Literal Scalar Parsing should not panic

[dreamcodez]

Describe the bug
Literal Scalar Parsing should not panic. Sending badly shaped data is a thing that Denial-Of-Service attackers like to do -- and being able to panic the thread this easy is a smell in my opinion.

To Reproduce
Steps to reproduce the behavior:

1. Define a schema with a scalar String, Int, or Float type
2. Query the schema with query literals which violate the contract in step (1)
3. Notice that the thread panics
4. Code reference here: https://github.com/graphql-rust/juniper/blob/master/juniper/src/parser/value.rs ... look for parse_scalar_literal_by_infered_type and then look for the panics.

Expected behavior
The framework should handle this class of error gracefully without a panic. It should return in this case a proper 400 Bad Request HTTP Response with the standard graphql json error reporting array format: { "errors": [ "... must be an Int" ] }

Additional context
Violating the api shape is one of the easiest things a would-be denial-of-service attacker can try to attempt to crash your service and/or waste cpu cycles/compute resources/network resources.

[LegNeato]

We should probably add this case to ParseError and bubble it up.

[andy128k]

@dreamcodez I am trying to reproduce panic here but I cannot. Could you provide more details?

[dreamcodez]

sure. sorry i have been busy shlepping my stuff from place to place.

I am going to create a small repo and post it here. give me an hour or so

I haven't had time to understand junipers test suite, but i can isolate it for you...

[dreamcodez]

I added more context to 434, and I have also posted a bounty for this issue (427)

$50 out of my own pocket if someone can just get this one thing fixed, its the only thing which is causing me to not want to use juniper right now :)

https://www.bountysource.com/issues/80699749-literal-scalar-parsing-should-not-panic

Thanks !

[dreamcodez]

(and unit tests of course)

[theduke]

@andy128k @dreamcodez I tried to reproduce this, but haven't been able to.

All seems to work as expected, without a panic.

Can you please provide a simple reproduction with a sample schema definition and query?

[andy128k]

@dreamcodez @theduke Looks like I've reproduced it. String was a bad example (any schema has it because it is used in introspection).

But passing Int or Float literal causes panic. So, this is not because of violation of contract but because of absence of scalar type in schema.