ChilliCream
diff --git a/‎global.json
Lines changed: 1 addition & 2 deletions b/‎global.json
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/HotChocolate/AspNetCore/src/AspNetCore/ErrorHelper.cs
Lines changed: 6 additions & 0 deletions b/‎src/HotChocolate/AspNetCore/src/AspNetCore/ErrorHelper.cs
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/HotChocolate/AspNetCore/src/AspNetCore/HttpGetMiddleware.cs
Lines changed: 1 addition & 1 deletion b/‎src/HotChocolate/AspNetCore/src/AspNetCore/HttpGetMiddleware.cs
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/HotChocolate/AspNetCore/src/AspNetCore/HttpMultipartMiddleware.cs
Lines changed: 2 additions & 2 deletions b/‎src/HotChocolate/AspNetCore/src/AspNetCore/HttpMultipartMiddleware.cs
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/HotChocolate/AspNetCore/src/AspNetCore/HttpPostMiddleware.cs
Lines changed: 14 additions & 19 deletions b/‎src/HotChocolate/AspNetCore/src/AspNetCore/HttpPostMiddleware.cs
Lines changed: 14 additions & 19 deletions
diff --git a/‎src/HotChocolate/AspNetCore/src/AspNetCore/HttpPostMiddlewareBase.cs
Lines changed: 3 additions & 3 deletions b/‎src/HotChocolate/AspNetCore/src/AspNetCore/HttpPostMiddlewareBase.cs
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/HotChocolate/AspNetCore/src/AspNetCore/Serialization/DefaultHttpRequestParser.cs
Lines changed: 68 additions & 21 deletions b/‎src/HotChocolate/AspNetCore/src/AspNetCore/Serialization/DefaultHttpRequestParser.cs
Lines changed: 68 additions & 21 deletions
diff --git a/‎src/HotChocolate/AspNetCore/src/AspNetCore/Serialization/IHttpRequestParser.cs
Lines changed: 10 additions & 10 deletions b/‎src/HotChocolate/AspNetCore/src/AspNetCore/Serialization/IHttpRequestParser.cs
Lines changed: 10 additions & 10 deletions
diff --git a/‎src/HotChocolate/AspNetCore/src/AspNetCore/Subscriptions/Protocols/Apollo/ApolloSubscriptionProtocolHandler.cs
Lines changed: 22 additions & 1 deletion b/‎src/HotChocolate/AspNetCore/src/AspNetCore/Subscriptions/Protocols/Apollo/ApolloSubscriptionProtocolHandler.cs
Lines changed: 22 additions & 1 deletion
diff --git a/‎src/HotChocolate/AspNetCore/src/AspNetCore/Subscriptions/Protocols/GraphQLOverWebSocket/GraphQLOverWebSocketProtocolHandler.cs
Lines changed: 18 additions & 0 deletions b/‎src/HotChocolate/AspNetCore/src/AspNetCore/Subscriptions/Protocols/GraphQLOverWebSocket/GraphQLOverWebSocketProtocolHandler.cs
Lines changed: 18 additions & 0 deletions
@@ -1,6 +1,5 @@
 {
   "sdk": {
-    "version": "8.0.100",
-    "rollForward": "latestMinor"
+    "version": "8.0.100"
   }
 }
@@ -66,4 +66,10 @@ public static IQueryResult MultiPartRequestPreflightRequired()
             new Error(
                 ErrorHelper_MultiPartRequestPreflightRequired,
                 code: ErrorCodes.Server.MultiPartPreflightRequired));
+    
+    public static GraphQLRequestException InvalidQueryIdFormat()
+        => new GraphQLRequestException(
+            ErrorBuilder.New()
+                .SetMessage("Invalid query id format.")
+                .Build());
 }
@@ -127,7 +127,7 @@ private async Task HandleRequestAsync(HttpContext context)
         {
             try
             {
-                request = _requestParser.ReadParamsRequest(context.Request.Query);
+                request = _requestParser.ParseRequestFromParams(context.Request.Query);
             }
             catch (GraphQLRequestException ex)
             {
 
@@ -71,7 +71,7 @@ public override async Task InvokeAsync(HttpContext context)
         }
     }
 
