Scalars: reject array serialization/coercion (#1336)

IvanGoncharov · web-flow · commit 68577079930e · 2018-06-01T12:42:20.000+03:00
Working on #1333 I noticed that you can pass arrays as scalars in a query variable, e.g. [SWAPI example](http://graphql.org/swapi-graphql/?query=query%20(%24id%3A%20ID)%20%7B%0A%20%20person(personID%3A%20%24id)%20%7B%0A%20%20%20%20name%0A%20%20%7D%0A%7D&variables=%7B%0A%20%20%22id%22%3A%20%5B1%5D%0A%7D) This PR is based on #925 but fixing same issue for types other than `String` e.g. ```js Number([1]) // 1 ```
diff --git a/src/execution/__tests__/variables-test.js b/src/execution/__tests__/variables-test.js
@@ -648,13 +648,6 @@ describe('Execute: Handles inputs', () => {
       expect(result.errors[0].originalError).not.to.equal(undefined);
     });
 
-    it('serializing an array via GraphQLString throws TypeError', () => {
-      expect(() => GraphQLString.serialize([1, 2, 3])).to.throw(
-        TypeError,
-        'String cannot represent an array value: [1,2,3]',
-      );
-    });
-
     it('reports error for non-provided variables for non-nullable inputs', () => {
       // Note: this test would typically fail validation before encountering
       // this execution error, however for queries which previously validated
diff --git a/src/type/__tests__/serialization-test.js b/src/type/__tests__/serialization-test.js
@@ -5,18 +5,27 @@
  * LICENSE file in the root directory of this source tree.
  */
 
-import { GraphQLInt, GraphQLFloat, GraphQLString, GraphQLBoolean } from '../';
+import {
+  GraphQLInt,
+  GraphQLID,
+  GraphQLFloat,
+  GraphQLString,
+  GraphQLBoolean,
+} from '../';
 
 import { describe, it } from 'mocha';
 import { expect } from 'chai';
 
 describe('Type System: Scalar coercion', () => {
-  it('serializes output int', () => {
+  it('serializes output as Int', () => {
     expect(GraphQLInt.serialize(1)).to.equal(1);
     expect(GraphQLInt.serialize('123')).to.equal(123);
     expect(GraphQLInt.serialize(0)).to.equal(0);
     expect(GraphQLInt.serialize(-1)).to.equal(-1);
     expect(GraphQLInt.serialize(1e5)).to.equal(100000);
+    expect(GraphQLInt.serialize(false)).to.equal(0);
+    expect(GraphQLInt.serialize(true)).to.equal(1);
+
     // The GraphQL specification does not allow serializing non-integer values
     // as Int to avoid accidental data loss.
     expect(() => GraphQLInt.serialize(0.1)).to.throw(
@@ -49,17 +58,19 @@ describe('Type System: Scalar coercion', () => {
     expect(() => GraphQLInt.serialize('one')).to.throw(
       'Int cannot represent non 32-bit signed integer value: one',
     );
-    expect(GraphQLInt.serialize(false)).to.equal(0);
-    expect(GraphQLInt.serialize(true)).to.equal(1);
+    // Doesn't represent number
     expect(() => GraphQLInt.serialize('')).to.throw(
       'Int cannot represent non 32-bit signed integer value: (empty string)',
     );
     expect(() => GraphQLInt.serialize(NaN)).to.throw(
       'Int cannot represent non 32-bit signed integer value: NaN',
     );
+    expect(() => GraphQLInt.serialize([5])).to.throw(
+      'Int cannot represent an array value: [5]',
+    );
   });
 
-  it('serializes output float', () => {
+  it('serializes output as Float', () => {
     expect(GraphQLFloat.serialize(1)).to.equal(1.0);
     expect(GraphQLFloat.serialize(0)).to.equal(0.0);
     expect(GraphQLFloat.serialize('123.5')).to.equal(123.5);
@@ -74,30 +85,42 @@ describe('Type System: Scalar coercion', () => {
     expect(() => GraphQLFloat.serialize(NaN)).to.throw(
       'Float cannot represent non numeric value: NaN',
     );
-
     expect(() => GraphQLFloat.serialize('one')).to.throw(
       'Float cannot represent non numeric value: one',
     );
-
     expect(() => GraphQLFloat.serialize('')).to.throw(
       'Float cannot represent non numeric value: (empty string)',
     );
+    expect(() => GraphQLFloat.serialize([5])).to.throw(
+      'Float cannot represent an array value: [5]',
+    );
   });
 
