Added Number value literal lookahead restrictions (#6823)

AntonC9018 · web-flow · commit 9a718ee4c600 · 2024-01-16T10:05:51.000+01:00
diff --git a/src/HotChocolate/Core/test/Types.Analyzers.Tests/packages.lock.json b/src/HotChocolate/Core/test/Types.Analyzers.Tests/packages.lock.json
diff --git a/src/HotChocolate/Diagnostics/test/Diagnostics.Tests/__snapshots__/ServerInstrumentationTests.Http_Post_parser_error.snap b/src/HotChocolate/Diagnostics/test/Diagnostics.Tests/__snapshots__/ServerInstrumentationTests.Http_Post_parser_error.snap
@@ -26,7 +26,7 @@
             {
               "Name": "Error",
               "Tags": {
-                "graphql.error.message": "Expected a `Name`-token, but found a `Integer`-token.",
+                "graphql.error.message": "Found a NameStart character `n` (110) following a number, which is disallowed.",
                 "graphql.error.code": "HC0011",
                 "graphql.error.location.column": 37,
                 "graphql.error.location.line": 10
diff --git a/src/HotChocolate/Diagnostics/test/Diagnostics.Tests/__snapshots__/ServerInstrumentationTests.Http_Post_parser_error__NET7.snap b/src/HotChocolate/Diagnostics/test/Diagnostics.Tests/__snapshots__/ServerInstrumentationTests.Http_Post_parser_error__NET7.snap
@@ -28,7 +28,7 @@
               "Tags": [
                 {
                   "Key": "graphql.error.message",
-                  "Value": "Expected a `Name`-token, but found a `Integer`-token."
+                  "Value": "Found a NameStart character `n` (110) following a number, which is disallowed."
                 },
                 {
                   "Key": "graphql.error.code",
diff --git a/src/HotChocolate/Fusion/test/Shared/packages.lock.json b/src/HotChocolate/Fusion/test/Shared/packages.lock.json
diff --git a/src/HotChocolate/Language/src/Language.Utf8/Properties/LangUtf8Resources.Designer.cs b/src/HotChocolate/Language/src/Language.Utf8/Properties/LangUtf8Resources.Designer.cs
diff --git a/src/HotChocolate/Language/src/Language.Utf8/Properties/LangUtf8Resources.resx b/src/HotChocolate/Language/src/Language.Utf8/Properties/LangUtf8Resources.resx
@@ -159,6 +159,9 @@
   <data name="UnexpectedCharacter" xml:space="preserve">
     <value>Unexpected character `{0}` ({1}).</value>
   </data>
+  <data name="DisallowedNameCharacterAfterNumber" xml:space="preserve">
+    <value>Found a NameStart character `{0}` ({1}) following a number, which is disallowed.</value>
+  </data>
   <data name="InvalidCharacterEscapeSequence" xml:space="preserve">
     <value>Invalid character escape sequence: \{0}.</value>
   </data>
diff --git a/src/HotChocolate/Language/src/Language.Utf8/Utf8GraphQLReader.cs b/src/HotChocolate/Language/src/Language.Utf8/Utf8GraphQLReader.cs
@@ -339,9 +339,9 @@ private void ReadPunctuatorToken(byte code)
 
     /// <summary>
     /// Reads int tokens as specified in
-    /// http://facebook.github.io/graphql/October2016/#IntValue
+    /// http://facebook.github.io/graphql/October2021/#IntValue
     /// or a float tokens as specified in
-    /// http://facebook.github.io/graphql/October2016/#FloatValue
+    /// http://facebook.github.io/graphql/October2021/#FloatValue
     /// from the current lexer state.
     /// </summary>
     [MethodImpl(MethodImplOptions.AggressiveInlining)]
@@ -378,7 +378,8 @@ private void ReadNumberToken(byte firstCode)
             code = ReadDigits(code);
         }
 
