Stamp out any question of injection attacks against graphql query

Learn the lessons of the 1990s and use "variables", as God intended.
rackerlabs · Nov 20, 2024 · 29b987e · 29b987e
1 parent 00392c6
commit 29b987e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 13 deletions.
diff --git a/python/understack-workflows/tests/test_nautobot_device.py b/python/understack-workflows/tests/test_nautobot_device.py
@@ -26,8 +26,8 @@ def update(self, *_):
             pass
 
     class Graphql:
-        def query(self, graphql):
-            if "61:80" in graphql:
+        def query(self, graphql, variables=None):
+            if "pattern" in graphql and variables:
                 return FakeNautobot.SwitchResponse()
             if "33GSW04" in graphql:
                 return FakeNautobot.GraphqlResponse(

diff --git a/python/understack-workflows/understack_workflows/nautobot_device.py b/python/understack-workflows/understack_workflows/nautobot_device.py
@@ -148,19 +148,18 @@ def nautobot_switches(nautobot, mac_addresses: set[str]) -> dict[str, dict]:
     """
     pattern = "|".join(mac_addresses)
 
-    query = (
-        """{
-        devices(cf_chassis_mac_address__re: "(%s)"){
-            id name
-            mac: cf_chassis_mac_address
-            location { id name }
-            rack { id name }
+    query = """
+        query($pattern: [String!]){
+            devices(cf_chassis_mac_address__re: $pattern){
+                id name
+                mac: cf_chassis_mac_address
+                location { id name }
+                rack { id name }
+            }
         }
-    }"""
-        % pattern
-    )
+    """
 
-    result = nautobot.graphql.query(query)
+    result = nautobot.graphql.query(query, variables={"pattern": pattern})
     if not result.json or result.json.get("errors"):
         raise Exception(f"Nautobot switch graphql query failed: {result}")
     switches = result.json["data"]["devices"]