fix(router): check persistent query hashes to be well-formed

The OperationKit.unmarshalOperation method checks if non-empty sha256
hash in GraphQLRequestExtensions.PersistedQuery.Sha256Hash is valid.
It rejects hex strings that could not be sha256 hash and raises
en error that it cannot parse the body.

Tests now deal only with valid hash values.

Author: ysmolski

router-tests/automatic_persisted_queries_test.go

@@ -35,7 +35,7 @@ func TestAutomaticPersistedQueries(t *testing.T) {
 				},
 			}, func(t *testing.T, xEnv *testenv.Environment) {
 				res := xEnv.MakeGraphQLRequestOK(testenv.GraphQLRequest{
-					Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "does-not-exist"}}`),
+					Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + cacheHashNotStored + `"}}`),
 				})
 				require.Equal(t, `{"errors":[{"message":"PersistedQueryNotFound","extensions":{"code":"PERSISTED_QUERY_NOT_FOUND"}}]}`, res.Body)
 			})
@@ -198,7 +198,7 @@ func TestAutomaticPersistedQueries(t *testing.T) {
 				},
 			}, func(t *testing.T, xEnv *testenv.Environment) {
 				res := xEnv.MakeGraphQLRequestOK(testenv.GraphQLRequest{
-					Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "does-not-exist"}}`),
+					Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + cacheHashNotStored + `"}}`),
 				})
 				require.Equal(t, `{"errors":[{"message":"PersistedQueryNotFound","extensions":{"code":"PERSISTED_QUERY_NOT_FOUND"}}]}`, res.Body)
 			})

router-tests/header_propagation_test.go

@@ -48,7 +48,7 @@ func TestCacheControl(t *testing.T) {
 			res := xEnv.MakeGraphQLRequestOK(testenv.GraphQLRequest{
 				Query:      "", // Empty query
 				Variables:  json.RawMessage(`{}`),
-				Extensions: json.RawMessage(`{"persistedQuery": {"version": 1, "sha256Hash": "invalid-hash"}}`),
+				Extensions: json.RawMessage(`{"persistedQuery": {"version": 1, "sha256Hash": "` + cacheHashNotStored + `"}}`),
 			})
 
 			require.Contains(t, res.Body, "PERSISTED_QUERY_NOT_FOUND")

router-tests/persisted_operations_over_get_test.go

@@ -23,7 +23,7 @@ func TestPersistedOperationOverGET(t *testing.T) {
 			header := make(http.Header)
 			header.Add("graphql-client-name", "my-client")
 			res, err := xEnv.MakeGraphQLRequestOverGET(testenv.GraphQLRequest{
-				Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "does-not-exist"}}`),
+				Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + cacheHashNotStored + `"}}`),
 				Header:     header,
 			})
 			require.NoError(t, err)
@@ -99,7 +99,7 @@ func TestAutomatedPersistedQueriesOverGET(t *testing.T) {
 			header := make(http.Header)
 			header.Add("graphql-client-name", "my-client")
 			res, err := xEnv.MakeGraphQLRequestOverGET(testenv.GraphQLRequest{
-				Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "does-not-exist"}}`),
+				Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + cacheHashNotStored + `"}}`),
 				Header:     header,
 			})
 			require.NoError(t, err)

router-tests/persisted_operations_test.go

@@ -16,18 +16,56 @@ import (
 	"github.com/wundergraph/cosmo/router/pkg/config"
 )
 
+// cacheHashNotStored is a constant representing a non-existent entry in Persisted Queries Cache
+// of the testenv. All the pre-stored persistent entries used in testing are located here:
+// ./testenv/testdata/cdn/organization/graph/operations/my-client
+const cacheHashNotStored = "0000000000000000000000000000000000000000000000000000000000000000"
+
 func TestPersistedOperationNotFound(t *testing.T) {
 	t.Parallel()
 
 	testenv.Run(t, &testenv.Config{}, func(t *testing.T, xEnv *testenv.Environment) {
 		res := xEnv.MakeGraphQLRequestOK(testenv.GraphQLRequest{
-			Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "does-not-exist"}}`),
+			Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + cacheHashNotStored + `"}}`),
 		})
 		require.Equal(t, res.Response.Header.Get("Content-Type"), "application/json; charset=utf-8")
 		require.Equal(t, `{"errors":[{"message":"PersistedQueryNotFound","extensions":{"code":"PERSISTED_QUERY_NOT_FOUND"}}]}`, res.Body)
 	})
 }
 
