graphql-dotnet/graphql-client

Variable parsing different between C# "GraphQLRequest" and json/webui

LL-SRN opened this issue · 6 comments

Description

C# requires an exact match in variable names, despite this not being a requirement on the backend (or for e.g. requests made with POSTMAN)

Steps to reproduce

I don't have a publicly available endpoint for you to test this against, but the short version:

I get the expected result when I POST this:

{
    "query": "query CustomsFields($AWB: String!) { shipments(filter: { shipment_awb: $AWB }) { shipment { documents { document_code document_url } } } }",
    "variables": {
        "AWB": "this string is secret"
    }
}

I get an error response when I SendQueryAsync<> this:

using GraphQL.Client.Http;
using GraphQL.Client.Serializer.SystemTextJson;

const string queryText =
"""
    query CustomsFields($AWB: String!) {
        shipments(filter: { shipment_awb: $AWB }) {
            shipment {
                documents {
                    document_code
                    document_url
                }
            }
        }
    }
""";

var client = new GraphQLHttpClient(new TestSettings().Endpoint, new SystemTextJsonSerializer());
var o = await client
    .SendQueryAsync<object>(
        new GraphQLHttpRequest(
            query: queryText,
            variables: new { AWB = "this string is secret" } // NOTICE: Variable name is "AWB"
        )
    );

The specific error response is:

"Errors":[{"Locations":[{"Column":21,"Line":1}],"Message":"Variable '$AWB' is invalid. No value provided for a non-null variable.",

If I change the variable name from $AWB to $shipment_awb, the request succeeds with the same response as the raw post call.

Expected

Variable semantics are identical for calls made with REST and calls made with SendQueryAsync

Actual

Variable semantics are not identical, etc.

Probably have to disable camel case conversion of variable names within the client.

That does sound like a potential avenue of attack

EDIT - Am I getting this right:

The query object is of type string, so no conversion is done on the text of the query. In the string, the variable is called "$AWB"

The request object is, well, an object, so fields are camel-cased.

Meaning that the server receives an object like

{
    "query":"query CustomsFields($AWB: String!) { shipments(filter: { shipment_awb: $AWB }) { ...",
    "variables":{"awb":"some value"}
}

and then of course doesn't match awb into $AWB

Right

I’m sure it’s configurable, but I don’t use this library. Maybe looking at some of the other issues / solutions will demonstrate how to configure the serializer.

I second the theory that this is the JSON serializer in the client serializing AWB to Awb or something...

To test this theory, you could:

  • name your variable all lowercase (i.e. awb)
  • use a dictionary as variables object with a key AWB and the corresponding value... this way it should keep the casing
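To check that theory without a live endpoint, here is an added example (mine, not code from the thread or from graphql-client) that serializes both variable shapes with the camelCase policy that the client's SystemTextJsonSerializer applies by default, then builds the request with the dictionary form. It assumes that default policy, the serializer's options-configuring constructor, and a placeholder endpoint URL.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using GraphQL.Client.Http;
using GraphQL.Client.Serializer.SystemTextJson;

// Assumption: the client's SystemTextJsonSerializer uses JsonNamingPolicy.CamelCase
// by default. Plain System.Text.Json with the same policy shows the effect offline.
var camelCase = new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase };

// Anonymous object: "AWB" is a property, so the naming policy rewrites it to "awb",
// which no longer matches the $AWB declared in the query text.
var asAnonymousObject = new { AWB = "constructed sample value" };
Console.WriteLine(JsonSerializer.Serialize(asAnonymousObject, camelCase));

// Dictionary: keys are only affected by DictionaryKeyPolicy, which is unset here,
// so "AWB" is emitted exactly as written and matches $AWB.
var asDictionary = new Dictionary<string, object> { ["AWB"] = "constructed sample value" };
Console.WriteLine(JsonSerializer.Serialize(asDictionary, camelCase));

// Option 1: keep the default serializer and pass variables as a dictionary.
var request = new GraphQLHttpRequest(
    query: "query CustomsFields($AWB: String!) { shipments(filter: { shipment_awb: $AWB }) { shipment { documents { document_code document_url } } } }",
    variables: asDictionary);

// Option 2 (assumed constructor): switch the naming policy off for the whole client,
// so anonymous-object variables keep their casing as well. Endpoint is a placeholder.
var serializer = new SystemTextJsonSerializer(options => options.PropertyNamingPolicy = null);
var client = new GraphQLHttpClient("https://example.invalid/graphql", serializer);
// var response = await client.SendQueryAsync<object>(request); // needs a live endpoint
```

Option 2 changes deserialization too: with the policy removed, response fields are matched to typed result classes by exact name rather than camelCase, so the dictionary approach is the smaller change if the rest of the code relies on the default.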