Graphql-js: input validation too loose for string and boolean

Created on 29 Mar 2017 · 3Comments · Source: graphql/graphql-js

this

{ "foo": [1, 2, 3]}

is a correct payload for the muation

export default mutationWithClientMutationId({
  name: 'Test',

  inputFields: {
    foo: { type: new GraphQLNonNull(GraphQLString) },
  },
...

happening beacuse of this.

Clearly [1, 2, 3] is not a string and this should probably be rejected. This kind of coercion makes sense for output types, but for mutation input this seems very odd, even more so considering that other things are validated (non-nullness, integers). I mean, if [1, 2, 3] is a string, then why isn't "foo" a valid integer? I am seeing a disparity here. Is there a reason for that?

bug

Source

itajaja

Most helpful comment

Coercion of booleans also seems invalid:

{"foo": "false"}

will be coerced to true by GraphQL Boolean Type without raising errors (here) even if specs explicitly says:

When expected as an input type, only boolean input values are accepted. 
All other input values must raise a query error indicating an incorrect type.

vladar on 20 Sep 2017

👍2

All 3 comments

This looks like a bug similar to #827

https://facebook.github.io/graphql/#sec-String

leebyron on 29 Apr 2017

Coercion of booleans also seems invalid:

{"foo": "false"}

will be coerced to true by GraphQL Boolean Type without raising errors (here) even if specs explicitly says:

When expected as an input type, only boolean input values are accepted. 
All other input values must raise a query error indicating an incorrect type.

vladar on 20 Sep 2017

👍2

Now fixed in master and will be included in the next release

leebyron on 7 Dec 2017

🎉1

Was this page helpful?

0 / 5 - 0 ratings