+func TestPersistedOperationInvalidHash(t *testing.T) {
+	t.Parallel()
+
+	malformed := []string{
+		"malformed",
+		"some-words-free-style-not-allowed",
+		"../../../path/not/ok",
+		// too short
+		"000000000000000000000000000000000000000000000000000000000000000",
+		"00000000000000000000000000000000000000000000000000000000000000",
+		"0000",
+		"0",
+		// too long
+		"0000000000000000000000000000000000000000000000000000000000000000000000000000000",
+		"0000000000000000000000000000000000000000000000000000000000000001z",
+		// 1 bad character spoils everything
+		"0000000000000z00000000000000000000000000000000000000000000000000",
+		"0000000000000000000000000000000000000z00000000000000000000000000",
+		"000000000000000000000000000000000000000000000000000000000000000z",
+	}
+	for _, hash := range malformed {
+		testenv.Run(t, &testenv.Config{}, func(t *testing.T, xEnv *testenv.Environment) {
+			res, err := xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
+				Extensions: []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + hash + `"}}`),
+			})
+			require.NoError(t, err)
+			require.Equal(t, http.StatusBadRequest, res.Response.StatusCode)
+			require.Equal(t, res.Response.Header.Get("Content-Type"), "application/json; charset=utf-8")
+			require.Equal(t, `{"errors":[{"message":"error parsing request body"}]}`, res.Body)
+		})
+	}
+}
+
 func TestPersistedOperation(t *testing.T) {
 	t.Parallel()
 
@@ -440,11 +478,12 @@ func TestPersistedOperationsWithNestedVariablesExtraction(t *testing.T) {
 	t.Parallel()
 
 	testenv.Run(t, &testenv.Config{}, func(t *testing.T, xEnv *testenv.Environment) {
+		nestedVariableExtraction := "5000000000000000000000000000000000000000000000000000000000000000"
 		header := make(http.Header)
 		header.Add("graphql-client-name", "my-client")
 		res, err := xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"NormalizationQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "nestedVariableExtraction"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + nestedVariableExtraction + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg":"a"}`),
 		})
@@ -453,7 +492,7 @@ func TestPersistedOperationsWithNestedVariablesExtraction(t *testing.T) {
 		require.Equal(t, `{"data":{"rootFieldWithListOfInputArg":[{"arg":"a"}]}}`, res.Body)
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"NormalizationQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "nestedVariableExtraction"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + nestedVariableExtraction + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg":"a"}`),
 		})
@@ -462,7 +501,7 @@ func TestPersistedOperationsWithNestedVariablesExtraction(t *testing.T) {
 		require.Equal(t, `{"data":{"rootFieldWithListOfInputArg":[{"arg":"a"}]}}`, res.Body)
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"NormalizationQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "nestedVariableExtraction"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + nestedVariableExtraction + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg":"b"}`),
 		})
@@ -476,11 +515,12 @@ func TestPersistedOperationCacheWithVariablesAndDefaultValues(t *testing.T) {
 	t.Parallel()
 
 	testenv.Run(t, &testenv.Config{}, func(t *testing.T, xEnv *testenv.Environment) {
+		skipVariableWithDefault := "4000000000000000000000000000000000000000000000000000000000000000"
 		header := make(http.Header)
 		header.Add("graphql-client-name", "my-client")
 		res, err := xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "skipVariableWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + skipVariableWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{}`),
 		})
@@ -489,7 +529,7 @@ func TestPersistedOperationCacheWithVariablesAndDefaultValues(t *testing.T) {
 		require.Equal(t, `{"data":{"employee":{"details":{"forename":"Jens","surname":"Neuse"}}}}`, res.Body)
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "skipVariableWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + skipVariableWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{}`),
 		})
@@ -498,7 +538,7 @@ func TestPersistedOperationCacheWithVariablesAndDefaultValues(t *testing.T) {
 		require.Equal(t, `{"data":{"employee":{"details":{"forename":"Jens","surname":"Neuse"}}}}`, res.Body)
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "skipVariableWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + skipVariableWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"yes":false}`),
 		})
@@ -507,7 +547,7 @@ func TestPersistedOperationCacheWithVariablesAndDefaultValues(t *testing.T) {
 		require.Equal(t, "MISS", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "skipVariableWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + skipVariableWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"yes":false}`),
 		})
@@ -516,7 +556,7 @@ func TestPersistedOperationCacheWithVariablesAndDefaultValues(t *testing.T) {
 		require.Equal(t, "HIT", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "skipVariableWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + skipVariableWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"yes":true}`),
 		})
@@ -525,7 +565,7 @@ func TestPersistedOperationCacheWithVariablesAndDefaultValues(t *testing.T) {
 		require.Equal(t, "MISS", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "skipVariableWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + skipVariableWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"yes":true}`),
 		})
@@ -539,11 +579,12 @@ func TestPersistedOperationCacheWithVariablesCoercion(t *testing.T) {
 	t.Parallel()
 
