graphile-build - npm Package Compare versions

Comparing version 4.0.0-beta.7.2 to 4.0.0-beta.8

node8plus/makeNewBuild.js

@@ -22,2 +22,6 @@ "use strict";
 
+var _lruCache = require("lru-cache");
+
+var _lruCache2 = _interopRequireDefault(_lruCache);
+
 var _utils = require("./utils");
@@ -29,2 +33,4 @@
 
+var _crypto = require("crypto");
+
 var _package = require("../package.json");
@@ -42,2 +48,63 @@
 
+/*
+ * This should be more than enough for normal usage. If you come under a
+ * sophisticated attack then the attacker can empty this of useful values (with
+ * a lot of work) but because we use SHA1 hashes under the covers the aliases
+ * will still be consistent even after the LRU cache is exhausted. And SHA1 can
+ * produce half a million hashes per second on my machine, the LRU only gives
+ * us a 10x speedup!
+ */
+const hashCache = (0, _lruCache2.default)(100000);
+
+/*
+ * This function must never return a string longer than 56 characters.
+ *
+ * This function must only output alphanumeric and underscore characters.
+ *
+ * Collisions in SHA1 aren't problematic here (for us; they will be problematic
+ * for the user deliberately causing them, but that's their own fault!), so
+ * we'll happily take the performance boost over SHA256.
+ */
+function hashFieldAlias(str) {
+  const precomputed = hashCache.get(str);
+  if (precomputed) return precomputed;
+  const hash = (0, _crypto.createHash)("sha1").update(str).digest("hex");
+  hashCache.set(str, hash);
+  return hash;
+}
+
+/*
+ * This function may be replaced at any time, but all versions of it will
+ * always return a representation of `alias` (a valid GraphQL identifier)
+ * that:
+ *
+ *   1. won't conflict with normal GraphQL field names
+ *   2. won't be over 60 characters long (allows for systems with alias length limits, such as PG)
+ *   3. will give the same value when called multiple times within the same GraphQL query
+ *   4. matches the regex /^[@!-_A-Za-z0-9]+$/
+ *   5. will not be prefixed with `__` (as that will conflict with other Graphile internals)
+ *
+ * It does not guarantee that this alias will be human readable!
+ */
+function getSafeAliasFromAlias(alias) {
+  if (alias.length <= 60 && !alias.startsWith("@")) {
+    // Use the `@` to prevent conflicting with normal GraphQL field names, but otherwise let it through verbatim.
+    return `@${alias}`;
+  } else if (alias.length > 1024) {
+    throw new Error(`GraphQL alias '${alias}' is too long, use shorter aliases (max length 1024).`);
+  } else {
+    return `@@${hashFieldAlias(alias)}`;
+  }
+}
+
+/*
+ * This provides a "safe" version of the alias from ResolveInfo, guaranteed to
+ * never be longer than 60 characters. This makes it suitable as a PostgreSQL
+ * identifier.
+ */
+function getSafeAliasFromResolveInfo(resolveInfo) {
+  const alias = (0, _graphqlParseResolveInfo.getAliasFromResolveInfo)(resolveInfo);
+  return getSafeAliasFromAlias(alias);
+}
+
 function getNameFromType(Type) {
@@ -125,5 +192,7 @@ if (Type instanceof GraphQLSchema) {
     simplifyParsedResolveInfoFragmentWithType: _graphqlParseResolveInfo.simplifyParsedResolveInfoFragmentWithType,
-    getAliasFromResolveInfo: _graphqlParseResolveInfo.getAliasFromResolveInfo,
+    getSafeAliasFromAlias,
+    getAliasFromResolveInfo: getSafeAliasFromResolveInfo, // DEPRECATED: do not use this!
+    getSafeAliasFromResolveInfo,
     resolveAlias(data, _args, _context, resolveInfo) {
-      const alias = (0, _graphqlParseResolveInfo.getAliasFromResolveInfo)(resolveInfo);
+      const alias = getSafeAliasFromResolveInfo(resolveInfo);
       return data[alias];
@@ -130,0 +199,0 @@ },

node8plus/plugins/ClientMutationIdDescriptionPlugin.js

@@ -8,9 +8,8 @@ "use strict";
 exports.default = function ClientMutationIdDescriptionPlugin(builder) {
-  builder.hook("GraphQLInputObjectType:fields:field", (field, { extend }, { scope: { isMutationInput, fieldName }, Self }) => {
+  builder.hook("GraphQLInputObjectType:fields:field", (field, build, context) => {
+    const { extend } = build;
+    const { scope: { isMutationInput, fieldName }, Self } = context;
     if (!isMutationInput || fieldName !== "clientMutationId" || field.description) {
       return field;
     }
-    if (!field || !Self) {
-      debugger; // eslint-disable-line
-    }
     return extend(field, {
@@ -21,9 +20,8 @@ description: "An arbitrary string value with no semantic meaning. Will be included in the payload verbatim. May be used to track mutations by the client."
 
