Avoid graphql query injection vulnerability in remaining graphql queries

Use the "variables" feature to avoid string interpolation in making these queries.
rackerlabs · Nov 20, 2024 · 84afca5 · 84afca5
1 parent 29b987e
commit 84afca5
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 30 deletions.
diff --git a/python/understack-workflows/tests/test_nautobot_device.py b/python/understack-workflows/tests/test_nautobot_device.py
@@ -26,10 +26,10 @@ def update(self, *_):
             pass
 
     class Graphql:
-        def query(self, graphql, variables=None):
-            if "pattern" in graphql and variables:
+        def query(self, graphql, variables: dict):
+            if "pattern" in variables:
                 return FakeNautobot.SwitchResponse()
-            if "33GSW04" in graphql:
+            if "serial" in variables:
                 return FakeNautobot.GraphqlResponse(
                     "json_samples/bmc_chassis_info/R7615/nautobot_graphql_response_server_device_33GSW04.json"
                 )

diff --git a/python/understack-workflows/understack_workflows/main/undersync_device.py b/python/understack-workflows/understack_workflows/main/undersync_device.py
@@ -60,9 +60,15 @@ def update_nautobot_for_provisioning(
 
 
 def vlan_group_id_for(device_id, nautobot):
-    result = nautobot.session.graphql.query(
-        f'{{device(id: "{device_id}") {{ rel_vlan_group_to_devices {{id}}}}}}'
-    )
+    query = """
+        query($device_id: ID!){
+            device(id: $device_id) {
+                rel_vlan_group_to_devices {id}
+            }
+        }
+    """
+    variables = {"device_id": device_id}
+    result = nautobot.session.graphql.query(query=query, variables=variables)
     if not result.json or result.json.get("errors"):
         raise Exception(f"Nautobot vlan_group graphql query failed: {result}")
     return result.json["data"]["device"]["rel_vlan_group_to_devices"]["id"]

diff --git a/python/understack-workflows/understack_workflows/nautobot_device.py b/python/understack-workflows/understack_workflows/nautobot_device.py
@@ -222,33 +222,35 @@ def _parse_manufacturer(name: str) -> str:
 
 
 def nautobot_server(nautobot, serial: str) -> NautobotDevice | None:
-    query = f"""{{
-        devices(serial: ["{serial}"]){{
-            id name
-            location {{ id name }}
-            rack {{ id name }}
-            interfaces {{
+    query = """
+        query($serial: String!){
+            devices(serial: [$serial]){
                 id name
-                type description mac_address
-                status {{ name }}
-                connected_interface {{
+                location { id name }
+                rack { id name }
+                interfaces {
                     id name
-                    device {{
+                    type description mac_address
+                    status { name }
+                    connected_interface {
                         id name
-                        mac: cf_chassis_mac_address
-                        location {{ id name }}
-                        rack {{ id name }}
-                    }}
-                }}
-                ip_addresses {{
-                    id host
-                    parent {{ prefix }}
-                }}
-            }}
-        }}
-    }}"""
-
-    result = nautobot.graphql.query(query)
+                        device {
+                            id name
+                            mac: cf_chassis_mac_address
+                            location { id name }
+                            rack { id name }
+                        }
+                    }
+                    ip_addresses {
+                        id host
+                        parent { prefix }
+                    }
+                }
+            }
+        }
+    """
+
+    result = nautobot.graphql.query(query, variables={"serial": serial})
     if not result.json or result.json.get("errors"):
         raise Exception(f"Nautobot server graphql query failed: {result}")