-        if ((code | 0x20) is GraphQLConstants.E)
+        const byte lowerCaseBit = 0x20;
+        if ((code | lowerCaseBit) is GraphQLConstants.E)
         {
             isFloat = true;
             _floatFormat = Language.FloatFormat.Exponential;
@@ -388,7 +389,18 @@ private void ReadNumberToken(byte firstCode)
             {
                 code = _graphQLData[++_position];
             }
-            ReadDigits(code);
+            code = ReadDigits(code);
+        }
+
+        // Lookahead for NameStart.
+        // https://github.com/graphql/graphql-spec/pull/601
+        // NOTE:
+        // Not checking for Digit because there is no situation
+        // where that hasn't been consumed at this point.
+        if (code.IsLetterOrUnderscore() ||
+            code == GraphQLConstants.Dot)
+        {
+            throw new SyntaxException(this, DisallowedNameCharacterAfterNumber, (char)code, code);
         }
 
         _kind = isFloat
diff --git a/src/HotChocolate/Language/test/Language.Tests/Parser/ValueParserTests.cs b/src/HotChocolate/Language/test/Language.Tests/Parser/ValueParserTests.cs
@@ -48,4 +48,25 @@ public void ZeroZeroIsNotAllowed()
 
     private static IValueNode ParseValue(string value)
         => Utf8GraphQLParser.Syntax.ParseValueLiteral(value, true);
+
+    // https://github.com/graphql/graphql-spec/pull/601#issuecomment-518954455
+    // Int
+    [InlineData("0xF1")]
+    [InlineData("0b10")]
+    [InlineData("123abc")]
+    [InlineData("1_234")]
+    // Float
+    [InlineData("1.23f")]
+    [InlineData("1.234_5")]
+    [InlineData("1.2e3.")]
+    [Theory]
+    public void NameStartFollowingNumberIsNotAllowed(string input)
+    {
+        // arrange
+        // act
+        void Action() => ParseValue(input);
+
+        // assert
+        Assert.Throws<SyntaxException>(Action);
+    }
 }
diff --git a/src/HotChocolate/Language/test/Language.Tests/Parser/__snapshots__/KitchenSinkParserTests.ParseFacebookKitchenSinkQueryNullability.snap b/src/HotChocolate/Language/test/Language.Tests/Parser/__snapshots__/KitchenSinkParserTests.ParseFacebookKitchenSinkQueryNullability.snap
@@ -65,7 +65,7 @@ mutation likeStory @onMutation {
   }
 }
 
-subscription StoryLikeSubscription($input: StoryLikeSubscribeInput) @onSubscription {
+subscription StoryLikeSubscription($input: StoryLikeSubscribeInput @onVariableDefinition) @onSubscription {
   storyLikeSubscribe(input: $input) {
     story {
       likers {

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@`
`26`	`26`	`{`
`27`	`27`	`"Name": "Error",`
`28`	`28`	`"Tags": {`
`29`		- "graphql.error.message": "Expected a `Name`-token, but found a `Integer`-token.",
	`29`	+ "graphql.error.message": "Found a NameStart character `n` (110) following a number, which is disallowed.",
`30`	`30`	`"graphql.error.code": "HC0011",`
`31`	`31`	`"graphql.error.location.column": 37,`
`32`	`32`	`"graphql.error.location.line": 10`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@`
`28`	`28`	`"Tags": [`
`29`	`29`	`{`
`30`	`30`	`"Key": "graphql.error.message",`
`31`		- "Value": "Expected a `Name`-token, but found a `Integer`-token."
	`31`	+ "Value": "Found a NameStart character `n` (110) following a number, which is disallowed."
`32`	`32`	`},`
`33`	`33`	`{`
`34`	`34`	`"Key": "graphql.error.code",`
Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ mutation likeStory @onMutation {`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`
`68`		`-subscription StoryLikeSubscription($input: StoryLikeSubscribeInput) @onSubscription {`
	`68`	`+subscription StoryLikeSubscription($input: StoryLikeSubscribeInput @onVariableDefinition) @onSubscription {`
`69`	`69`	`storyLikeSubscribe(input: $input) {`
`70`	`70`	`story {`
`71`	`71`	`likers {`