graphql: Make sure that undefined arguments are ignored

lutter · lutter · commit 20769366ab14 · 2022-01-05T17:26:25.000-08:00
diff --git a/graphql/src/execution/query.rs b/graphql/src/execution/query.rs
@@ -739,6 +739,7 @@ impl Transform {
 
         let resolver = |name: &str| self.schema.get_named_type(name);
 
+        let mut defined_args: usize = 0;
         for argument_def in sast::get_argument_definitions(ty, field_name)
             .into_iter()
             .flatten()
@@ -747,6 +748,9 @@ impl Transform {
                 .iter_mut()
                 .find(|arg| &arg.0 == &argument_def.name)
                 .map(|arg| &mut arg.1);
+            if arg_value.is_some() {
+                defined_args += 1;
+            }
             match coercion::coerce_input_value(
                 arg_value.as_deref().cloned(),
                 &argument_def,
@@ -768,6 +772,16 @@ impl Transform {
             }
         }
 
+        if defined_args < arguments.len() {
+            // `arguments` contains undefined arguments, remove them
+            match sast::get_argument_definitions(ty, field_name) {
+                None => arguments.clear(),
+                Some(arg_defs) => {
+                    arguments.retain(|(name, _)| arg_defs.iter().any(|def| &def.name == name))
+                }
+            }
+        }
+
         if errors.is_empty() {
             Ok(())
         } else {
diff --git a/graphql/tests/query.rs b/graphql/tests/query.rs
@@ -1420,6 +1420,36 @@ fn can_use_nested_filter() {
     })
 }
 
+#[test]
+fn ignores_invalid_field_arguments() {
+    run_test_sequentially(|store| async move {
+        let deployment = setup(store.as_ref());
+        // This query has to return all the musicians since `id` is not a
+        // valid argument for the `musicians` field and must therefore be
+        // ignored
+        let result = execute_query_document(
+            &deployment.hash,
+            graphql_parser::parse_query("query { musicians(id: \"m1\") { id } } ")
+                .expect("invalid test query")
+                .into_static(),
+        )
+        .await;
+
+        let data = extract_data!(result).unwrap();
+        match data {
+            r::Value::Object(obj) => match obj.get("musicians").unwrap() {
+                r::Value::List(lst) => {
+                    assert_eq!(4, lst.len());
+                }
+                _ => panic!("expected a list of values"),
+            },
+            _ => {
+                panic!("expected an object")
+            }
+        }
+    })
+}
+
 async fn check_musicians_at(
     id: &DeploymentHash,
     query: &str,
