fix: issues caught by fuzzer

core/init.go

@@ -74,7 +74,7 @@ func (sg *SuperGraph) initConfig() error {
 	}
 
 	if c.RolesQuery == "" {
-		sg.log.Printf("WRN roles_query not defined: attribute based access control disabled")
+		sg.log.Printf("INF roles_query not defined: attribute based access control disabled")
 	}
 
 	_, userExists := sg.roles["user"]

core/internal/allow/allow.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"log"
 	"os"
 	"sort"
 	"strings"
@@ -35,6 +36,7 @@ type List struct {
 type Config struct {
 	CreateIfNotExists bool
 	Persist           bool
+	Log               *log.Logger
 }
 
 func New(filename string, conf Config) (*List, error) {
@@ -80,6 +82,12 @@ func New(filename string, conf Config) (*List, error) {
 		} else {
 			al.filepath = filename
 		}
+
+		if file, err := os.OpenFile(al.filepath, os.O_RDONLY|os.O_CREATE, 0644); err != nil {
+			return nil, err
+		} else {
+			file.Close()
+		}
 	}
 
 	var err error
@@ -89,8 +97,10 @@ func New(filename string, conf Config) (*List, error) {
 
 		go func() {
 			for v := range al.saveChan {
-				if err = al.save(v); err != nil {
-					break
+				err := al.save(v)
+
+				if err != nil && conf.Log != nil {
+					conf.Log.Println("WRN allow list save:", err)
 				}
 			}
 		}()

core/internal/psql/fuzz.go

@@ -11,7 +11,7 @@ import (
 var (
 	qcompileTest, _ = qcode.NewCompiler(qcode.Config{})
 
-	schema = GetTestSchema()
+	schema, _ = GetTestSchema()
 
 	vars = map[string]string{
 		"admin_account_id": "5",
@@ -25,6 +25,37 @@ var (
 
 // FuzzerEntrypoint for Fuzzbuzz
 func Fuzz(data []byte) int {
+	err1 := query(data)
+	err2 := insert(data)
+	err3 := update(data)
+	err4 := delete(data)
+
+	if err1 != nil || err2 != nil || err3 != nil || err4 != nil {
+		return 0
+	}
+
+	return 1
+}
+
+func query(data []byte) error {
+	gql := data
+
+	qc, err1 := qcompileTest.Compile(gql, "user")
+
+	vars := map[string]json.RawMessage{
+		"data": json.RawMessage(data),
+	}
+
+	_, _, err2 := pcompileTest.CompileEx(qc, vars)
+
+	if err1 != nil {
+		return err1
+	} else {
+		return err2
+	}
+}
+
+func insert(data []byte) error {
 	gql := `mutation {
 		product(insert: $data) {
 			id
@@ -47,9 +78,57 @@ func Fuzz(data []byte) int {
 	}
 
 	_, _, err = pcompileTest.CompileEx(qc, vars)
+	return err
+}
+
+func update(data []byte) error {
+	gql := `mutation {
+		product(insert: $data) {
+			id
+			name
+			user {
+				id
+				full_name
+				email
+			}
+		}
+	}`
+
+	qc, err := qcompileTest.Compile([]byte(gql), "user")
 	if err != nil {
-		return 0
+		panic("qcompile can't fail")
 	}
 
-	return 1
+	vars := map[string]json.RawMessage{
+		"data": json.RawMessage(data),
+	}
+
+	_, _, err = pcompileTest.CompileEx(qc, vars)
+	return err
+}
+
+func delete(data []byte) error {
+	gql := `mutation {
+		product(insert: $data) {
+			id
+			name
+			user {
+				id
+				full_name
+				email
+			}
+		}
+	}`
+
+	qc, err := qcompileTest.Compile([]byte(gql), "user")
+	if err != nil {
+		panic("qcompile can't fail")
+	}
+
+	vars := map[string]json.RawMessage{
+		"data": json.RawMessage(data),
+	}
+
+	_, _, err = pcompileTest.CompileEx(qc, vars)
+	return err
 }

