

---------

Co-authored-by: c3b5aw <[email protected]>
EmrysMyrddin and c3b5aw authored Oct 26, 2023
1 parent e13c4db commit a21f0f4
Showing 3 changed files with 24 additions and 2 deletions.
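--- a/.changeset/cyan-crews-do.md
+++ b/.changeset/cyan-crews-do.md
@@ -0,0 +1,5 @@
+---
+'@escape.tech/graphql-armor-max-aliases': minor
+---
+
+add allowList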
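--- a/packages/plugins/max-aliases/src/index.ts
+++ b/packages/plugins/max-aliases/src/index.ts
@@ -11,12 +11,13 @@ import {
 ValidationContext,
 } from 'graphql';
 
-type MaxAliasesOptions = { n?: number } & GraphQLArmorCallbackConfiguration;
+type MaxAliasesOptions = { n?: number; allowList: string[] } & GraphQLArmorCallbackConfiguration;
 const maxAliasesDefaultOptions: Required<MaxAliasesOptions> = {
 n: 15,
 onAccept: [],
 onReject: [],
 propagateOnRejection: true,
+allowList: [],
 };
 
 class MaxAliasesVisitor {
@@ -63,7 +64,7 @@ class MaxAliasesVisitor {
 node: FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode,
 ): number {
 let aliases = 0;
-if ('alias' in node && node.alias) {
+if ('alias' in node && node.alias && !this.config.allowList.includes(node.alias.value)) {
 ++aliases;
 }
 if ('selectionSet' in node && node.selectionSet) {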
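Review bot: The new condition in the alias counter exempts a field purely on `node.alias.value`, a name the client chooses, so any field aliased to an allow-listed name is left out of the count regardless of which field it resolves. That limit on the guarantee should be documented where the option is declared, for example `// allowList matches alias names only, not the aliased field; listed names are never counted, so keep the list short`. Separately, `allowList: string[]` is required in `MaxAliasesOptions` while `n` is optional; since `maxAliasesDefaultOptions` already supplies `[]`, declaring it as `allowList?: string[]` would keep existing `{ n: … }` callers type-checking, assuming the plugin factory accepts this type (its signature is outside the hunk). The counting method's body starts and ends outside the second hunk.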
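--- a/packages/plugins/max-aliases/test/index.spec.ts
+++ b/packages/plugins/max-aliases/test/index.spec.ts
@@ -122,4 +122,20 @@ describe('global', () => {
 expect(result.errors).toBeDefined();
 expect(result.errors?.map((error) => error.message)).toContain('Cannot spread fragment "A" within itself via "B".');
 });
+
+it('should not reject allowed aliases', async () => {
+const maxAliases = 1;
+const testkit = createTestkit([maxAliasesPlugin({ n: maxAliases, allowList: ['allowed'] })], schema);
+const result = await testkit.execute(`query {
+allowed: getBook(title: "null") {
+allowed: author
+}
+}`);
+
+assertSingleExecutionValue(result);
+expect(result.errors).toBeUndefined();
+expect(result.data).toEqual({
+allowed: null,
+});
+});
 });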
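Review bot: The added test only covers the accepting path, where every alias in the query is on the allow list, so it would still pass if a non-empty `allowList` switched the limit off entirely. A companion case should keep `n: 1` and `allowList: ['allowed']`, use more than one alias that is not on the list, and assert that the query is still rejected. The sketch below checks only `result.errors` because the rule's rejection message is not visible on this page. The enclosing `describe('global', …)` starts outside the hunk.

```typescript
// … unchanged: 'should not reject allowed aliases' …

it('should still count aliases outside the allow list', async () => {
  const testkit = createTestkit([maxAliasesPlugin({ n: 1, allowList: ['allowed'] })], schema);
  const result = await testkit.execute(`query {
    allowed: getBook(title: "null") {
      first: author
      second: author
    }
  }`);

  assertSingleExecutionValue(result);
  expect(result.errors).toBeDefined();
});
```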
