Enhance request body check

Closes gh-733

Author: rstoyanchev

spring-graphql/src/main/java/org/springframework/graphql/server/WebGraphQlRequest.java

@@ -84,8 +84,7 @@ public WebGraphQlRequest(
 			URI uri, HttpHeaders headers, @Nullable MultiValueMap<String, HttpCookie> cookies,
 			Map<String, Object> attributes, Map<String, Object> body, String id, @Nullable Locale locale) {
 
-		super(getKey("query", body), getKey("operationName", body), getKey("variables", body),
-				getKey("extensions", body), id, locale);
+		super(getQuery(body), getOperation(body), getMap("variables", body), getMap("extensions", body), id, locale);
 
 		Assert.notNull(uri, "URI is required'");
 		Assert.notNull(headers, "HttpHeaders is required'");
@@ -96,12 +95,31 @@ public WebGraphQlRequest(
 		this.attributes = Collections.unmodifiableMap(attributes);
 	}
 
+	private static String getQuery(Map<String, Object> body) {
+		Object value = body.get("query");
+		if (!(value instanceof String query) || !StringUtils.hasText(query)) {
+			throw new ServerWebInputException("Invalid value for 'query'");
+		}
+		return (String) value;
+	}
+
+	@Nullable
+	private static String getOperation(Map<String, Object> body) {
+		Object value = body.get("operation");
+		if (value != null && !(value instanceof String)) {
+			throw new ServerWebInputException("Invalid value for 'operation'");
+		}
+		return (String) value;
+	}
+
 	@SuppressWarnings("unchecked")
-	private static <T> T getKey(String key, Map<String, Object> body) {
-		if (key.equals("query") && !StringUtils.hasText((String) body.get(key))) {
-			throw new ServerWebInputException("No \"query\" in the request document");
+	@Nullable
+	private static Map<String, Object> getMap(String key, Map<String, Object> body) {
+		Object value = body.get(key);
+		if (value != null && !(value instanceof Map)) {
+			throw new ServerWebInputException("Invalid value for '" + key + "'");
 		}
-		return (T) body.get(key);
+		return (Map<String, Object>) value;
 	}
 
 

spring-graphql/src/test/java/org/springframework/graphql/server/WebGraphQlRequestTests.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.graphql.server;
+
+import java.net.URI;
+import java.util.Collections;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.web.server.ServerWebInputException;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+/**
+ * Unit tests for {@link WebGraphQlRequest}.
+ *
+ * @author Rossen Stoyanchev
+ */
+public class WebGraphQlRequestTests {
+
+	@Test  // gh-726
+	void invalidBody() {
+		testInvalidBody(Map.of());
+		testInvalidBody(Map.of("query", Collections.emptyMap()));
+		testInvalidBody(Map.of("query", "query { foo }", "operation", Collections.emptyMap()));
+		testInvalidBody(Map.of("query", "query { foo }", "variables", "not-a-map"));
+		testInvalidBody(Map.of("query", "query { foo }", "extensions", "not-a-map"));
+	}
+
+	private void testInvalidBody(Map<String, Object> body) {
+		assertThatThrownBy(() ->
+				new WebGraphQlRequest(
+						URI.create("/graphql"), new HttpHeaders(), new LinkedMultiValueMap<>(),
+						Collections.emptyMap(), body, "1", null))
+				.isInstanceOf(ServerWebInputException.class);
+	}
+
+
+}