feat: Duplicate operation name detected

multipliedtwice · Sep 18, 2024 · 2511ee2 · 2511ee2
1 parent 0e768ca
commit 2511ee2
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/dist/get-allowed-query.js b/dist/get-allowed-query.js
@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getAllowedQueryForRequest = void 0;
 const graphql_1 = require("graphql");
 function getAllowedQueryForRequest(requestQuery, allowedQueriesMap) {
-    if (!requestQuery)
+    if (!requestQuery || !requestQuery.trim())
         return '';
     const parsedRequestQuery = (0, graphql_1.parse)(requestQuery);
     const operationDefinition = parsedRequestQuery.definitions.find((def) => def.kind === 'OperationDefinition');

diff --git a/dist/index.js b/dist/index.js
@@ -47,7 +47,14 @@ class GraphQLQueryPurifier {
                 if (allowedQuery) {
                     // Use mergeQueries with the specific allowed query
                     const filteredQuery = (0, merge_1.mergeQueries)(req.body.query, allowedQuery, this.debug);
-                    // Existing code...
+                    if (!filteredQuery.trim()) {
+                        console.warn(`Query was blocked due to security rules: ${req.body.query}`);
+                        req.body.query = '{ __typename }';
+                        delete req.body.operationName;
+                    }
+                    else {
+                        req.body.query = filteredQuery;
+                    }
                 }
                 else {
                     console.warn(`Query was blocked: ${req.body.query}`);
@@ -78,6 +85,10 @@ class GraphQLQueryPurifier {
      */
     loadQueries() {
         const files = glob_1.default.sync(`${this.gqlPath}/**/*.gql`.replace(/\\/g, '/'));
+        if (!files || files.length === 0) {
+            console.warn(`No GraphQL files found in path: ${this.gqlPath}`);
+            return;
+        }
         this.queryMap = {};
         files.forEach((file) => {
             const content = fs_1.default.readFileSync(file, 'utf8').trim();
@@ -92,7 +103,12 @@ class GraphQLQueryPurifier {
                 const firstField = operationDefinition.selectionSet.selections.find((sel) => sel.kind === 'Field');
                 const firstFieldName = firstField ? firstField.name.value : '';
                 const key = `${operationName}.${firstFieldName}`.trim();
-                this.queryMap[key] = content;
+                if (this.queryMap[key]) {
+                    throw new Error(`Duplicate operation name detected: ${key}. File: ${file}`);
+                }
+                else {
+                    this.queryMap[key] = content;
+                }
             }
         });
     }