-    protected override async ValueTask<IReadOnlyList<GraphQLRequest>> GetRequestsFromBody(
+    protected override async ValueTask<IReadOnlyList<GraphQLRequest>> ParseRequestsFromBody(
         HttpRequest httpRequest,
         CancellationToken cancellationToken)
     {
@@ -89,7 +89,7 @@ protected override async ValueTask<IReadOnlyList<GraphQLRequest>> GetRequestsFro
 
         // Parse the string values of interest from the IFormCollection
         var multipartRequest = ParseMultipartRequest(form);
-        var requests = RequestParser.ReadOperationsRequest(
+        var requests = RequestParser.ParseRequest(
             multipartRequest.Operations);
 
         foreach (var graphQLRequest in requests)
 
@@ -4,22 +4,17 @@
 
 namespace HotChocolate.AspNetCore;
 
-public sealed class HttpPostMiddleware : HttpPostMiddlewareBase
-{
-    public HttpPostMiddleware(
-        HttpRequestDelegate next,
-        IRequestExecutorResolver executorResolver,
-        IHttpResponseFormatter responseFormatter,
-        IHttpRequestParser requestParser,
-        IServerDiagnosticEvents diagnosticEvents,
-        string schemaName)
-        : base(
-            next,
-            executorResolver,
-            responseFormatter,
-            requestParser,
-            diagnosticEvents,
-            schemaName)
-    {
-    }
-}
+public sealed class HttpPostMiddleware(
+    HttpRequestDelegate next,
+    IRequestExecutorResolver executorResolver,
+    IHttpResponseFormatter responseFormatter,
+    IHttpRequestParser requestParser,
+    IServerDiagnosticEvents diagnosticEvents,
+    string schemaName)
+    : HttpPostMiddlewareBase(
+        next,
+        executorResolver,
+        responseFormatter,
+        requestParser,
+        diagnosticEvents,
+        schemaName);
@@ -111,7 +111,7 @@ protected async Task HandleRequestAsync(HttpContext context)
         {
             try
             {
-                requests = await GetRequestsFromBody(context.Request, context.RequestAborted);
+                requests = await ParseRequestsFromBody(context.Request, context.RequestAborted);
             }
             catch (GraphQLRequestException ex)
             {
@@ -283,10 +283,10 @@ protected async Task HandleRequestAsync(HttpContext context)
         }
     }
 
-    protected virtual ValueTask<IReadOnlyList<GraphQLRequest>> GetRequestsFromBody(
+    protected virtual ValueTask<IReadOnlyList<GraphQLRequest>> ParseRequestsFromBody(
         HttpRequest request,
         CancellationToken cancellationToken)
-        => RequestParser.ReadJsonRequestAsync(request.Body, cancellationToken);
+        => RequestParser.ParseRequestAsync(request.Body, cancellationToken);
 
     private static bool TryParseOperations(
         string operationNameString,
 
@@ -1,4 +1,6 @@
 using System.Buffers;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
 using Microsoft.AspNetCore.Http;
 using HotChocolate.Language;
 using HotChocolate.Utilities;
@@ -38,12 +40,12 @@ public DefaultHttpRequestParser(
             throw new ArgumentNullException(nameof(parserOptions));
     }
 
-    public ValueTask<IReadOnlyList<GraphQLRequest>> ReadJsonRequestAsync(
+    public ValueTask<IReadOnlyList<GraphQLRequest>> ParseRequestAsync(
         Stream stream,
         CancellationToken cancellationToken) =>
-        ReadAsync(stream, false, cancellationToken);
+        ReadAsync(stream, cancellationToken);
 
-    public GraphQLRequest ReadParamsRequest(IQueryCollection parameters)
+    public GraphQLRequest ParseRequestFromParams(IQueryCollection parameters)
     {
         // next we deserialize the GET request with the query request builder ...
         string? query = parameters[QueryKey];
@@ -52,7 +54,7 @@ public GraphQLRequest ReadParamsRequest(IQueryCollection parameters)
         IReadOnlyDictionary<string, object?>? extensions = null;
 
