Merge pull request #76 from newrelic/NR-294559-graphql

Added support for GraphQL
newrelic · Dec 11, 2024 · 0b01ef9 · 0b01ef9
2 parents 9765399 + bbb4e69
commit 0b01ef9
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 24 deletions.
diff --git a/internal/security_utils/global_utils.go b/internal/security_utils/global_utils.go
@@ -34,24 +34,25 @@ type ResponseInfo struct {
 }
 
 type RequestInfo struct {
-	Body          string              `json:"body"`
-	Headers       map[string]string   `json:"headers"`
-	URL           string              `json:"url"`
-	RawRequest    string              `json:"rawRequest"`
-	Method        string              `json:"method"`
-	ContentType   string              `json:"contentType"`
-	ContextPath   string              `json:"contextPath"`
-	ClientIP      string              `json:"clientIP"`
-	ClientPort    string              `json:"clientPort"`
-	ServerPort    string              `json:"serverPort"`
-	Protocol      string              `json:"protocol"`
-	ParameterMap  map[string][]string `json:"parameterMap"`
-	IsGRPC        bool                `json:"isGrpc"`
-	ServerName    string              `json:"serverName"`
-	DataTruncated bool                `json:"dataTruncated"`
-	BodyReader    SecWriter           `json:"-"`
-	Route         string              `json:"route"`
-	URI           string              `json:"requestURI"`
+	Body           string              `json:"body"`
+	Headers        map[string]string   `json:"headers"`
+	URL            string              `json:"url"`
+	RawRequest     string              `json:"rawRequest"`
+	Method         string              `json:"method"`
+	ContentType    string              `json:"contentType"`
+	ContextPath    string              `json:"contextPath"`
+	ClientIP       string              `json:"clientIP"`
+	ClientPort     string              `json:"clientPort"`
+	ServerPort     string              `json:"serverPort"`
+	Protocol       string              `json:"protocol"`
+	ParameterMap   map[string][]string `json:"parameterMap"`
+	IsGRPC         bool                `json:"isGrpc"`
+	ServerName     string              `json:"serverName"`
+	DataTruncated  bool                `json:"dataTruncated"`
+	BodyReader     SecWriter           `json:"-"`
+	Route          string              `json:"route"`
+	URI            string              `json:"requestURI"`
+	CustomDataType map[string]string   `json:"customDataType"`
 }
 
 type SecWriter struct {

diff --git a/internal/security_utils/security_interface.go b/internal/security_utils/security_interface.go
@@ -21,6 +21,7 @@ type Secureiface interface {
 	AssociateGoRoutine(caller, callee int64)
 	AssociateGrpcDataBytes([]byte) bool
 	AssociateGrpcInfo(bool, bool)
+	AssociategraphqlInfo(bool, bool)
 	InitSyms() error
 	CalculateOutboundApiId()
 	AssociateGrpcData(string, string)

diff --git a/security_implementation/implementation.go b/security_implementation/implementation.go
@@ -224,6 +224,24 @@ func (k Secureimpl) NewGoroutineLinker(req interface{}) {
 	}
 }
 
+func (k Secureimpl) AssociategraphqlInfo(isQuery, isVariable bool) {
+	request := getRequest(getID())
+	if request == nil {
+		logger.Debugln("(AssociategraphqlInfo) Request Not Found")
+		return
+	}
+	if request.Request.CustomDataType == nil {
+		request.Request.CustomDataType = map[string]string{}
+	}
+	if isQuery {
+		request.Request.CustomDataType["*.query"] = "GRAPHQL_QUERY"
+	}
+	if isVariable {
+		request.Request.CustomDataType["*.variables"] = "GRAPHQL_VARIABLE"
+	}
+
+}
+
 /**
  * Implementation for goroutines (created and deleted)
  */

diff --git a/security_instrumentation/sec_httpfuzz.go b/security_instrumentation/sec_httpfuzz.go
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/url"
 	"strconv"
 	"strings"
 	"sync"
@@ -81,11 +80,11 @@ func (httpFuzz SecHttpFuzz) ExecuteFuzzRequest(fuzzRequest *sechandler.FuzzRequr
 		secConfig.GlobalInfo.IastReplayRequest.IncreaseReplayRequestFailed()
 		return
 	}
-
-	v, err := url.ParseQuery(req.URL.RawQuery)
-	if err == nil {
-		req.URL.RawQuery = v.Encode()
-	}
+	req, _ = http.NewRequest(fuzzRequest.Method, fuzzRequestURL, strings.NewReader(fuzzRequest.Body))
+	// v, err := url.ParseQuery(req.URL.RawQuery)
+	// if err == nil {
+	// 	req.URL.RawQuery = v.Encode()
+	// }
 
 	for headerKey, headerValue := range fuzzRequest.Headers {
 		value := fmt.Sprintf("%v", headerValue)

diff --git a/security_intercept/intercept.go b/security_intercept/intercept.go
@@ -690,6 +690,8 @@ func SendEvent(caseType string, data ...interface{}) interface{} {
 		dynamodbHandler(data...)
 	case "REDIS":
 		redisHandler(data...)
+	case "GRAPHQL":
+		graphqlHandler(data...)
 
 	}
 	return nil
@@ -968,6 +970,21 @@ func redisHandler(data ...interface{}) {
 	secConfig.Secure.SendEvent("REDIS_DB_COMMAND", "REDIS", data)
 }
 
+func graphqlHandler(data ...interface{}) {
+	if data == nil || !isAgentInitialized() {
+		return
+	}
+	if len(data) < 2 {
+		return
+	}
+	query, ok := data[0].(bool)
+	variable, ok1 := data[1].(bool)
+	if ok && ok1 {
+		secConfig.Secure.AssociategraphqlInfo(query, variable)
+	}
+
+}
+
 func panicHandler(data ...interface{}) {
 
 	if nil == data || len(data) == 0 || !isAgentInitialized() {