 	testenv.Run(t, &testenv.Config{}, func(t *testing.T, xEnv *testenv.Environment) {
+		listArgQuery := "1000000000000000000000000000000000000000000000000000000000000000"
 		header := make(http.Header)
 		header.Add("graphql-client-name", "my-client")
 		res, err := xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "listArgQuery"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + listArgQuery + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg": "a"}`),
 		})
@@ -552,7 +593,7 @@ func TestPersistedOperationCacheWithVariablesCoercion(t *testing.T) {
 		require.Equal(t, "MISS", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "listArgQuery"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + listArgQuery + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg": "a"}`),
 		})
@@ -561,17 +602,18 @@ func TestPersistedOperationCacheWithVariablesCoercion(t *testing.T) {
 		require.Equal(t, "HIT", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "listArgQuery"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + listArgQuery + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg": "b"}`),
 		})
 		require.NoError(t, err)
 		require.Equal(t, `{"data":{"rootFieldWithListArg":["b"]}}`, res.Body)
 		require.Equal(t, "HIT", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 
+		listArgQueryWithDefault := "2000000000000000000000000000000000000000000000000000000000000000"
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "listArgQueryWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + listArgQueryWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{}`),
 		})
@@ -580,7 +622,7 @@ func TestPersistedOperationCacheWithVariablesCoercion(t *testing.T) {
 		require.Equal(t, "MISS", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "listArgQueryWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + listArgQueryWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{}`),
 		})
@@ -589,7 +631,7 @@ func TestPersistedOperationCacheWithVariablesCoercion(t *testing.T) {
 		require.Equal(t, "HIT", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "listArgQueryWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + listArgQueryWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg": "b"}`),
 		})
@@ -598,18 +640,19 @@ func TestPersistedOperationCacheWithVariablesCoercion(t *testing.T) {
 		require.Equal(t, "HIT", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "listArgQueryWithDefault"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + listArgQueryWithDefault + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg": ["c"]}`),
 		})
 		require.NoError(t, err)
 		require.Equal(t, `{"data":{"rootFieldWithListArg":["c"]}}`, res.Body)
 		require.Equal(t, "HIT", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 
+		nestedEnum := "3000000000000000000000000000000000000000000000000000000000000000"
 		// nested list of enums
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "nestedEnum"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + nestedEnum + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg":{"enums":"A"}}`),
 		})
@@ -618,7 +661,7 @@ func TestPersistedOperationCacheWithVariablesCoercion(t *testing.T) {
 		require.Equal(t, "MISS", res.Response.Header.Get(core.PersistedOperationCacheHeader))
 		res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 			OperationName: []byte(`"MyQuery"`),
-			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "nestedEnum"}}`),
+			Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + nestedEnum + `"}}`),
 			Header:        header,
 			Variables:     []byte(`{"arg":{"enums":"B"}}`),
 		})

router-tests/telemetry/telemetry_test.go

@@ -4039,11 +4039,12 @@ func TestFlakyTelemetry(t *testing.T) {
 			TraceExporter: exporter,
 			MetricReader:  metricReader,
 		}, func(t *testing.T, xEnv *testenv.Environment) {
+			listArgQuery := "1000000000000000000000000000000000000000000000000000000000000000"
 			header := make(http.Header)
 			header.Add("graphql-client-name", "my-client")
 			res, err := xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 				OperationName: []byte(`"MyQuery"`),
-				Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "listArgQuery"}}`),
+				Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + listArgQuery + `"}}`),
 				Header:        header,
 				Variables:     []byte(`{"arg": "a"}`),
 			})
@@ -4071,7 +4072,7 @@ func TestFlakyTelemetry(t *testing.T) {
 
 			res, err = xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
 				OperationName: []byte(`"MyQuery"`),
-				Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "listArgQuery"}}`),
+				Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "` + listArgQuery + `"}}`),
 				Header:        header,
 				Variables:     []byte(`{"arg": "a"}`),
 			})