diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-29 15:58:28 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-29 15:58:28 +0000 |
commit | 8d0b026ac70cbb52afbf0d61b88925c5d1d33d94 (patch) | |
tree | 760a015e6ada293e16dd9e5eedef0e7a2817bef0 /spec/support/helpers | |
parent | 5f35cbdd109db2505c0597994dbc8c139014b40b (diff) | |
parent | 5be0a9fe4d7be65b4d3d98897372a46213216bd4 (diff) | |
download | gitlab-ce-8d0b026ac70cbb52afbf0d61b88925c5d1d33d94.tar.gz |
Merge branch 'security-64519-nested-graphql-query-can-cause-denial-of-service' into 'master'
Nested GraphQL query with circular relationship can cause Denial of Service
See merge request gitlab/gitlabhq!3360
Diffstat (limited to 'spec/support/helpers')
-rw-r--r-- | spec/support/helpers/graphql_helpers.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/support/helpers/graphql_helpers.rb b/spec/support/helpers/graphql_helpers.rb index 4d2ad165fd6..6fb1d279456 100644 --- a/spec/support/helpers/graphql_helpers.rb +++ b/spec/support/helpers/graphql_helpers.rb @@ -129,6 +129,7 @@ module GraphqlHelpers allow_unlimited_graphql_complexity allow_unlimited_graphql_depth + allow_high_graphql_recursion type = GitlabSchema.types[class_name.to_s] return "" unless type @@ -213,6 +214,23 @@ module GraphqlHelpers end end + def expect_graphql_errors_to_include(regexes_to_match) + raise "No errors. Was expecting to match #{regexes_to_match}" if graphql_errors.nil? || graphql_errors.empty? + + error_messages = flattened_errors.collect { |error_hash| error_hash["message"] } + Array.wrap(regexes_to_match).flatten.each do |regex| + expect(error_messages).to include a_string_matching regex + end + end + + def expect_graphql_errors_to_be_empty + expect(flattened_errors).to be_empty + end + + def flattened_errors + Array.wrap(graphql_errors).flatten.compact + end + # Raises an error if no response is found def graphql_mutation_response(mutation_name) graphql_data.fetch(GraphqlHelpers.fieldnamerize(mutation_name)) @@ -260,6 +278,10 @@ module GraphqlHelpers allow_any_instance_of(GitlabSchema).to receive(:max_depth).and_return nil allow(GitlabSchema).to receive(:max_query_depth).with(any_args).and_return nil end + + def allow_high_graphql_recursion + allow_any_instance_of(Gitlab::Graphql::QueryAnalyzers::RecursionAnalyzer).to receive(:recursion_threshold).and_return 1000 + end end # This warms our schema, doing this as part of loading the helpers to avoid |