fix: CusrorPaginator null encoding bug

joseph-sentry · joseph-sentry · commit 7545d88dda47 · 2025-02-18T11:10:58.000-05:00
the CursorPaginator encodes `None` values as the string "None", and on
decoding it interprets that as just another string which is causing
bugs when running the SQL, because we'll be comparing random types
against a string instead of against null

this fixes that by assigning a specific value (\x1f) that is unlikely
to be in any user provided string that we would want to filter by
diff --git a/graphql_api/helpers/connection.py b/graphql_api/helpers/connection.py
@@ -2,8 +2,9 @@
 from dataclasses import dataclass
 from functools import cached_property
 from typing import Any, Dict, List, Optional
+from base64 import b64decode
 
-from cursor_pagination import CursorPage, CursorPaginator
+from cursor_pagination import CursorPage, CursorPaginator, InvalidCursor
 from django.db.models import QuerySet
 
 from codecov.commands.exceptions import ValidationError
@@ -205,6 +206,14 @@ class DictCursorPaginator(CursorPaginator):
     if the dict access fails then it throws an exception, although it would be a different
     """
 
+    def decode_cursor(self, cursor):
+        try:
+            orderings = b64decode(cursor.encode("ascii")).decode("utf8")
+            orderings = orderings.split(self.delimiter)
+            return [None if ordering == "\x1f" else ordering for ordering in orderings]
+        except (TypeError, ValueError):
+            raise InvalidCursor(self.invalid_cursor_message)
+
     def position_from_instance(self, instance):
         position = []
         for order in self.ordering:
@@ -219,7 +228,7 @@ def position_from_instance(self, instance):
                     except (KeyError, TypeError):
                         raise attr_err from None
                 parts.pop(0)
-            position.append(str(attr))
+            position.append("\x1f" if attr is None else str(attr))
         return position
 
 
diff --git a/graphql_api/helpers/tests/test_connection.py b/graphql_api/helpers/tests/test_connection.py
@@ -155,3 +155,21 @@ def test_invalid_cursors(self):
 
         with self.assertRaises(ValidationError):
             queryset_to_connection_sync(data, first=3, after="invalid")
+
+    def test_dict_cursor_paginator_null_encoding(self):
+        from graphql_api.helpers.connection import DictCursorPaginator, field_order
+
+        repo_1 = RepositoryFactory(name="a", active=None)
+        repo_2 = RepositoryFactory(name="b", active=True)
+        repo_3 = RepositoryFactory(name="c", active=False)
+        r = Repository.objects.all()
+
+        ordering = tuple(
+            field_order(field, OrderingDirection.ASC) for field in ("active",)
+        )
+
+        paginator = DictCursorPaginator(r, ordering=ordering)
+
+        assert paginator.position_from_instance(repo_1) == ["\x1f"]
+        assert paginator.position_from_instance(repo_2) == ["True"]
+        assert paginator.position_from_instance(repo_3) == ["False"]