-  builder.hook("GraphQLObjectType:fields:field", (field, { extend }, { scope: { isMutationPayload, fieldName }, Self }) => {
+  builder.hook("GraphQLObjectType:fields:field", (field, build, context) => {
+    const { extend } = build;
+    const { scope: { isMutationPayload, fieldName }, Self } = context;
     if (!isMutationPayload || fieldName !== "clientMutationId" || field.description) {
       return field;
     }
-    if (!field || !Self) {
-      debugger; // eslint-disable-line
-    }
     return extend(field, {
@@ -34,9 +32,8 @@ description: "The exact same `clientMutationId` that was provided in the mutation input, unchanged and unused. May be used by a client to track mutations."
 
-  builder.hook("GraphQLObjectType:fields:field:args", (args, { extend }, { scope: { isRootMutation }, Self, field }) => {
+  builder.hook("GraphQLObjectType:fields:field:args", (args, build, context) => {
+    const { extend } = build;
+    const { scope: { isRootMutation }, Self, field } = context;
     if (!isRootMutation || !args.input || args.input.description) {
       return args;
     }
-    if (!field || !Self) {
-      debugger; // eslint-disable-line
-    }
     return Object.assign({}, args, {
@@ -43,0 +40,0 @@ input: extend(args.input, {

node8plus/plugins/MutationPayloadQueryPlugin.js

@@ -8,7 +8,5 @@ "use strict";
 exports.default = function MutationPayloadQueryPlugin(builder) {
-  builder.hook("GraphQLObjectType:fields", (fields, {
-    $$isQuery,
-    extend,
-    getTypeByName
-  }, { scope: { isMutationPayload }, Self }) => {
+  builder.hook("GraphQLObjectType:fields", (fields, build, context) => {
+    const { $$isQuery, extend, getTypeByName } = build;
+    const { scope: { isMutationPayload }, Self } = context;
     if (!isMutationPayload) {
@@ -15,0 +13,0 @@ return fields;

node8plus/plugins/MutationPlugin.js

@@ -23,3 +23,4 @@ "use strict";
 exports.default = async function MutationPlugin(builder) {
-  builder.hook("GraphQLSchema", (schema, { newWithHooks, extend, graphql: { GraphQLObjectType } }) => {
+  builder.hook("GraphQLSchema", (schema, build) => {
+    const { newWithHooks, extend, graphql: { GraphQLObjectType } } = build;
     const Mutation = newWithHooks(GraphQLObjectType, {
@@ -26,0 +27,0 @@ name: "Mutation",

node8plus/plugins/NodePlugin.js

@@ -50,14 +50,15 @@ "use strict";
 
-  builder.hook("init", function defineNodeInterfaceType(_, {
-    $$isQuery,
-    $$nodeType,
-    getTypeByName,
-    newWithHooks,
-    graphql: {
-      GraphQLNonNull,
-      GraphQLID,
-      GraphQLInterfaceType,
-      getNullableType
-    }
-  }) {
+  builder.hook("init", function defineNodeInterfaceType(_, build) {
+    const {
+      $$isQuery,
+      $$nodeType,
+      getTypeByName,
+      newWithHooks,
+      graphql: {
+        GraphQLNonNull,
+        GraphQLID,
+        GraphQLInterfaceType,
+        getNullableType
+      }
+    } = build;
     newWithHooks(GraphQLInterfaceType, {
@@ -83,3 +84,5 @@ name: "Node",
 
-  builder.hook("GraphQLObjectType:interfaces", function addNodeIdToQuery(interfaces, { getTypeByName }, { scope: { isRootQuery } }) {
+  builder.hook("GraphQLObjectType:interfaces", function addNodeIdToQuery(interfaces, build, context) {
+    const { getTypeByName } = build;
+    const { scope: { isRootQuery } } = context;
     if (!isRootQuery) {
@@ -96,6 +99,4 @@ return interfaces;
 