-  it('serializes output strings', () => {
-    expect(GraphQLString.serialize('string')).to.equal('string');
-    expect(GraphQLString.serialize(1)).to.equal('1');
-    expect(GraphQLString.serialize(-1.1)).to.equal('-1.1');
-    expect(GraphQLString.serialize(true)).to.equal('true');
-    expect(GraphQLString.serialize(false)).to.equal('false');
-  });
+  for (const scalar of [GraphQLString, GraphQLID]) {
+    it(`serializes output as ${scalar}`, () => {
+      expect(scalar.serialize('string')).to.equal('string');
+      expect(scalar.serialize(1)).to.equal('1');
+      expect(scalar.serialize(-1.1)).to.equal('-1.1');
+      expect(scalar.serialize(true)).to.equal('true');
+      expect(scalar.serialize(false)).to.equal('false');
 
-  it('serializes output boolean', () => {
+      expect(() => scalar.serialize([1])).to.throw(
+        'String cannot represent an array value: [1]',
+      );
+    });
+  }
+
+  it('serializes output as Boolean', () => {
     expect(GraphQLBoolean.serialize('string')).to.equal(true);
+    expect(GraphQLBoolean.serialize('false')).to.equal(true);
     expect(GraphQLBoolean.serialize('')).to.equal(false);
     expect(GraphQLBoolean.serialize(1)).to.equal(true);
     expect(GraphQLBoolean.serialize(0)).to.equal(false);
     expect(GraphQLBoolean.serialize(true)).to.equal(true);
     expect(GraphQLBoolean.serialize(false)).to.equal(false);
+
+    expect(() => GraphQLBoolean.serialize([false])).to.throw(
+      'Boolean cannot represent an array value: [false]',
+    );
   });
 });
diff --git a/src/type/scalars.js b/src/type/scalars.js
@@ -19,7 +19,12 @@ import { Kind } from '../language/kinds';
 const MAX_INT = 2147483647;
 const MIN_INT = -2147483648;
 
-function coerceInt(value: mixed): ?number {
+function coerceInt(value: mixed): number {
+  if (Array.isArray(value)) {
+    throw new TypeError(
+      `Int cannot represent an array value: [${String(value)}]`,
+    );
+  }
   if (value === '') {
     throw new TypeError(
       'Int cannot represent non 32-bit signed integer value: (empty string)',
@@ -58,7 +63,12 @@ export const GraphQLInt = new GraphQLScalarType({
   },
 });
 
-function coerceFloat(value: mixed): ?number {
+function coerceFloat(value: mixed): number {
+  if (Array.isArray(value)) {
+    throw new TypeError(
+      `Float cannot represent an array value: [${String(value)}]`,
+    );
+  }
   if (value === '') {
     throw new TypeError(
       'Float cannot represent non numeric value: (empty string)',
@@ -88,7 +98,7 @@ export const GraphQLFloat = new GraphQLScalarType({
   },
 });
 
-function coerceString(value: mixed): ?string {
+function coerceString(value: mixed): string {
   if (Array.isArray(value)) {
     throw new TypeError(
       `String cannot represent an array value: ${inspect(value)}`,
@@ -110,11 +120,20 @@ export const GraphQLString = new GraphQLScalarType({
   },
 });
 
+function coerceBoolean(value: mixed): boolean {
+  if (Array.isArray(value)) {
+    throw new TypeError(
+      `Boolean cannot represent an array value: [${String(value)}]`,
+    );
+  }
+  return Boolean(value);
+}
+
 export const GraphQLBoolean = new GraphQLScalarType({
   name: 'Boolean',
   description: 'The `Boolean` scalar type represents `true` or `false`.',
-  serialize: Boolean,
-  parseValue: Boolean,
+  serialize: coerceBoolean,
+  parseValue: coerceBoolean,
   parseLiteral(ast) {
     return ast.kind === Kind.BOOLEAN ? ast.value : undefined;
   },
@@ -128,8 +147,8 @@ export const GraphQLID = new GraphQLScalarType({
     'response as a String; however, it is not intended to be human-readable. ' +
     'When expected as an input type, any string (such as `"4"`) or integer ' +
     '(such as `4`) input value will be accepted as an ID.',
-  serialize: String,
-  parseValue: String,
+  serialize: coerceString,
+  parseValue: coerceString,
   parseLiteral(ast) {
     return ast.kind === Kind.STRING || ast.kind === Kind.INT
       ? ast.value
diff --git a/src/utilities/__tests__/coerceValue-test.js b/src/utilities/__tests__/coerceValue-test.js