         // if we have no query or query id we cannot execute anything.
-        if (string.IsNullOrEmpty(query) && string.IsNullOrEmpty(queryId))
+        if (string.IsNullOrWhiteSpace(query) && string.IsNullOrWhiteSpace(queryId))
         {
             // so, if we do not find a top-level query or top-level id we will try to parse
             // the extensions and look in the extensions for Apollo`s active persisted
@@ -75,6 +77,11 @@ public GraphQLRequest ReadParamsRequest(IQueryCollection parameters)
             queryId = hash;
         }
 
+        if (!string.IsNullOrWhiteSpace(queryId))
+        {
+            EnsureValidQueryId(queryId);
+        }
+
         try
         {
             string? queryHash = null;
@@ -141,19 +148,17 @@ public GraphQLRequest ReadParamsRequest(IQueryCollection parameters)
         return (queryHash, document);
     }
 
-    public IReadOnlyList<GraphQLRequest> ReadOperationsRequest(
-        string operations) =>
-        Parse(operations, _parserOptions, _documentCache, _documentHashProvider);
+    public IReadOnlyList<GraphQLRequest> ParseRequest(
+        string operations)
+        => EnsureValidQueryId(Parse(operations, _parserOptions, _documentCache, _documentHashProvider));
 
     private async ValueTask<IReadOnlyList<GraphQLRequest>> ReadAsync(
         Stream stream,
-        bool isGraphQLQuery,
         CancellationToken cancellationToken)
     {
         try
         {
-            Func<byte[], int, IReadOnlyList<GraphQLRequest>> parse =
-                isGraphQLQuery ? ParseQuery : ParseRequest;
+            Func<byte[], int, IReadOnlyList<GraphQLRequest>> parse = ParseRequest;
 
             return await BufferHelper.ReadAsync(
                 stream,
@@ -171,6 +176,10 @@ private async ValueTask<IReadOnlyList<GraphQLRequest>> ReadAsync(
                 static () => throw DefaultHttpRequestParser_MaxRequestSizeExceeded(),
                 cancellationToken);
         }
+        catch (GraphQLRequestException)
+        {
+            throw;
+        }
         catch (SyntaxException ex)
         {
             throw DefaultHttpRequestParser_SyntaxError(ex);
@@ -186,29 +195,67 @@ private IReadOnlyList<GraphQLRequest> ParseRequest(
         int bytesBuffered)
     {
         var graphQLData = new ReadOnlySpan<byte>(buffer);
-        graphQLData = graphQLData.Slice(0, bytesBuffered);
+        graphQLData = graphQLData[..bytesBuffered];
 
         var requestParser = new Utf8GraphQLRequestParser(
             graphQLData,
             _parserOptions,
             _documentCache,
             _documentHashProvider);
+        
+        return EnsureValidQueryId(requestParser.Parse());
+    }
+
+    internal static IReadOnlyList<GraphQLRequest> EnsureValidQueryId(IReadOnlyList<GraphQLRequest> requests)
+    {
+        if (requests.Count == 1)
+        {
+            var request = requests[0];
+            if (!string.IsNullOrWhiteSpace(request.QueryId))
+            {
+                EnsureValidQueryId(request.QueryId);
+            }
+            return requests;
+        }
 
-        return requestParser.Parse();
+        foreach (var request in requests)
+        {
+            if (!string.IsNullOrWhiteSpace(request.QueryId))
+            {
+                EnsureValidQueryId(request.QueryId);
+            }
+        }
+        return requests;
     }
 
-    private IReadOnlyList<GraphQLRequest> ParseQuery(
-        byte[] buffer,
-        int bytesBuffered)
+    private static void EnsureValidQueryId(string queryId)
     {
-        var graphQLData = new ReadOnlySpan<byte>(buffer);
-        graphQLData = graphQLData.Slice(0, bytesBuffered);
+        var span = queryId.AsSpan();
+        ref var start = ref MemoryMarshal.GetReference(span);
+        ref var end = ref Unsafe.Add(ref start, span.Length);
 
-        var requestParser = new Utf8GraphQLParser(graphQLData, _parserOptions);
+        while (Unsafe.IsAddressLessThan(ref start, ref end))
+        {
+            if (!IsLetterOrDigitOrUnderscoreOrHyphen((byte)start))
+            {
+                throw ErrorHelper.InvalidQueryIdFormat();
+            }
+            start = ref Unsafe.Add(ref start, 1)!;
+        }
+    }
 