-  builder.hook("GraphQLObjectType:fields", (fields, build, {
-    scope: { isRootQuery },
-    fieldWithHooks
-  }) => {
+  builder.hook("GraphQLObjectType:fields", (fields, build, context) => {
+    const { scope: { isRootQuery }, fieldWithHooks } = context;
     if (!isRootQuery) {
@@ -102,0 +103,0 @@ return fields;

node8plus/plugins/QueryPlugin.js

@@ -11,8 +11,9 @@ "use strict";
   }, `Extending Build`));
-  builder.hook("GraphQLSchema", (schema, {
-    $$isQuery,
-    newWithHooks,
-    extend,
-    graphql: { GraphQLObjectType, GraphQLNonNull }
-  }) => {
+  builder.hook("GraphQLSchema", (schema, build) => {
+    const {
+      $$isQuery,
+      newWithHooks,
+      extend,
+      graphql: { GraphQLObjectType, GraphQLNonNull }
+    } = build;
     const queryType = newWithHooks(GraphQLObjectType, {
@@ -19,0 +20,0 @@ description: "The root query type which gives access points into the data universe.",

node8plus/plugins/StandardTypesPlugin.js

@@ -29,6 +29,7 @@ "use strict";
   });
-  builder.hook("init", (_, {
-    newWithHooks,
-    graphql: { GraphQLNonNull, GraphQLObjectType, GraphQLBoolean }
-  }) => {
+  builder.hook("init", (_, build) => {
+    const {
+      newWithHooks,
+      graphql: { GraphQLNonNull, GraphQLObjectType, GraphQLBoolean }
+    } = build;
     // https://facebook.github.io/relay/graphql/connections.htm#sec-undefined.PageInfo
@@ -35,0 +36,0 @@ /* const PageInfo = */

node8plus/plugins/SubscriptionPlugin.js

@@ -23,3 +23,4 @@ "use strict";
 exports.default = async function SubscriptionPlugin(builder) {
-  builder.hook("GraphQLSchema", (schema, { newWithHooks, extend, graphql: { GraphQLObjectType } }) => {
+  builder.hook("GraphQLSchema", (schema, build) => {
+    const { newWithHooks, extend, graphql: { GraphQLObjectType } } = build;
     const Subscription = newWithHooks(GraphQLObjectType, {
@@ -26,0 +27,0 @@ name: "Subscription",

package.json

 {
   "name": "graphile-build",
-  "version": "4.0.0-beta.7.2",
+  "version": "4.0.0-beta.8",
   "description": "Build a GraphQL schema from plugins",
@@ -31,3 +31,3 @@ "main": "node8plus/index.js",
     "debug": ">=2 <3",
-    "graphql-parse-resolve-info": "4.0.0-beta.7.2",
+    "graphql-parse-resolve-info": "4.0.0-beta.8",
     "lodash": ">=4 <5",
@@ -34,0 +34,0 @@ "pluralize": "7.0.0"

README.md

@@ -36,23 +36,21 @@ # graphile-build
 ) {
-  builder.hook(
-    "GraphQLObjectType:fields",
-    (fields, { extend, graphql: { GraphQLInt } }) => {
-      return extend(fields, {
-        random: {
-          type: GraphQLInt,
-          args: {
-            sides: {
-              type: GraphQLInt
-            }
-          },
-          resolve(_, { sides = myDefaultMax }) {
-            return (
-              Math.floor(Math.random() * (sides + 1 - myDefaultMin)) +
-              myDefaultMin
-            );
+  builder.hook("GraphQLObjectType:fields", (fields, build) => {
+    const { extend, graphql: { GraphQLInt } } = build;
+    return extend(fields, {
+      random: {
+        type: GraphQLInt,
+        args: {
+          sides: {
+            type: GraphQLInt
           }
+        },
+        resolve(_, { sides = myDefaultMax }) {
+          return (
+            Math.floor(Math.random() * (sides + 1 - myDefaultMin)) +
+            myDefaultMin
+          );
         }
-      });
-    }
-  );
+      }
+    });
+  });
 }
@@ -59,0 +57,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

214302

increased by4.5%

Lines of code

1237

increased by5.28%

Worsened metrics

Number of lines in readme file

120

decreased by-1.64%

Dependency changes

• + Addedgraphql-parse-resolve-info@4.0.0-beta.8(transitive)

• - Removedgraphql-parse-resolve-info@4.0.0-beta.7.2(transitive)

• Updatedgraphql-parse-resolve-info@4.0.0-beta.8