NaAquelo
C#
Created by NaAquelo on 8/19/2024 in #help
How to use FieldInterceptors to sanitize String Fields in GraphQL Requests and Responses Using HotCh
I am working on ensuring that all string fields in my GraphQL requests and responses are properly sanitized to prevent XSS attacks using the HotChocolate .NET library. Here is an example of the issue I am trying to address:
mutation NewCustomer {
  createNewCustomer(name: "<script>alert('xss')</script>") {
    customerId
    customerName
  }
}
I have attempted two approaches so far without success:

1.) Custom Middleware Approach: I tried to create a custom middleware to sanitize inputs. However, I encountered issues because the HttpContext body contains a JSON string of the GraphQL query or response, not the actual GraphQLRequest object. Processing the raw JSON string seems impractical due to the complexity of the GraphQL query structure and the potential for numerous edge cases.

2.) TypeInterceptor Approach: I considered using a TypeInterceptor, but I am unable to find any documentation on how to implement this effectively after some Google searches and on the HotChocolate website. The few available resources I am able to find are outdated, and I am struggling to apply TypeInterceptors to sanitize fields properly.

I am seeking guidance on the following:

Documentation: Where can I find up-to-date documentation or examples on using TypeInterceptors with HotChocolate for sanitization purposes?

Recommendations: What is the best approach to sanitize string fields across all GraphQL objects, preferably through middleware or interceptors, to simplify the implementation so that it can be easily registered during project startup?

Thank you.
2 replies
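An added example, not from this thread and not HotChocolate's own code: a global field middleware that HTML-encodes every string (or list-of-string) field result before it is serialized into the response, registered once at startup with `UseField<T>()`. The API names are assumed from HotChocolate 12/13 (`FieldDelegate` and `IMiddlewareContext` in `HotChocolate.Resolvers`, the `UseField<TMiddleware>()` extension on `IRequestExecutorBuilder`); the `Query`, `Mutation` and `Customer` types are constructed sample types for the example only.

```csharp
// Added example (not from the thread): HotChocolate global field middleware that
// HTML-encodes string results. Assumed APIs: FieldDelegate, IMiddlewareContext,
// UseField<TMiddleware>() (HotChocolate 12/13).
using System.Collections.Generic;
using System.Linq;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using HotChocolate.Resolvers;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public sealed class HtmlEncodeStringResultsMiddleware
{
    private readonly FieldDelegate _next;

    public HtmlEncodeStringResultsMiddleware(FieldDelegate next) => _next = next;

    public async ValueTask InvokeAsync(IMiddlewareContext context)
    {
        // Let the resolver (and any downstream middleware) produce the value first.
        await _next(context).ConfigureAwait(false);

        // Encode on the way out: '<' becomes '&lt;', '"' becomes '&quot;', and so on.
        // A plain string is IEnumerable<char>, not IEnumerable<string>, so the
        // two cases do not overlap.
        switch (context.Result)
        {
            case string s:
                context.Result = Encode(s);
                break;
            case IEnumerable<string> list:
                context.Result = list.Select(Encode).ToList();
                break;
        }
    }

    // HtmlEncoder.Default is the encoder Razor uses for @-output. It never strips
    // content, so a legitimate "<" in data survives as "&lt;" instead of vanishing.
    private static string Encode(string value) => HtmlEncoder.Default.Encode(value);
}

// Constructed sample schema so the example compiles on its own.
public sealed class Customer
{
    public int CustomerId { get; set; }
    public string CustomerName { get; set; } = string.Empty;
}

public sealed class Query
{
    public Customer GetCustomer() =>
        new Customer { CustomerId = 1, CustomerName = "<script>alert('xss')</script>" };
}

public sealed class Mutation
{
    public Customer CreateNewCustomer(string name) =>
        new Customer { CustomerId = 2, CustomerName = name };
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        builder.Services
            .AddGraphQLServer()
            .AddQueryType<Query>()
            .AddMutationType<Mutation>()
            .UseField<HtmlEncodeStringResultsMiddleware>(); // applied to every field

        var app = builder.Build();
        app.MapGraphQL();
        app.Run();
    }
}
```

With this registered, the `customerName` returned by the mutation in the question comes back as `&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;` rather than raw markup, and the stored value is left untouched. Encoding at the response boundary is deliberately chosen over rewriting arguments: the original input stays intact for auditing, and a client that also encodes on render will only ever see double-encoded text rather than executable script.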
C#
Created by NaAquelo on 12/7/2023 in #help
Is there anyway to not provide a route prefix for OData
If anyone is familiar with OData for MVC ASP.NET applications, does anyone know of a way to avoid specifying a route prefix for my endpoints? At work I'm working on a legacy API running on .NET Framework v3 and we want to start using OData with our endpoints. My problem is that I have to specify a route prefix like the example below:
app.UseMvc(routeBuilder =>
{
    routeBuilder.Select().Filter().Expand().Count().OrderBy();
    routeBuilder.MapODataServiceRoute("odata", "api", GetEdmModel());
    routeBuilder.EnableDependencyInjection();
});
However, this involves a breaking change for my company's API, as our existing tools rely on our current API URL, but with this change it would need to be updated to {{url}}/api, which I would ideally like to avoid so I can just keep it as {{url}}. Unfortunately, just providing an empty string to MapODataServiceRoute doesn't work.
1 reply