core/internal/psql/fuzz_test.go

@@ -0,0 +1,20 @@
+// +build gofuzz
+
+package psql
+
+import (
+	"testing"
+)
+
+var ret int
+
+func TestFuzzCrashers(t *testing.T) {
+	var crashers = []string{
+		"{\"connect\":{}}",
+		"q(q{q{q{q{q{q{q{q{",
+	}
+
+	for _, f := range crashers {
+		ret = Fuzz([]byte(f))
+	}
+}

core/internal/psql/mutate.go

@@ -542,6 +542,10 @@ func (c *compilerContext) renderConnectStmt(qc *qcode.QCode, w io.Writer,
 
 	rel := item.relPC
 
+	if rel == nil {
+		return errors.New("invalid connect value")
+	}
+
 	// Render only for parent-to-child relationship of one-to-one
 	// For this to work the child needs to found first so it's primary key
 	// can be set in the related column on the parent object.

core/internal/psql/query.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"strconv"
 	"strings"
 
 	"github.com/dosco/super-graph/core/internal/qcode"
@@ -79,6 +80,10 @@ func (co *Compiler) CompileEx(qc *qcode.QCode, vars Variables) (Metadata, []byte
 }
 
 func (co *Compiler) Compile(w io.Writer, qc *qcode.QCode, vars Variables) (Metadata, error) {
+	if qc == nil {
+		return Metadata{}, fmt.Errorf("qcode is nil")
+	}
+
 	switch qc.Type {
 	case qcode.QTQuery:
 		return co.compileQuery(w, qc, vars)
@@ -1352,26 +1357,6 @@ func squoted(w io.Writer, identifier string) {
 	io.WriteString(w, `'`)
 }
 
-const charset = "0123456789"
-
 func int32String(w io.Writer, val int32) {
-	if val < 10 {
-		w.Write([]byte{charset[val]})
-		return
-	}
-
-	temp := int32(0)
-	val2 := val
-	for val2 > 0 {
-		temp *= 10
-		temp += val2 % 10
-		val2 = int32(float64(val2 / 10))
-	}
-
-	val3 := temp
-	for val3 > 0 {
-		d := val3 % 10
-		val3 /= 10
-		w.Write([]byte{charset[d]})
-	}
+	io.WriteString(w, strconv.FormatInt(int64(val), 10))
 }

core/internal/qcode/bench.10

@@ -0,0 +1,11 @@
+goos: darwin
+goarch: amd64
+pkg: github.com/dosco/super-graph/core/internal/qcode
+BenchmarkQCompile-16        	  120888	      9236 ns/op	    3755 B/op	      28 allocs/op
+BenchmarkQCompileP-16       	  502248	      2620 ns/op	    3795 B/op	      28 allocs/op
+BenchmarkParse-16           	  128370	      9294 ns/op	    3902 B/op	      18 allocs/op
+BenchmarkParseP-16          	  575752	      2340 ns/op	    3903 B/op	      18 allocs/op
+BenchmarkSchemaParse-16     	  212048	      5779 ns/op	    3968 B/op	      57 allocs/op
+BenchmarkSchemaParseP-16    	  630918	      1686 ns/op	    3968 B/op	      57 allocs/op
+PASS
+ok  	github.com/dosco/super-graph/core/internal/qcode	7.710s

core/internal/qcode/parse.go

@@ -201,6 +201,7 @@ func (p *Parser) peek(types ...itemType) bool {
 	// if p.items[n]._type == itemEOF {
 	// 	return false
 	// }
+
 	if n >= len(p.items) {
 		return false
 	}
@@ -299,7 +300,7 @@ func (p *Parser) parseFields(fields []Field) ([]Field, error) {
 			return nil, fmt.Errorf("too many fields (max %d)", maxFields)
 		}
 
-		if p.peek(itemObjClose) {
+		if p.peek(itemEOF, itemObjClose) {
 			p.ignore()
 			st.Pop()
 
@@ -385,7 +386,7 @@ func (p *Parser) parseOpParams(args []Arg) ([]Arg, error) {
 			return nil, fmt.Errorf("too many args (max %d)", maxArgs)
 		}
 