-        var queryHash = _documentHashProvider.ComputeHash(graphQLData);
-        var document = requestParser.Parse();
+    [MethodImpl(MethodImplOptions.AggressiveInlining)]
+    private static bool IsLetterOrDigitOrUnderscoreOrHyphen(byte c)
+    {
+        switch (c)
+        {
+            case > 96 and < 123 or > 64 and < 91:
+            case > 47 and < 58:
+            case 45 or 95:
+                return true;
 
-        return new[] { new GraphQLRequest(document, queryHash), };
+            default:
+                return false;
+        }
     }
 }
@@ -20,29 +20,29 @@ public interface IHttpRequestParser
     /// <returns>
     /// Returns the parsed GraphQL request.
     /// </returns>
-    ValueTask<IReadOnlyList<GraphQLRequest>> ReadJsonRequestAsync(
+    ValueTask<IReadOnlyList<GraphQLRequest>> ParseRequestAsync(
         Stream requestBody,
         CancellationToken cancellationToken);
 
     /// <summary>
-    /// Parses a GraphQL HTTP GET request from the HTTP query parameters.
+    /// Parses the operations string from an GraphQL HTTP MultiPart request.
     /// </summary>
-    /// <param name="parameters">
-    /// The HTTP query parameter collection.
+    /// <param name="operations">
+    /// The operations string.
     /// </param>
     /// <returns>
     /// Returns the parsed GraphQL request.
     /// </returns>
-    GraphQLRequest ReadParamsRequest(IQueryCollection parameters);
-
+    IReadOnlyList<GraphQLRequest> ParseRequest(string operations);
+    
     /// <summary>
-    /// Parses the operations string from an GraphQL HTTP MultiPart request.
+    /// Parses a GraphQL HTTP GET request from the HTTP query parameters.
     /// </summary>
-    /// <param name="operations">
-    /// The operations string.
+    /// <param name="parameters">
+    /// The HTTP query parameter collection.
     /// </param>
     /// <returns>
     /// Returns the parsed GraphQL request.
     /// </returns>
-    IReadOnlyList<GraphQLRequest> ReadOperationsRequest(string operations);
+    GraphQLRequest ParseRequestFromParams(IQueryCollection parameters);
 }
@@ -1,6 +1,7 @@
 using System.Buffers;
 using System.Diagnostics.CodeAnalysis;
 using System.Text.Json;
+using HotChocolate.AspNetCore.Serialization;
 using HotChocolate.Language;
 using HotChocolate.Execution.Serialization;
 using HotChocolate.Utilities;
@@ -149,6 +150,25 @@ await connection.CloseAsync(
                     return;
                 }
             }
+            catch (GraphQLRequestException ex)
+            {
+                if (!root.TryGetProperty(Id, out idProp) ||
+                    idProp.ValueKind is not JsonValueKind.String ||
+                    string.IsNullOrEmpty(idProp.GetString()))
+                {
+                    await connection.CloseAsync(
+                        Apollo_OnReceive_InvalidMessageType,
+                        CloseReasons.InvalidMessage,
+                        cancellationToken);
+                    return;
+                }
+
+                await SendErrorMessageAsync(
+                    session,
+                    idProp.GetString()!,
+                    ex.Errors,
+                    cancellationToken);
+            }
             catch (SyntaxException ex)
             {
                 if (!root.TryGetProperty(Id, out idProp) ||
@@ -325,7 +345,8 @@ idProp.ValueKind is not JsonValueKind.String ||
             message = null;
             return false;
         }
-
+        
+        DefaultHttpRequestParser.EnsureValidQueryId(request);
         message = new DataStartMessage(id, request[0]);
         return true;
     }
 
