Skip to content

Commit e37768a

Browse files
committed
security(my-work): prevent GraphQL injection via username parameter
Move username and max parameters from string interpolation to GraphQL variables. Prevents potential injection attacks if username contains malicious query syntax.
1 parent f5c0a9f commit e37768a

1 file changed

Lines changed: 18 additions & 18 deletions

File tree

src/server/my-work-tool.ts

Lines changed: 18 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -70,40 +70,40 @@ export function registerMyWorkTool(server: FastMCP): void {
7070
}
7171

7272
const max = args.maxResults;
73-
const query = `query {
74-
authored: search(query: "is:pr is:open author:${username}", type: ISSUE, first: ${max}) {
75-
nodes {
76-
... on PullRequest {
73+
const query = `query($username:String!,$max:Int!){
74+
authored:search(query:"is:pr is:open author:$username",type:ISSUE,first:$max){
75+
nodes{
76+
...on PullRequest{
7777
__typename number title isDraft updatedAt
78-
repository { nameWithOwner }
79-
author { login }
78+
repository{nameWithOwner}
79+
author{login}
8080
reviewDecision
81-
commits(last: 1) { nodes { commit { statusCheckRollup { state } } } }
81+
commits(last:1){nodes{commit{statusCheckRollup{state}}}}
8282
}
8383
}
8484
}
85-
reviewRequested: search(query: "is:pr is:open review-requested:${username}", type: ISSUE, first: ${max}) {
86-
nodes {
87-
... on PullRequest {
85+
reviewRequested:search(query:"is:pr is:open review-requested:$username",type:ISSUE,first:$max){
86+
nodes{
87+
...on PullRequest{
8888
__typename number title updatedAt
89-
repository { nameWithOwner }
90-
author { login }
89+
repository{nameWithOwner}
90+
author{login}
9191
}
9292
}
9393
}
94-
assignedIssues: search(query: "is:issue is:open assignee:${username}", type: ISSUE, first: ${max}) {
95-
nodes {
96-
... on Issue {
94+
assignedIssues:search(query:"is:issue is:open assignee:$username",type:ISSUE,first:$max){
95+
nodes{
96+
...on Issue{
9797
__typename number title updatedAt
98-
repository { nameWithOwner }
99-
labels(first: 5) { nodes { name } }
98+
repository{nameWithOwner}
99+
labels(first:5){nodes{name}}
100100
}
101101
}
102102
}
103103
}`;
104104

105105
try {
106-
const data = await graphqlQuery<SearchResponse>(query);
106+
const data = await graphqlQuery<SearchResponse>(query, { username, max });
107107

108108
const allAuthoredPrs = data.authored.nodes
109109
.filter((n): n is GraphQLPullRequest => n.__typename === "PullRequest")

0 commit comments

Comments
 (0)