-		if p.peek(itemArgsClose) {
+		if p.peek(itemEOF, itemArgsClose) {
 			p.ignore()
 			break
 		}
@@ -403,7 +404,7 @@ func (p *Parser) parseArgs(args []Arg) ([]Arg, error) {
 			return nil, fmt.Errorf("too many args (max %d)", maxArgs)
 		}
 
-		if p.peek(itemArgsClose) {
+		if p.peek(itemEOF, itemArgsClose) {
 			p.ignore()
 			break
 		}
@@ -470,7 +471,7 @@ func (p *Parser) parseObj() (*Node, error) {
 	parent.Reset()
 
 	for {
-		if p.peek(itemObjClose) {
+		if p.peek(itemEOF, itemObjClose) {
 			p.ignore()
 			break
 		}

core/prepare.go

@@ -187,15 +187,14 @@ func (sg *SuperGraph) initAllowList() error {
 	var ac allow.Config
 	var err error
 
-	if len(sg.conf.AllowListFile) == 0 {
-		sg.conf.UseAllowList = false
-		sg.log.Printf("WRN allow list disabled no file specified")
+	if sg.conf.AllowListFile == "" {
+		sg.conf.AllowListFile = "allow.list"
 	}
 
 	// When list is not eabled it is still created and
 	// and new queries are saved to it.
 	if !sg.conf.UseAllowList {
-		ac = allow.Config{CreateIfNotExists: true, Persist: true}
+		ac = allow.Config{CreateIfNotExists: true, Persist: true, Log: sg.log}
 	}
 
 	sg.allowList, err = allow.New(sg.conf.AllowListFile, ac)

go.mod

@@ -18,6 +18,7 @@ require (
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/dlclark/regexp2 v1.2.0 // indirect
 	github.com/dop251/goja v0.0.0-20200424152103-d0b8fda54cd0
+	github.com/dvyukov/go-fuzz v0.0.0-20200318091601-be3528f3a813 // indirect
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/garyburd/redigo v1.6.0
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
@@ -29,6 +30,7 @@ require (
 	github.com/openzipkin/zipkin-go v0.2.2
 	github.com/pelletier/go-toml v1.7.0 // indirect
 	github.com/pkg/errors v0.9.1
+	github.com/prometheus/common v0.4.0
 	github.com/rs/cors v1.7.0
 	github.com/spf13/afero v1.2.2 // indirect
 	github.com/spf13/cast v1.3.1 // indirect

go.sum

@@ -35,7 +35,9 @@ github.com/adjust/gorails v0.0.0-20171013043634-2786ed0c03d3 h1:+qz9Ga6l6lKw6fgv
 github.com/adjust/gorails v0.0.0-20171013043634-2786ed0c03d3/go.mod h1:FlkD11RtgMTYjVuBnb7cxoHmQGqvPpCsr2atC88nl/M=
 github.com/akavel/rsrc v0.8.0 h1:zjWn7ukO9Kc5Q62DOJCcxGpXC18RawVtYAGdz2aLlfw=
 github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/aws/aws-sdk-go v1.15.27 h1:i75BxN4Es/8rTVQbEKAP1WCiIhhz635xTNeDdZJRAXQ=
@@ -85,6 +87,8 @@ github.com/dlclark/regexp2 v1.2.0 h1:8sAhBGEM0dRWogWqWyQeIJnxjWO6oIjl8FKqREDsGfk
 github.com/dlclark/regexp2 v1.2.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dop251/goja v0.0.0-20200424152103-d0b8fda54cd0 h1:EfFAcaAwGai/wlDCWwIObHBm3T2C2CCPX/SaS0fpOJ4=
 github.com/dop251/goja v0.0.0-20200424152103-d0b8fda54cd0/go.mod h1:Mw6PkjjMXWbTj+nnj4s3QPXq1jaT0s5pC0iFD4+BOAA=
+github.com/dvyukov/go-fuzz v0.0.0-20200318091601-be3528f3a813 h1:NgO45/5mBLRVfiXerEFzH6ikcZ7DNRPS639xFg3ENzU=
+github.com/dvyukov/go-fuzz v0.0.0-20200318091601-be3528f3a813/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
@@ -220,6 +224,7 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
@@ -319,6 +324,7 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeV
 github.com/shurcooL/vfsgen v0.0.0-20181202132449-6a9ea43bcacd/go.mod h1:TrYk7fJVaAttu97ZZKrO9UbRa8izdowaMIZcxYMbVaw=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
@@ -543,6 +549,7 @@ google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ij
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.1 h1:q4XQuHFC6I28BKZpo6IYyb3mNO+l7lSOxRuYTCiDfXk=
 google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/serv/cmd.go