@@ -1,6 +1,7 @@
 using System.Buffers;
 using System.Diagnostics.CodeAnalysis;
 using System.Text.Json;
+using HotChocolate.AspNetCore.Serialization;
 using HotChocolate.Execution.Serialization;
 using HotChocolate.Language;
 using HotChocolate.Utilities;
@@ -147,6 +148,22 @@ await SendConnectionAcceptMessage(
                     return;
                 }
             }
+            catch (GraphQLRequestException ex)
+            {
+                if (!root.TryGetProperty(Id, out idProp) ||
+                    idProp.ValueKind is not JsonValueKind.String ||
+                    string.IsNullOrEmpty(idProp.GetString()))
+                {
+                    await connection.CloseInvalidSubscribeMessageAsync(cancellationToken);
+                    return;
+                }
+                
+                await SendErrorMessageAsync(
+                    session,
+                    idProp.GetString()!,
+                    ex.Errors,
+                    cancellationToken);
+            }
             catch (SyntaxException ex)
             {
                 if (!root.TryGetProperty(Id, out idProp) ||
@@ -315,6 +332,7 @@ idProp.ValueKind is not JsonValueKind.String ||
             return false;
         }
 
+        DefaultHttpRequestParser.EnsureValidQueryId(request);
         message = new SubscribeMessage(id, request[0]);
         return true;
     }
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"sdk": {`
`3`		`- "version": "8.0.100",`
`4`		`- "rollForward": "latestMinor"`
	`3`	`+ "version": "8.0.100"`
`5`	`4`	`}`
`6`	`5`	`}`
Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ private async Task HandleRequestAsync(HttpContext context)`
`127`	`127`	`{`
`128`	`128`	`try`
`129`	`129`	`{`
`130`		`- request = _requestParser.ReadParamsRequest(context.Request.Query);`
	`130`	`+ request = _requestParser.ParseRequestFromParams(context.Request.Query);`
`131`	`131`	`}`
`132`	`132`	`catch (GraphQLRequestException ex)`
`133`	`133`	`{`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ public override async Task InvokeAsync(HttpContext context)`
`71`	`71`	`}`
`72`	`72`	`}`
`73`	`73`
`74`		`- protected override async ValueTask<IReadOnlyList<GraphQLRequest>> GetRequestsFromBody(`
	`74`	`+ protected override async ValueTask<IReadOnlyList<GraphQLRequest>> ParseRequestsFromBody(`
`75`	`75`	`HttpRequest httpRequest,`
`76`	`76`	`CancellationToken cancellationToken)`
`77`	`77`	`{`
`@@ -89,7 +89,7 @@ protected override async ValueTask<IReadOnlyList<GraphQLRequest>> GetRequestsFro`
`89`	`89`
`90`	`90`	`// Parse the string values of interest from the IFormCollection`
`91`	`91`	`var multipartRequest = ParseMultipartRequest(form);`
`92`		`- var requests = RequestParser.ReadOperationsRequest(`
	`92`	`+ var requests = RequestParser.ParseRequest(`
`93`	`93`	`multipartRequest.Operations);`
`94`	`94`
`95`	`95`	`foreach (var graphQLRequest in requests)`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ protected async Task HandleRequestAsync(HttpContext context)`
`111`	`111`	`{`
`112`	`112`	`try`
`113`	`113`	`{`
`114`		`- requests = await GetRequestsFromBody(context.Request, context.RequestAborted);`
	`114`	`+ requests = await ParseRequestsFromBody(context.Request, context.RequestAborted);`
`115`	`115`	`}`
`116`	`116`	`catch (GraphQLRequestException ex)`
`117`	`117`	`{`
`@@ -283,10 +283,10 @@ protected async Task HandleRequestAsync(HttpContext context)`
`283`	`283`	`}`
`284`	`284`	`}`
`285`	`285`
`286`		`- protected virtual ValueTask<IReadOnlyList<GraphQLRequest>> GetRequestsFromBody(`
	`286`	`+ protected virtual ValueTask<IReadOnlyList<GraphQLRequest>> ParseRequestsFromBody(`
`287`	`287`	`HttpRequest request,`
`288`	`288`	`CancellationToken cancellationToken)`
`289`		`- => RequestParser.ReadJsonRequestAsync(request.Body, cancellationToken);`
	`289`	`+ => RequestParser.ParseRequestAsync(request.Body, cancellationToken);`
`290`	`290`
`291`	`291`	`private static bool TryParseOperations(`
`292`	`292`	`string operationNameString,`