fix(server): Audits safely handle unparsable JSON in response body

enisdenjo · enisdenjo · commit f8098b62ad97 · 2022-09-07T13:09:33.000+02:00
diff --git a/src/audits/server.ts b/src/audits/server.ts
@@ -6,7 +6,12 @@
 
 import type { ExecutionResult } from 'graphql';
 import { Audit, AuditResult } from './common';
-import { assert, audit, extendedTypeof } from './utils';
+import {
+  assert,
+  assertBodyAsExecutionResult,
+  audit,
+  extendedTypeof,
+} from './utils';
 
 /**
  * Options for server audits required to check GraphQL over HTTP spec conformance.
@@ -158,8 +163,10 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
       if (contentType.includes('application/json')) {
         assert(`Content-Type ${contentType} status code`, res.status).toBe(200);
 
-        const body = await res.json();
-        assert('Body data errors', body.errors).toBeDefined();
+        assert(
+          'Body data errors',
+          (await assertBodyAsExecutionResult(res)).errors,
+        ).toBeDefined();
         return;
       }
 
@@ -345,7 +352,9 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
         }),
       });
       assert('Status code', res.status).toBe(200);
-      const result = (await res.json()) as ExecutionResult;
+      const result = (await assertBodyAsExecutionResult(
+        res,
+      )) as ExecutionResult;
       assert('Execution result', result).notToHaveProperty('errors');
     }),
     audit(
@@ -361,7 +370,7 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
           method: 'GET',
         });
         assert('Status code', res.status).toBe(200);
-        const result = (await res.json()) as ExecutionResult;
+        const result = await assertBodyAsExecutionResult(res);
         assert('Execution result', result).notToHaveProperty('errors');
       },
     ),
@@ -493,7 +502,10 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
           },
           body: '{ "not a JSON',
         });
-        assert('Data entry', (await res.json()).data).toBe(undefined);
+        assert(
+          'Data entry',
+          (await assertBodyAsExecutionResult(res)).data,
+        ).toBe(undefined);
       },
     ),
     audit(
@@ -530,7 +542,10 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
           method: 'GET',
           headers: { accept: 'application/graphql-response+json' },
         });
-        assert('Data entry', (await res.json()).data).toBe(undefined);
+        assert(
+          'Data entry',
+          (await assertBodyAsExecutionResult(res)).data,
+        ).toBe(undefined);
       },
     ),
     audit(
@@ -567,7 +582,10 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
           method: 'GET',
           headers: { accept: 'application/graphql-response+json' },
         });
-        assert('Data entry', (await res.json()).data).toBe(undefined);
+        assert(
+          'Data entry',
+          (await assertBodyAsExecutionResult(res)).data,
+        ).toBe(undefined);
       },
     ),
     audit(
@@ -604,7 +622,10 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
           method: 'GET',
           headers: { accept: 'application/graphql-response+json' },
         });
-        assert('Data entry', (await res.json()).data).toBe(undefined);
+        assert(
+          'Data entry',
+          (await assertBodyAsExecutionResult(res)).data,
+        ).toBe(undefined);
       },
     ),
     // TODO: how to fail and have the data entry?
diff --git a/src/audits/utils.ts b/src/audits/utils.ts
@@ -4,6 +4,7 @@
  *
  */
 
+import { ExecutionResult } from 'graphql';
 import { Audit, AuditName } from './common';
 
 export * from '../utils';
@@ -106,3 +107,19 @@ export function assert<T = unknown>(name: string, actual: T) {
     },
   };
 }
+
+/**
+ * Parses the string as JSON and safely reports parsing issues for audits.
+ *
+ * Assumes the parsed JSON will be an `ExecutionResult`.
+ *
+ * @private
+ * */
+export async function assertBodyAsExecutionResult(res: Response) {
+  const str = await res.text();
+  try {
+    return JSON.parse(str) as ExecutionResult;
+  } catch (err) {
+    throw `Response body is not valid JSON. Got ${JSON.stringify(str)}`;
+  }
+}