@@ -156,7 +156,7 @@ func cmdVersion(cmd *cobra.Command, args []string) {
 
 func BuildDetails() string {
 	if len(version) == 0 {
-		return fmt.Sprintf(`
+		return `
 Super Graph (unknown version)
 For documentation, visit https://supergraph.dev
 
@@ -166,7 +166,7 @@ To build with version information please use the Makefile
 
 Licensed under the Apache Public License 2.0
 Copyright 2020, Vikram Rangnekar
-`)
+`
 	}
 
 	return fmt.Sprintf(`

jsn/clear.go

@@ -3,6 +3,7 @@ package jsn
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"io"
 )
 
@@ -68,7 +69,12 @@ func Clear(w *bytes.Buffer, v []byte) error {
 				}
 
 				io := int(dec.InputOffset())
-				w.Write(v[io-len(v1)-2 : io])
+				s := io - len(v1) - 2
+				if io <= s || s <= 0 {
+					return errors.New("invalid json")
+				}
+
+				w.Write(v[s:io])
 				w.WriteString(`:`)
 				isValue = true
 

jsn/fuzz_test.go

@@ -8,6 +8,8 @@ import (
 	"github.com/dosco/super-graph/jsn"
 )
 
+var ret int
+
 func TestFuzzCrashers(t *testing.T) {
 	var crashers = []string{
 		"00\"0000\"0{",
@@ -56,9 +58,16 @@ func TestFuzzCrashers(t *testing.T) {
 		"0000\"0\"{",
 		"000\"000\"{",
 		"\"00000000\"{",
+		`0000"00"00000000"000000000"00"000000000000000"00000"00000": "00"0"__twitter_id": [{ "name": "hello" }, { "name": "world"}]`,
+		`0000"000000000000000000000000000000000000"00000000"000000000"00"000000000000000"00000"00000": "00000000000000"00000"__twitter_id": [{ "name": "hello" }, { "name": "world"}]`,
+		`00"__twitter_id":[{ "name": "hello" }, { "name": "world"}]`,
+		"\"\xb0\xef\xbd\xe3\xbd\xef\x99\xe3\xbd\xef\xbd\xef\xbd\xef\xbd\xe5\x99\xe3\xbd" +
+			"\xef\x99\xe3\"",
+		"\"\xef\xe3\xef\xe3\xe3\xe3\xef\xe3\xe3\xef\xe3\xef\xe3\xe3\xe3\xef\xe3\xef\xe3" +
+			"\xe3\xef\xef\xef\xe5\xe3\xef\xe3\xc6\xef\xef\xef\xe5\xe3\xef\xe3\xc6\xef\xef\"",
 	}
 
 	for _, f := range crashers {
-		_ = jsn.Fuzz([]byte(f))
+		ret = jsn.Fuzz([]byte(f))
 	}
 }

jsn/replace.go

@@ -133,9 +133,18 @@ func Replace(w *bytes.Buffer, b []byte, from, to []Field) error {
 		if e != 0 {
 			e++
 
+			if e <= s {
+				return errors.New("invalid json")
+			}
+
 			if _, err := h.Write(b[s:e]); err != nil {
 				return err
 			}
+
+			if (we + 1) <= ws {
+				return errors.New("invalid json")
+			}
+
 			n, ok := tmap[h.Sum64()]
 			h.Reset()