From 7da16a4f8b0109077072b9f2e77137c66c4c1e8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexandru=20M=C4=83r=C4=83=C8=99teanu?= Date: Wed, 25 Sep 2024 17:24:37 +0100 Subject: [PATCH 1/6] fix: show 404 if request is GET and queries are not allowed --- strawberry/http/async_base_view.py | 3 +++ strawberry/http/sync_base_view.py | 3 +++ 2 files changed, 6 insertions(+) diff --git a/strawberry/http/async_base_view.py b/strawberry/http/async_base_view.py index 7eef89aa40..e2ea44f3d1 100644 --- a/strawberry/http/async_base_view.py +++ b/strawberry/http/async_base_view.py @@ -184,6 +184,9 @@ async def run( else: raise HTTPException(404, "Not Found") + if request_adapter.method == "GET" and not self.allow_queries_via_get: + raise HTTPException(404, "Not Found") + sub_response = await self.get_sub_response(request) context = ( await self.get_context(request, response=sub_response) diff --git a/strawberry/http/sync_base_view.py b/strawberry/http/sync_base_view.py index f1ce7ca19a..c2e0c8c840 100644 --- a/strawberry/http/sync_base_view.py +++ b/strawberry/http/sync_base_view.py @@ -180,6 +180,9 @@ def run( else: raise HTTPException(404, "Not Found") + if request_adapter.method == "GET" and not self.allow_queries_via_get: + raise HTTPException(404, "Not Found") + sub_response = self.get_sub_response(request) context = ( self.get_context(request, response=sub_response) From 8b622e8bc31eb6c61cd72bd14724d111f719822d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexandru=20M=C4=83r=C4=83=C8=99teanu?= Date: Wed, 25 Sep 2024 17:38:46 +0100 Subject: [PATCH 2/6] fix: return 405; update tests --- strawberry/http/async_base_view.py | 3 ++- strawberry/http/sync_base_view.py | 3 ++- tests/http/test_query_via_get.py | 6 ++++-- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/strawberry/http/async_base_view.py b/strawberry/http/async_base_view.py index e2ea44f3d1..26ae9f3f4a 100644 --- a/strawberry/http/async_base_view.py +++ b/strawberry/http/async_base_view.py 
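Review bot: The guard added to `run()` in async_base_view.py only works because of where it sits, and nothing in the code says so. It comes after the preceding `else: raise HTTPException(404, "Not Found")` branch and before `get_sub_response`/`get_context`, so moving it later would again let context-building code run for a GET that is about to be refused. I would put a comment above it, for example `# Reject disallowed GET here, before get_sub_response/get_context run.` The condition tests only the method, so with `allow_queries_via_get` off every GET that reaches this point is refused, not just queries; if that is intended, the comment should say so. The identical guard in the sync_base_view.py hunk wants the same comment, and `run()` starts and ends outside both hunks.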
@@ -2,6 +2,7 @@ import asyncio import contextlib import json +from http import HTTPStatus from typing import ( Any, AsyncGenerator, @@ -185,7 +186,7 @@ async def run( raise HTTPException(404, "Not Found") if request_adapter.method == "GET" and not self.allow_queries_via_get: - raise HTTPException(404, "Not Found") + raise HTTPException(HTTPStatus.METHOD_NOT_ALLOWED, HTTPStatus.METHOD_NOT_ALLOWED.phrase) sub_response = await self.get_sub_response(request) context = ( diff --git a/strawberry/http/sync_base_view.py b/strawberry/http/sync_base_view.py index c2e0c8c840..ea075fe401 100644 --- a/strawberry/http/sync_base_view.py +++ b/strawberry/http/sync_base_view.py @@ -1,5 +1,6 @@ import abc import json +from http import HTTPStatus from typing import ( Any, Callable, @@ -181,7 +182,7 @@ def run( raise HTTPException(404, "Not Found") if request_adapter.method == "GET" and not self.allow_queries_via_get: - raise HTTPException(404, "Not Found") + raise HTTPException(HTTPStatus.METHOD_NOT_ALLOWED, HTTPStatus.METHOD_NOT_ALLOWED.phrase) sub_response = self.get_sub_response(request) context = ( diff --git a/tests/http/test_query_via_get.py b/tests/http/test_query_via_get.py index 5e7557a197..57c22af8c0 100644 --- a/tests/http/test_query_via_get.py +++ b/tests/http/test_query_via_get.py @@ -1,3 +1,5 @@ +from http import HTTPStatus + from .clients.base import HttpClient @@ -40,5 +42,5 @@ async def test_fails_if_allow_queries_via_get_false(http_client_class): response = await http_client.query(method="get", query="{ hello }") - assert response.status_code == 400 - assert "queries are not allowed when using GET" in response.text + assert response.status_code == HTTPStatus.METHOD_NOT_ALLOWED + assert response.text == HTTPStatus.METHOD_NOT_ALLOWED.phrase From e98048a816df68ad74a6eb5a464befd649f459ad Mon Sep 17 00:00:00 2001 
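Review bot: The 405 now raised in `run()` of async_base_view.py carries no `Allow` header, which RFC 9110 requires on a 405 response so clients can see which methods are accepted. The call passes only a status and a reason to `HTTPException`, so the header would have to be set where the exception becomes a response, or the exception extended to carry headers; the hunk does not show which the project supports. The reason is also now the bare phrase, whereas the removed assertion in this patch's test hunk shows the old body read `queries are not allowed when using GET`, which told an operator more about the cause. The same applies to the sync_base_view.py hunk. `run()` starts and ends outside the hunk.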
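Review bot: `test_fails_if_allow_queries_via_get_false` checks only the status and body, so it would still pass if the guard were moved back to after context creation, which is the processing this series sets out to stop. A stronger test would have the view's context getter or the `hello` resolver record that it ran and assert that it did not; the fixtures for that are outside the hunk, so this is described rather than quoted. The RELEASE.md added later in the series also does not mention that the status changes from 400 to 405, which clients can observe. The test function starts outside the hunk.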
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 16:40:21 +0000 Subject: [PATCH 3/6] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- strawberry/http/async_base_view.py | 4 +++- strawberry/http/sync_base_view.py | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/strawberry/http/async_base_view.py b/strawberry/http/async_base_view.py index 26ae9f3f4a..9644ad0379 100644 --- a/strawberry/http/async_base_view.py +++ b/strawberry/http/async_base_view.py @@ -186,7 +186,9 @@ async def run( raise HTTPException(404, "Not Found") if request_adapter.method == "GET" and not self.allow_queries_via_get: - raise HTTPException(HTTPStatus.METHOD_NOT_ALLOWED, HTTPStatus.METHOD_NOT_ALLOWED.phrase) + raise HTTPException( + HTTPStatus.METHOD_NOT_ALLOWED, HTTPStatus.METHOD_NOT_ALLOWED.phrase + ) sub_response = await self.get_sub_response(request) context = ( diff --git a/strawberry/http/sync_base_view.py b/strawberry/http/sync_base_view.py index ea075fe401..c46ea4c413 100644 --- a/strawberry/http/sync_base_view.py +++ b/strawberry/http/sync_base_view.py @@ -182,7 +182,9 @@ def run( raise HTTPException(404, "Not Found") if request_adapter.method == "GET" and not self.allow_queries_via_get: - raise HTTPException(HTTPStatus.METHOD_NOT_ALLOWED, HTTPStatus.METHOD_NOT_ALLOWED.phrase) + raise HTTPException( + HTTPStatus.METHOD_NOT_ALLOWED, HTTPStatus.METHOD_NOT_ALLOWED.phrase + ) sub_response = self.get_sub_response(request) context = ( From 724a89e177478d71ce834f8ad41a3cd2cd5d207c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexandru=20M=C4=83r=C4=83=C8=99teanu?= Date: Wed, 25 Sep 2024 17:41:53 +0100 Subject: [PATCH 4/6] fix: formatting --- strawberry/http/async_base_view.py | 3 ++- strawberry/http/sync_base_view.py | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/strawberry/http/async_base_view.py b/strawberry/http/async_base_view.py index 9644ad0379..abb83ced91 100644 --- a/strawberry/http/async_base_view.py +++ b/strawberry/http/async_base_view.py @@ -187,7 +187,8 @@ async def run( if request_adapter.method == "GET" and not self.allow_queries_via_get: raise HTTPException( - HTTPStatus.METHOD_NOT_ALLOWED, HTTPStatus.METHOD_NOT_ALLOWED.phrase + HTTPStatus.METHOD_NOT_ALLOWED, + HTTPStatus.METHOD_NOT_ALLOWED.phrase, ) sub_response = await self.get_sub_response(request) diff --git a/strawberry/http/sync_base_view.py b/strawberry/http/sync_base_view.py index c46ea4c413..4307cf1057 100644 --- a/strawberry/http/sync_base_view.py +++ b/strawberry/http/sync_base_view.py @@ -183,7 +183,8 @@ def run( if request_adapter.method == "GET" and not self.allow_queries_via_get: raise HTTPException( - HTTPStatus.METHOD_NOT_ALLOWED, HTTPStatus.METHOD_NOT_ALLOWED.phrase + HTTPStatus.METHOD_NOT_ALLOWED, + HTTPStatus.METHOD_NOT_ALLOWED.phrase, ) sub_response = self.get_sub_response(request) From 8ada7a61a411ca3565f4e94a8ffe1a397f5dacd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexandru=20M=C4=83r=C4=83=C8=99teanu?= Date: Wed, 25 Sep 2024 17:44:22 +0100 Subject: [PATCH 5/6] fix: add missing RELEASE.md --- RELEASE.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 RELEASE.md diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 0000000000..13075aa444 --- /dev/null +++ b/RELEASE.md @@ -0,0 +1,3 @@ +Release type: patch + +This release fixes an issue where a GET request is processed despite it being disallowed. From c1ac8c985d6bc52f88571da4c66f49e96bd9d981 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexandru=20M=C4=83r=C4=83=C8=99teanu?= Date: Wed, 25 Sep 2024 18:02:26 +0100 Subject: [PATCH 6/6] fix: test --- tests/http/test_query_via_get.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/http/test_query_via_get.py b/tests/http/test_query_via_get.py index 57c22af8c0..58b99af6ff 100644 
--- a/tests/http/test_query_via_get.py +++ b/tests/http/test_query_via_get.py @@ -43,4 +43,4 @@ async def test_fails_if_allow_queries_via_get_false(http_client_class): response = await http_client.query(method="get", query="{ hello }") assert response.status_code == HTTPStatus.METHOD_NOT_ALLOWED - assert response.text == HTTPStatus.METHOD_NOT_ALLOWED.phrase + assert HTTPStatus.METHOD_NOT_ALLOWED.phrase in response.text