[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration

pitboss 2026-05-20 18:05:31 -05:00
parent 00b0fbaea9
commit f9bd51c024
84 changed files with 5898 additions and 40 deletions


@ -0,0 +1,9 @@
// Phase 21 — Apollo resolver benign control.
const _NYX_ADAPTER_MARKER = "require('@apollo/server')";
function resolveUser(parent, args, ctx) {
const id = String(args.id || '').replace(/[^A-Za-z0-9_-]/g, '');
return { id, name: 'user-' + id };
}
module.exports = { resolveUser };
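Review bot: The benign control omits the SQL construction entirely, so it differs from the vulnerable resolver in two ways at once: the id is filtered and the sink is gone. A clean result here therefore cannot show that the analyzer credits the `replace(/[^A-Za-z0-9_-]/g, '')` filter, only that it stays quiet when no query is built. Assuming this file is meant as the counterpart of the vulnerable fixture, keeping the query shape with a bound value, e.g. `const query = 'SELECT * FROM users WHERE id = ?'; const params = [id];` and returning both, would make the pair differ only in the property under test. Separately, `args.id || ''` turns a numeric id of `0` into the empty string; `args.id ?? ''` keeps it.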


@ -0,0 +1,14 @@
// Phase 21 (Track M.3) — Apollo GraphQL resolver vuln fixture.
//
// `resolveUser(parent, args)` is a resolver from an Apollo schema that
// splices `args.id` into a SQL query via raw string concatenation —
// classic GraphQL → SQLi shape.
const _NYX_ADAPTER_MARKER = "require('@apollo/server')";
function resolveUser(parent, args, ctx) {
// SINK: tainted args.id concatenated into SQL.
const query = "SELECT * FROM users WHERE id = '" + args.id + "'";
return { id: args.id, name: 'user-' + args.id, _query: query };
}
module.exports = { resolveUser };
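Review bot: The line marked `// SINK` only assembles a string; nothing in the visible fixture hands `query` to a database call, so the fixture pins down detection of SQL-shaped concatenation rather than tainted data reaching an execution sink. The header comment should say which of the two the analyzer is expected to report, so that a later change to sink modelling does not silently turn this into a false negative. The header also names `resolveUser(parent, args)` while the signature takes `ctx` as well. I would add a line such as `// Intentionally vulnerable test fixture: do not reuse; the safe form binds args.id as a query parameter.` above the function so the file is not mistaken for sample code.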