Merge branch 'main' into dependabot/uv/authlib-1.6.11

Author: omar2535

.gitignore

@@ -28,6 +28,7 @@ dist/
 *-test/
 *-tests/
 graphqler-output/
+graphqler-output-no-llm/
 
 # Codeql
 codeql/

graphqler/__main__.py

@@ -11,7 +11,7 @@
 from graphqler.graph import GraphGenerator
 from graphqler.utils.stats import Stats
 from graphqler.utils.cli_utils import set_auth_token_constant, set_idor_auth_token_constant, is_compiled
-from graphqler.utils.config_handler import parse_config, set_config, generate_new_config, does_config_file_exist_in_path
+from graphqler.utils.config_handler import parse_config, set_config, generate_new_config, does_config_file_exist_in_path, write_config_to_toml
 from graphqler.utils.file_utils import get_or_create_directory
 from graphqler import config
 
@@ -187,6 +187,12 @@ def main(args: dict):
     if args.get('use_llm'):
         config.USE_LLM = True
         print("(P) LLM mode enabled via CLI flag")
+    if args.get('no_llm_compilation'):
+        config.LLM_USE_FOR_COMPILATION = False
+        print("(P) LLM disabled for compilation phase")
+    if args.get('no_llm_fuzzing'):
+        config.LLM_USE_FOR_FUZZING = False
+        print("(P) LLM disabled for fuzzing phase")
     if args.get('llm_report'):
         config.LLM_ENABLE_REPORTER = True
     if args.get('llm_model'):
@@ -203,6 +209,14 @@ def main(args: dict):
         config.DISABLE_MUTATIONS = True
         print("(P) Mutation fuzzing disabled — only Query chains will be generated")
 
+    # Apply detections CLI override
+    if args.get('no_detections'):
+        config.SKIP_INJECTION_ATTACKS = True
+        config.SKIP_MISC_ATTACKS = True
+        config.SKIP_DOS_ATTACKS = True
+        config.SKIP_ENUMERATION_ATTACKS = True
+        print("(P) All detections disabled")
+
     # Apply ablation CLI overrides
     if args.get('no_objects_bucket'):
         config.USE_OBJECTS_BUCKET = False
@@ -220,6 +234,19 @@ def main(args: dict):
         config.SKIP_SUBSCRIPTIONS = False
         print("(P) Subscription fuzzing enabled")
 
+    if args.get('no_endpoint_results'):
+        config.SAVE_ENDPOINT_RESULTS = False
+        print("(P) Endpoint results writing disabled")
+
+    if args.get('classic_coverage'):
+        config.NO_DATA_COUNT_AS_SUCCESS = True
+    if args.get('debug'):
+        config.DEBUG = True
+        print("(P) Classic coverage mode enabled — all non-error responses count as successes")
+
+    # Persist the final resolved config (file defaults + CLI overrides) back to disk
+    write_config_to_toml(f"{args['path']}/{config.CONFIG_FILE_NAME}")
+
     # Initialize the compiler and fuzzer
     compiler = Compiler(args['path'], args['url'])
     # Start the program
@@ -298,12 +325,15 @@ def main(args: dict):
     parser.add_argument("--node", help="node to run (only used in single mode)", required=False)
     parser.add_argument("--plugins-path", help="path to plugins directory", required=False)
     parser.add_argument("--use-llm", help="enable LLM-powered features: dependency graph inference, endpoint classification, IDOR chain classification, and UAF chain classification (requires LLM_MODEL and credentials)", action="store_true", default=False)
+    parser.add_argument("--no-llm-compilation", help="disable LLM during the compilation phase (dependency resolver, IDOR/UAF chain classifiers) — overrides --use-llm for that phase", action="store_true", default=False)
+    parser.add_argument("--no-llm-fuzzing", help="disable LLM during the fuzzing phase (payload generation, error retry, endpoint classification, report) — overrides --use-llm for that phase", action="store_true", default=False)
     parser.add_argument("--llm-report", help="generate an LLM vulnerability report (report.md) after fuzzing completes — requires --use-llm", action="store_true", default=False)
     parser.add_argument("--llm-model", help="litellm model string, e.g. 'gpt-4o-mini', 'ollama/llama3', 'anthropic/claude-3-5-haiku-20241022'", required=False)
     parser.add_argument("--llm-api-key", help="API key for the LLM provider (or set OPENAI_API_KEY / ANTHROPIC_API_KEY env var)", required=False)
     parser.add_argument("--llm-base-url", help="custom base URL for LLM endpoint (required for Ollama and LiteLLM proxies)", required=False)
     parser.add_argument("--llm-max-retries", help="number of retries when LLM returns non-JSON (default: 2)", type=int, required=False)
     parser.add_argument("--disable-mutations", help="only generate and run Query chains — all Mutation nodes are excluded from fuzzing", action="store_true", default=False)
+    parser.add_argument("--no-detections", help="disable all vulnerability detections (injection, misc, DoS, enumeration, API-level checks)", action="store_true", default=False)
 
     # Ablation / research flags
     parser.add_argument("--no-objects-bucket", help="ablation: disable the objects bucket — requests carry no state from prior responses", action="store_true", default=False)
@@ -312,7 +342,9 @@ def main(args: dict):
     parser.add_argument("--allow-deletion", help="remove objects from the bucket when a DELETE mutation succeeds (default: off)", action="store_true", default=False)
     parser.add_argument("--subscriptions", help="enable fuzzing of GraphQL subscriptions via WebSocket (disabled by default — requires WebSocket support on the target)", action="store_true", default=False)
 
-    parser.add_argument("--version", help="display version", action="store_true")
+    parser.add_argument("--no-endpoint-results", help="skip writing per-endpoint result files to disk (useful when results are very large)", action="store_true", default=False)
+    parser.add_argument("--classic-coverage", help="count responses with no data as successes (sets NO_DATA_COUNT_AS_SUCCESS=true)", action="store_true", default=False)
+    parser.add_argument("--debug", help="enable debug mode: runs the fuzzer in a thread instead of a subprocess so pdb/breakpoint() work", action="store_true", default=False)
 
     # MCP server flags (handled before argument parsing; registered here for --help visibility)
     parser.add_argument("--mcp", help="launch the GraphQLer MCP server (requires pip install GraphQLer[mcp])", action="store_true", default=False)

graphqler/chains/chain.py

@@ -1,5 +1,6 @@
 """Chain dataclass representing an ordered sequence of nodes to execute."""
 
+import uuid
 from dataclasses import dataclass, field
 from graphqler.graph.node import Node
 
@@ -32,6 +33,7 @@ class Chain:
 
     steps: list[ChainStep] = field(default_factory=list)
     name: str = ""
+    id: str = field(default_factory=lambda: str(uuid.uuid4()))
     confidence: float = 1.0  # classifier score; 1.0 for statically-derived chains, heuristic score for IDOR candidates
     reason: str = ""         # human-readable explanation (if applicable)
 

graphqler/chains/chain_generator.py

@@ -1,5 +1,6 @@
 """ChainGenerator: generates, saves, and loads dependency chains."""
 
+import uuid
 from pathlib import Path
 
 import networkx
@@ -70,6 +71,7 @@ def save_to_yaml(self, save_path: str) -> None:
             data = []
             for chain in chains:
                 entry: dict = {
+                    "id": chain.id,
                     "steps": [{"node": step.node.name, "profile": step.profile_name} for step in chain.steps],
                     "confidence": round(chain.confidence, 4),
                     "reason": chain.reason,
@@ -120,6 +122,7 @@ def load_from_yaml(self, save_path: str, graph: networkx.DiGraph) -> list[Chain]
 
                 if steps:
                     chains.append(Chain(
+                        id=entry.get("id", str(uuid.uuid4())),
                         steps=steps,
                         confidence=entry.get("idor_confidence", entry.get("confidence", 1.0)),
                         reason=entry.get("idor_reason", entry.get("reason", "")),

graphqler/chains/strategies/idor_strategy.py

@@ -61,7 +61,7 @@ def generate(self, graph: networkx.DiGraph | None, starter_nodes: list[Node],
                                                         f"heuristic: {reason}"))
                 continue
 
-            if config.IDOR_USE_LLM_FALLBACK and config.USE_LLM:
+            if config.IDOR_USE_LLM_FALLBACK and config.USE_LLM and config.LLM_USE_FOR_COMPILATION:
                 is_candidate, llm_reason = llm_idor_classifier.classify(chain, split_index)
                 if is_candidate:
                     effective_split = split_index if split_index > 0 else self._last_create_split(chain)

graphqler/chains/strategies/uaf_strategy.py

@@ -87,7 +87,7 @@ def generate(self, graph: networkx.DiGraph | None, starter_nodes: list[Node],
                                                        f"heuristic: {reason}"))
                 continue
 
-            if config.UAF_USE_LLM_FALLBACK and config.USE_LLM:
+            if config.UAF_USE_LLM_FALLBACK and config.USE_LLM and config.LLM_USE_FOR_COMPILATION:
                 is_candidate, llm_reason = llm_uaf_classifier.classify(chain, split_index)
                 if is_candidate:
                     effective_split = split_index if split_index > 0 else self._last_delete_split(chain)

graphqler/compiler/compiler.py

@@ -193,7 +193,7 @@ def run_resolvers_and_save(self, introspection_result: dict):
         objects = ObjectDependencyResolver().resolve(objects)
         objects = ObjectMethodResolver().resolve(objects, queries, mutations)
 
-        if config.USE_LLM:
+        if config.USE_LLM and config.LLM_USE_FOR_COMPILATION:
             print(f"(C) Using LLM resolver ({config.LLM_MODEL}) for dependency graph inference …")
             mut_resolver = LLMMutationObjectResolver()
             qry_resolver = LLMQueryObjectResolver()

graphqler/compiler/resolvers/mutation_object_resolver.py

@@ -4,6 +4,9 @@
 hardDependsOn: A dictionary of inputname-object name that is required
                in the input (NON-NULL), depends on, ie: {'userId': 'User'}
 softDependsOn: A dictionary of inputname-object name, depends on, ie: {'userId': 'User'}
+produces:      A string containing the inner object type that a list/connection mutation produces
+               (e.g. 'Country').  Populated when the output type is a connection/wrapper
+               whose items/nodes/edges field holds OBJECT elements.
 """
 
 import re
@@ -35,12 +38,12 @@ def resolve(
         for mutation_name, mutation in mutations.items():
             mutation_type = self.get_mutation_action(mutation_name, mutation["description"])
             inputs_related_to_ids = self.get_inputs_related_to_ids(mutation["inputs"], input_objects)
-            resolved_objects_to_inputs = self.resolve_inputs_related_to_ids_to_objects(mutation_name, inputs_related_to_ids, objects)
+            resolved_objects_to_inputs = self.resolve_inputs_related_to_ids_to_objects(mutation_name, inputs_related_to_ids, objects, operation=mutation)
 
-            # Assign the enrichments
             mutations[mutation_name]["hardDependsOn"] = resolved_objects_to_inputs["hardDependsOn"]
             mutations[mutation_name]["softDependsOn"] = resolved_objects_to_inputs["softDependsOn"]
             mutations[mutation_name]["mutationType"] = mutation_type
+            mutations[mutation_name]["produces"] = self._resolve_produces(mutation, objects)
 
         return mutations
 

graphqler/compiler/resolvers/query_object_resolver.py

@@ -3,6 +3,10 @@
 hardDependsOn: A dictionary of inputname-object name that is required
                in the input (NON-NULL), depends on, ie: {'userId': 'User'}
 softDependsOn: A dictionary of inputname-object name, depends on, ie: {'userId': 'User'}
+produces:      A string containing the inner object type that a list/connection query produces
+               (e.g. 'Country').  Populated when the output type is a connection/wrapper
+               whose items/nodes/edges field holds OBJECT elements — used to drive scheduling
+               in the dependency graph so list queries run before singular ID-argument queries.
 """
 
 from .resolver import Resolver
@@ -18,22 +22,25 @@ def resolve(
         queries: dict,
         input_objects: dict,
     ) -> dict:
-        """Resolve query inputs to queries based on semantical understanding of IDs
+        """Resolve query inputs to queries based on semantical understanding of IDs.
+        Also annotates list/connection queries with a ``produces`` field containing
+        the inner item type so the dependency graph can order list queries before
+        singular ID-argument queries.
 
         Args:
-            objects (dict): Objects to link the mutations to
+            objects (dict): Objects to link the queries to
             queries (dict): Queries to parse through
             input_objects (dict): Input objects to recursively search through different input object inputs
 
         Returns:
-            dict: The mutations enriched with aforementioned fields
+            dict: The queries enriched with aforementioned fields
         """
         for query_name, query in queries.items():
             inputs_related_to_ids = self.get_inputs_related_to_ids(query["inputs"], input_objects)
-            resolved_objects_to_inputs = self.resolve_inputs_related_to_ids_to_objects(query_name, inputs_related_to_ids, objects)
+            resolved_objects_to_inputs = self.resolve_inputs_related_to_ids_to_objects(query_name, inputs_related_to_ids, objects, operation=query)
 
-            # Assign the enrichments
             queries[query_name]["hardDependsOn"] = resolved_objects_to_inputs["hardDependsOn"]
             queries[query_name]["softDependsOn"] = resolved_objects_to_inputs["softDependsOn"]
+            queries[query_name]["produces"] = self._resolve_produces(query, objects)
 
         return queries