Disallow introspection fields on subscription root (#5187)

ChilliCream · Jun 28, 2022 · 9affedb · 9affedb
1 parent 66b9dce
commit 9affedb
Show file tree

Hide file tree

Showing 6 changed files with 116 additions and 2 deletions.
diff --git a/src/HotChocolate/Core/src/Validation/ErrorHelper.cs b/src/HotChocolate/Core/src/Validation/ErrorHelper.cs
@@ -587,6 +587,17 @@ public static IError SubscriptionSingleRootField(
             .Build();
     }
 
+    public static IError SubscriptionNoTopLevelIntrospectionField(
+        this IDocumentValidatorContext context,
+        OperationDefinitionNode operation)
+    {
+        return ErrorBuilder.New()
+            .SetMessage(Resources.ErrorHelper_SubscriptionNoTopLevelIntrospectionField)
+            .AddLocation(operation)
+            .SpecifiedBy("sec-Single-root-field")
+            .Build();
+    }
+
     public static IError MaxOperationComplexity(
         this IDocumentValidatorContext context,
         OperationDefinitionNode operation,

diff --git a/src/HotChocolate/Core/src/Validation/Properties/Resources.Designer.cs b/src/HotChocolate/Core/src/Validation/Properties/Resources.Designer.cs
diff --git a/src/HotChocolate/Core/src/Validation/Properties/Resources.resx b/src/HotChocolate/Core/src/Validation/Properties/Resources.resx
@@ -203,6 +203,9 @@
   <data name="ErrorHelper_SubscriptionSingleRootField" xml:space="preserve">
     <value>Subscription operations must have exactly one root field.</value>
   </data>
+  <data name="ErrorHelper_SubscriptionNoTopLevelIntrospectionField" xml:space="preserve">
+    <value>Subscription must not select an introspection top level field.</value>
+  </data>
   <data name="ErrorHelper_MaxOperationComplexity" xml:space="preserve">
     <value>The GraphQL document has an operation complexity of {0} which exceeds the max allowed operation complexity of {1}.</value>
   </data>

diff --git a/src/HotChocolate/Core/src/Validation/Rules/OperationVisitor.cs b/src/HotChocolate/Core/src/Validation/Rules/OperationVisitor.cs
@@ -1,5 +1,7 @@
+using System.Linq;
 using HotChocolate.Language;
 using HotChocolate.Language.Visitors;
+using HotChocolate.Types.Introspection;
 
 namespace HotChocolate.Validation.Rules;
 
@@ -54,7 +56,8 @@ protected override ISyntaxVisitorAction Enter(
                 else if (!context.Names.Add(operation.Name.Value))
                 {
                     context.ReportError(context.OperationNameNotUnique(
-                        operation, operation.Name.Value));
+                        operation,
+                        operation.Name.Value));
                 }
             }
         }
@@ -89,6 +92,11 @@ protected override ISyntaxVisitorAction Leave(
         {
             context.ReportError(context.SubscriptionSingleRootField(node));
         }
+        else if (IntrospectionFields.TypeName.Equals(context.Names.Single()))
+        {
+            context.ReportError(context.SubscriptionNoTopLevelIntrospectionField(node));
+        }
+
         return Continue;
     }
 

diff --git a/src/HotChocolate/Core/test/Validation.Tests/SubscriptionSingleRootFieldRuleTests.cs b/src/HotChocolate/Core/test/Validation.Tests/SubscriptionSingleRootFieldRuleTests.cs
@@ -144,5 +144,17 @@ subscription sub {
                 $"Subscription operations must " +
                 "have exactly one root field.", t.Message));
         }
+
+        [Fact]
+        public void DisallowedOnlyIntrospectionField()
+        {
+            ExpectErrors(@"
+                subscription sub {
+                    __typename
+                }
+            ",
+            t => Assert.Equal(
+                "Subscription must not select an introspection top level field.", t.Message));
+        }
     }
 }
diff --git a/.../__snapshots__/SubscriptionSingleRootFieldRuleTests.DisallowedOnlyIntrospectionField.snap b/.../__snapshots__/SubscriptionSingleRootFieldRuleTests.DisallowedOnlyIntrospectionField.snap
@@ -0,0 +1,74 @@
+[
+  {
+    "Message": "Subscription must not select an introspection top level field.",
+    "Code": null,
+    "Path": null,
+    "Locations": [
+      {
+        "Line": 2,
+        "Column": 17
+      }
+    ],
+    "Extensions": {
+      "specifiedBy": "http://spec.graphql.org/October2021/#sec-Single-root-field"
+    },
+    "Exception": null,
+    "SyntaxNode": {
+      "Kind": "OperationDefinition",
+      "Location": {
+        "Start": 17,
+        "End": 97,
+        "Line": 2,
+        "Column": 17
+      },
+      "Name": {
+        "Kind": "Name",
+        "Location": {
+          "Start": 30,
+          "End": 35,
+          "Line": 2,
+          "Column": 30
+        },
+        "Value": "sub"
+      },
+      "Operation": "Subscription",
+      "VariableDefinitions": [],
+      "Directives": [],
+      "SelectionSet": {
+        "Kind": "SelectionSet",
+        "Location": {
+          "Start": 34,
+          "End": 97,
+          "Line": 2,
+          "Column": 34
+        },
+        "Selections": [
+          {
+            "Kind": "Field",
+            "Alias": null,
+            "Arguments": [],
+            "Required": null,
+            "SelectionSet": null,
+            "Location": {
+              "Start": 56,
+              "End": 84,
+              "Line": 3,
+              "Column": 21
+            },
+            "Name": {
+              "Kind": "Name",
+              "Location": {
+                "Start": 56,
+                "End": 84,
+                "Line": 3,
+                "Column": 21
+              },
+              "Value": "__typename"
+            },
+            "Directives": []
+          }
+        ]
+      }
+    }
+  }
+]