Socket
Socket
Sign inDemoInstall

gqlm

Package Overview
Dependencies
11
Maintainers
1
Versions
3
Alerts
File Explorer

Advanced tools

npm Scripts

Install Socket

Detect and block malicious and high-risk dependencies

Install

    gqlm

A framework for fully automatic monkey testing of GraphQL APIs

Version published
Weekly downloads
1
Maintainers
1
Install size
14.5 MB
Created
Weekly downloads
 

Changelog

Source

0.2.0

  • Add schema coverage report

Readme

Source

GQLM

🐵 A framework for fully automatic monkey testing of GraphQL APIs.

Explores GraphQL schemas with almost zero human input, discovering bugs, edge cases, and security leaks.

Installation

In an existing Node.js project, run:

npm install gqlm

Or, if you want to set up a new project just for running tests on an API, create a new directory and inside that directory, run:

npm init -y
npm install gqlm

Usage

Create a file test.gqlm.mjs with the following contents:

import { GQLM } from 'gqlm';

GQLM.run({
  url: 'https://my.graphql.api/graphql',
  count: 5,
});

Then, run node test.gqlm.mjs. This will start automatic, explorative testing of your API with up to 5 requests.

  • Test results with requests and responses are written to __gqlm__/<n>.mjs.
  • Collected memory is written to __gqlm__/memory.mjs.
  • Schema coverage is written to __gqlm__/coverage.mjs.
  • Inspect these files to determine fitness of the tested GraphQL API.
  • A good workflow is to follow up by creating integration/snapshot tests for conservation of behavior.

Example result:

export const operation = `{
  search(q: "Blades of the Darkmoon") {
    __typename
    ... on Company {
      contracts {
        customer {
          __typename
          ... on Company {
            employees {
              firstname
              lastname
              birthdate
              __typename
            }
          }
        }
      }
    }
  }
}`;

export const result = {
  status: 200,
  responseTime: 3,
  failed: false,
  data: {
    search: [
      {
        __typename: 'Company',
        contracts: [
          {
            customer: {
              __typename: 'Company',
              employees: [
                {
                  firstname: 'Dark Sun Gwyndolin',
                  lastname: '?',
                  birthdate: '2011-09-23',
                  __typename: 'Person',
                },
                {
                  firstname: 'Darkmoon Knightess',
                  lastname: '?',
                  birthdate: '2011-09-24',
                  __typename: 'Person',
                },
              ],
            },
          },
        ],
      },
    ],
  },
};

Authentication

For secured GraphQL APIs, you are free to authenticate in any way and pass headers to the GQLM options. For example:

import { GQLM } from 'gqlm';

async function run() {
  const authResponse = await fetch('https://my.oauth.api/token', {
    headers: {
      'content-type': 'application/json',
    },
    body: JSON.stringify({
      grant_type: 'password',
      username: 'foo',
      password: 'bar',
    }),
  });

  const { access_token } = await authResponse.json();

  await GQLM.run({
    url: 'https://my.graphql.api/graphql',
    requestInit: {
      headers: {
        authorization: `Bearer ${access_token}`,
      },
    },
    count: 5,
  });
}

Options

GQLM accepts the following options:

  • url: string - URL of GraphQL API to test
  • count: number - Maximum number of requests to run
  • requestInit?: RequestInit - Additional parameters for fetch(), e.g. headers
  • seed?: string - Seed for randomization; if set, GQLM will behave deterministically
  • input?: Record<string, unknown> - Map of initial data for generating inputs.
  • exit?: boolean - Should GQLM exit on the first failed request?
  • isFailure?: (result: ExecutionResult) => boolean - Callback to determine whether a GraphQL result is considered a failure.
  • outDir?: string - Output directory; defaults to __gqlm__.

Advanced Usage

Expanding the pattern for authentication above, it's possible to design arbitrary environments around GQLM, e.g.

  • starting a local server to test,
  • seeding data,
  • running with multiple users of different access levels,
  • use GQLM for load testing,
  • etc.

Additionally, you can extend the GQLM class and override some behavior (see source code).

Mutations

Currently, only GraphQL queries are supported. Mutations need some discovery on how to test them safely and make the results useful. PRs welcome!

TypeScript

Test files can also be written in TypeScript (.ts extension). Just install and use ts-node instead of node.

Keywords

FAQs

Last updated on 02 Apr 2023

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Risky Biz Podcast: How Shifts in Open Source Made It a Prime Attack Vector

Security News

Risky Biz Podcast: How Shifts in Open Source Made It a Prime Attack Vector

This episode of the Risky Biz podcast discusses how the rise of small open source packages and the shift towards individual maintainers makes the ecosystem more vulnerable to supply chain attacks.

By Sarah Gooding  -  May 01, 2024
Introducing SSO

Product

Introducing SSO

Streamline your login process and enhance security by enabling Single Sign-On (SSO) on the Socket platform, now available for all customers on the Enterprise plan, supporting 20+ identity providers.

By Alex Morais  -  Apr 29, 2024
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

About

Packages

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc