fix: ensure mis model name mismatch cannot cause unexpected behavior

aws-amplify · Nov 21, 2024 · 8ca3240 · 8ca3240
1 parent 89ad85a
commit 8ca3240
Show file tree

Hide file tree

Showing 9 changed files with 248 additions and 34 deletions.
diff --git a/.changeset/stale-apricots-turn.md b/.changeset/stale-apricots-turn.md
@@ -0,0 +1,5 @@
+---
+'@aws-amplify/data-schema': patch
+---
+
+fix prevent mis model mismatch
diff --git a/packages/data-schema/__tests__/runtime/APIClient.test.ts b/packages/data-schema/__tests__/runtime/APIClient.test.ts
@@ -809,27 +809,39 @@ describe('generateGraphQLDocument()', () => {
     };
 
     test.each([
-      ['GET', 'User', '$userId: ID!'],
+      ['GET', userSchemaModel, '$userId: ID!'],
       [
         'GET',
-        'Product',
+        productSchemaModel,
         '$sku: String!,$factoryId: String!,$warehouseId: String!',
       ],
-      ['GET', 'person', 'getPerson'],
-      ['LIST', 'person', 'listPeople'],
-      ['LIST', 'person', '$filter: ModelPersonFilterInput'],
-      ['CREATE', 'person', '$input: CreatePersonInput!'],
-      ['UPDATE', 'person', '$input: UpdatePersonInput!'],
-      ['DELETE', 'person', '$input: DeletePersonInput!'],
-      ['ONCREATE', 'person', '$filter: ModelSubscriptionPersonFilterInput'],
-      ['ONUPDATE', 'person', '$filter: ModelSubscriptionPersonFilterInput'],
-      ['ONDELETE', 'person', '$filter: ModelSubscriptionPersonFilterInput'],
+      ['GET', personSchemaModel, 'getPerson'],
+      ['LIST', personSchemaModel, 'listPeople'],
+      ['LIST', personSchemaModel, '$filter: ModelPersonFilterInput'],
+      ['CREATE', personSchemaModel, '$input: CreatePersonInput!'],
+      ['UPDATE', personSchemaModel, '$input: UpdatePersonInput!'],
+      ['DELETE', personSchemaModel, '$input: DeletePersonInput!'],
+      [
+        'ONCREATE',
+        personSchemaModel,
+        '$filter: ModelSubscriptionPersonFilterInput',
+      ],
+      [
+        'ONUPDATE',
+        personSchemaModel,
+        '$filter: ModelSubscriptionPersonFilterInput',
+      ],
+      [
+        'ONDELETE',
+        personSchemaModel,
+        '$filter: ModelSubscriptionPersonFilterInput',
+      ],
     ])(
       '%s generates operation name or arguments for model %s to contain %s',
-      (modelOperation, modelName, expectedArgs) => {
+      (modelOperation, model, expectedArgs) => {
         const document = generateGraphQLDocument(
           mockModelDefinitions,
-          modelName,
+          model,
           modelOperation as ModelOperation,
         );
 
@@ -873,31 +885,31 @@ describe('generateGraphQLDocument()', () => {
 
     test.each([
       [
-        'EnumAsIndexPartitionKey',
+        modelIntroSchema.models.EnumAsIndexPartitionKey,
         '$status: EnumAsIndexPartitionKeyStatus!',
         getIndexMeta('EnumAsIndexPartitionKey'),
         { status: 'yes' },
       ],
       [
-        'EnumAsIndexSortKey',
+        modelIntroSchema.models.EnumAsIndexSortKey,
         '$status: ModelStringKeyConditionInput',
         getIndexMeta('EnumAsIndexSortKey'),
         { title: 'test' },
       ],
       [
-        'RefEnumAsIndexPartitionKey',
+        modelIntroSchema.models.RefEnumAsIndexPartitionKey,
         '$status: EnumIndexStatus!',
         getIndexMeta('RefEnumAsIndexPartitionKey'),
         { status: 'yes' },
       ],
       [
-        'RefEnumAsIndexSortKey',
+        modelIntroSchema.models.RefEnumAsIndexSortKey,
         '$status: ModelStringKeyConditionInput',
         getIndexMeta('RefEnumAsIndexSortKey'),
         { title: 'test' },
       ],
       [
-        'SecondaryIndexModel',
+        modelIntroSchema.models.SecondaryIndexModel,
         '$timestamp: ModelIntKeyConditionInput',
         getIndexMeta(
           'SecondaryIndexModel',
@@ -907,10 +919,10 @@ describe('generateGraphQLDocument()', () => {
       ],
     ])(
       'generates document for model %p containing input type: %p',
-      (modelName, expectedSortKeyInputString, indexMeta, args) => {
+      (model, expectedSortKeyInputString, indexMeta, args) => {
         const document = generateGraphQLDocument(
           modelIntroSchema,
-          modelName,
+          model,
           modelOperation,
           args,
           indexMeta,

diff --git a/packages/data-schema/src/runtime/internals/APIClient.ts b/packages/data-schema/src/runtime/internals/APIClient.ts
@@ -1,7 +1,6 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
 // SPDX-License-Identifier: Apache-2.0
-
 import {
   AmplifyServer,
   AssociationBelongsTo,
@@ -245,7 +244,7 @@ export function initializeModel(
               if (record[curVal]) {
                 acc[curVal] = record[curVal];
               }
-              return acc; 
+              return acc;
             },
             {},
           );
@@ -843,13 +842,11 @@ export function generateSelectionSet(
 
 export function generateGraphQLDocument(
   modelIntrospection: ModelIntrospectionSchema,
-  modelName: string,
+  modelDefinition: SchemaModel,
   modelOperation: ModelOperation,
   listArgs?: ListArgs | QueryArgs,
   indexMeta?: IndexMeta,
 ): string {
-  const modelDefinition = modelIntrospection.models[modelName];
-
   const {
     name,
     pluralName,
@@ -917,7 +914,7 @@ export function generateGraphQLDocument(
       )?.properties?.name;
 
       skQueryArgs = {
-        [compositeSkArgName]: `Model${capitalize(modelName)}${capitalize(keyName)}CompositeKeyConditionInput`,
+        [compositeSkArgName]: `Model${capitalize(name)}${capitalize(keyName)}CompositeKeyConditionInput`,
       };
     }
 
@@ -941,7 +938,7 @@ export function generateGraphQLDocument(
 
   const selectionSetFields = generateSelectionSet(
     modelIntrospection,
-    modelName,
+    name,
     selectionSet as ListArgs['selectionSet'],
   );
 
@@ -1011,7 +1008,7 @@ export function generateGraphQLDocument(
         const compositeSkArgName = resolvedSkName(sortKeyFieldNames);
 
         return {
-          [compositeSkArgName]: `Model${capitalize(modelName)}PrimaryCompositeKeyConditionInput`,
+          [compositeSkArgName]: `Model${capitalize(name)}PrimaryCompositeKeyConditionInput`,
         };
       }
     }

diff --git a/packages/data-schema/src/runtime/internals/operations/get.ts b/packages/data-schema/src/runtime/internals/operations/get.ts
@@ -92,7 +92,7 @@ function _get(
 
     const query = generateGraphQLDocument(
       modelIntrospection,
-      name,
+      model,
       operation,
       options,
     );

diff --git a/packages/data-schema/src/runtime/internals/operations/indexQuery.ts b/packages/data-schema/src/runtime/internals/operations/indexQuery.ts
@@ -120,7 +120,7 @@ function _indexQuery(
 
     const query = generateGraphQLDocument(
       modelIntrospection,
-      name,
+      model,
       'INDEX_QUERY',
       args,
       indexMeta,
@@ -189,7 +189,12 @@ function _indexQuery(
       const { data, errors } = error;
 
       // `data` is not `null`, and is not an empty object:
-      if (data !== undefined && data !== null && Object.keys(data).length !== 0 && errors) {
+      if (
+        data !== undefined &&
+        data !== null &&
+        Object.keys(data).length !== 0 &&
+        errors
+      ) {
         const [key] = Object.keys(data);
 
         if (data[key]?.items) {

diff --git a/packages/data-schema/src/runtime/internals/operations/list.ts b/packages/data-schema/src/runtime/internals/operations/list.ts
@@ -60,7 +60,7 @@ export function listFactory(
       getInternals,
       args,
       undefined,
-      customUserAgentDetails
+      customUserAgentDetails,
     );
   };
 
@@ -81,7 +81,7 @@ function _list(
 
     const query = generateGraphQLDocument(
       modelIntrospection,
-      name,
+      model,
       'LIST',
       args,
     );

diff --git a/packages/data-schema/src/runtime/internals/operations/subscription.ts b/packages/data-schema/src/runtime/internals/operations/subscription.ts
@@ -32,7 +32,7 @@ export function subscriptionFactory(
   const subscription = (args?: Record<string, any>) => {
     const query = generateGraphQLDocument(
       modelIntrospection,
-      name,
+      model,
       operation,
       args,
     );

diff --git a/...tion-tests/__tests__/defined-behavior/3-exhaustive/__snapshots__/mis-manipulation.ts.snap b/...tion-tests/__tests__/defined-behavior/3-exhaustive/__snapshots__/mis-manipulation.ts.snap
@@ -0,0 +1,56 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`Manipulated MIS cannot be used to call the wrong model create an item 1`] = `
+[
+  [
+    {
+      "authMode": undefined,
+      "authToken": undefined,
+      "query": "mutation($input: CreateTodoInput!) { createTodo(input: $input) { id content createdAt updatedAt } }",
+      "variables": {
+        "input": {
+          "content": "My new todo",
+        },
+      },
+    },
+    {},
+  ],
+]
+`;
+
+exports[`Manipulated MIS cannot be used to call the wrong model delete an item 1`] = `
+[
+  [
+    {
+      "authMode": undefined,
+      "authToken": undefined,
+      "query": "mutation($input: DeleteTodoInput!) { deleteTodo(input: $input) { id content createdAt updatedAt } }",
+      "variables": {
+        "input": {
+          "id": "123123213",
+        },
+      },
+    },
+    {},
+  ],
+]
+`;
+
+exports[`Manipulated MIS cannot be used to call the wrong model update an item 1`] = `
+[
+  [
+    {
+      "authMode": undefined,
+      "authToken": undefined,
+      "query": "mutation($input: UpdateTodoInput!) { updateTodo(input: $input) { id content createdAt updatedAt } }",
+      "variables": {
+        "input": {
+          "content": "Updated content",
+          "id": "some_id",
+        },
+      },
+    },
+    {},
+  ],
+]
+`;