fix: validate operation body (#5537)

Author: n1ru4l

integration-tests/tests/usage-reporting/usage-reporting-format-2.spec.ts

@@ -0,0 +1,115 @@
+import { initSeed } from 'testkit/seed';
+import { TargetAccessScope } from '../../testkit/gql/graphql';
+import { getServiceHost } from '../../testkit/utils';
+
+test('valid operation is accepted', async () => {
+  const { createOrg } = await initSeed().createOwner();
+  const { createProject } = await createOrg();
+  const { createToken } = await createProject();
+  const { secret: accessToken } = await createToken({
+    targetScopes: [TargetAccessScope.RegistryWrite, TargetAccessScope.RegistryRead],
+  });
+
+  const usageAddress = await getServiceHost('usage', 8081);
+
+  const response = await fetch(`http://${usageAddress}`, {
+    method: 'POST',
+    headers: {
+      'X-Usage-API-Version': '2',
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${accessToken}`,
+    },
+    body: JSON.stringify({
+      size: 3,
+      map: {
+        c3b6d9b0: {
+          operationName: 'me',
+          operation: 'query me { me { id name } }',
+          fields: ['Query', 'Query.me', 'User', 'User.id', 'User.name'],
+        },
+      },
+      operations: [
+        {
+          operationMapKey: 'c3b6d9b0',
+          timestamp: 1663158676535,
+          execution: {
+            ok: true,
+            duration: 150000000,
+            errorsTotal: 0,
+          },
+          metadata: {
+            client: {
+              name: 'demo',
+              version: '0.0.1',
+            },
+          },
+        },
+      ],
+    }),
+  });
+  expect(response.status).toBe(200);
+  expect(await response.json()).toMatchObject({
+    id: expect.any(String),
+    operations: {
+      accepted: 1,
+      rejected: 0,
+    },
+  });
+});
+
+test('invalid operation is rejected', async () => {
+  const { createOrg } = await initSeed().createOwner();
+  const { createProject } = await createOrg();
+  const { createToken } = await createProject();
+  const { secret: accessToken } = await createToken({
+    targetScopes: [TargetAccessScope.RegistryWrite, TargetAccessScope.RegistryRead],
+  });
+
+  const usageAddress = await getServiceHost('usage', 8081);
+  // GraphQL operation is invalid at Query.me(id:)
+  const faultyOperation = 'query me { me(id: ) { id name } }';
+
+  const response = await fetch(`http://${usageAddress}`, {
+    method: 'POST',
+    headers: {
+      'X-Usage-API-Version': '2',
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${accessToken}`,
+    },
+    body: JSON.stringify({
+      size: 3,
+      map: {
+        c3b6d9b0: {
+          operationName: 'me',
+          operation: faultyOperation,
+          fields: ['Query', 'Query.me', 'User', 'User.id', 'User.name'],
+        },
+      },
+      operations: [
+        {
+          operationMapKey: 'c3b6d9b0',
+          timestamp: 1663158676535,
+          execution: {
+            ok: true,
+            duration: 150000000,
+            errorsTotal: 0,
+          },
+          metadata: {
+            client: {
+              name: 'demo',
+              version: '0.0.1',
+            },
+          },
+        },
+      ],
+    }),
+  });
+  expect(response.status).toBe(200);
+  expect(await response.json()).toMatchObject({
+    id: expect.any(String),
+    operations: {
+      accepted: 0,
+      rejected: 1,
+    },
+  });
+});

packages/services/usage/src/usage-processor-1.ts

@@ -269,21 +269,21 @@ export function validateOperationMapRecord(record: OperationMapRecord) {
   };
 }
 
-function isValidOperationBody(op: OperationMapRecord) {
-  const cached = validOperationBodyCache.get(op.operation);
+export function isValidOperationBody(operation: string) {
+  const cached = validOperationBodyCache.get(operation);
 
   if (typeof cached === 'boolean') {
     return cached;
   }
 
   try {
-    parse(op.operation, {
+    parse(operation, {
       noLocation: true,
     });
-    validOperationBodyCache.set(op.operation, true);
+    validOperationBodyCache.set(operation, true);
     return true;
   } catch (error) {
-    validOperationBodyCache.set(op.operation, false);
+    validOperationBodyCache.set(operation, false);
     return false;
   }
 }
@@ -304,7 +304,7 @@ export function validateOperation(operation: IncomingOperation, operationMap: Op
   }
 
   if (validate(operation)) {
-    if (!isValidOperationBody(operationMap[operation.operationMapKey])) {
+    if (!isValidOperationBody(operationMap[operation.operationMapKey].operation)) {
       return {
         valid: false,
         errors: [

packages/services/usage/src/usage-processor-2.ts

@@ -10,6 +10,7 @@ import * as tb from '@sinclair/typebox';
 import * as tc from '@sinclair/typebox/compiler';
 import { invalidRawOperations, rawOperationsSize, totalOperations, totalReports } from './metrics';
 import { TokensResponse } from './tokens';
+import { isValidOperationBody } from './usage-processor-1';
 
 export function usageProcessorV2(
   logger: Logger,
@@ -74,15 +75,35 @@ export function usageProcessorV2(
 
   const newKeyMappings = new Map<OperationMapRecord, string>();
 
-  function getOperationMapRecord(operationMapKey: string): string | null {
+  function getOperationMapRecordKey(operationMapKey: string): string | null {
     const operationMapRecord = incoming.map[operationMapKey] as OperationMapRecord | undefined;
 
     if (!operationMapRecord) {
+      logger.warn(
+        `Detected invalid operation. Operation map key could not be found. (target=%s): %s`,
+        token.target,
+        operationMapKey,
+      );
+      invalidRawOperations
+        .labels({
+          reason: 'operation_map_key_not_found',
+        })
+        .inc(1);
       return null;
     }
 
     let newOperationMapKey = newKeyMappings.get(operationMapRecord);
 
+    if (!isValidOperationBody(operationMapRecord.operation)) {
+      logger.warn(`Detected invalid operation (target=%s): %s`, operationMapKey);
+      invalidRawOperations
+        .labels({
+          reason: 'invalid_operation_body',
+        })
+        .inc(1);
+      return null;
+    }
+
     if (newOperationMapKey === undefined) {
       const sortedFields = operationMapRecord.fields.sort();
       newOperationMapKey = createHash('md5')
@@ -106,20 +127,10 @@ export function usageProcessorV2(
   }
 
   for (const operation of incomingOperations) {
-    const operationMapKey = getOperationMapRecord(operation.operationMapKey);
+    const operationMapKey = getOperationMapRecordKey(operation.operationMapKey);
 
     // if the record does not exist -> skip the operation
     if (operationMapKey === null) {
-      logger.warn(
-        `Detected invalid operation. Operation map key could not be found. (target=%s): %s`,
-        token.target,
-        operation.operationMapKey,
-      );
-      invalidRawOperations
-        .labels({
-          reason: 'operation_map_key_not_found',
-        })
-        .inc(1);
       continue;
     }
 
@@ -154,20 +165,10 @@ export function usageProcessorV2(
   }
 
   for (const operation of incomingSubscriptionOperations) {
-    const operationMapKey = getOperationMapRecord(operation.operationMapKey);
+    const operationMapKey = getOperationMapRecordKey(operation.operationMapKey);
 
     // if the record does not exist -> skip the operation
     if (operationMapKey === null) {
-      logger.warn(
-        `Detected invalid operation. Operation map key could not be found. (target=%s): %s`,
-        token.target,
-        operation.operationMapKey,
-      );
-      invalidRawOperations
-        .labels({
-          reason: 'operation_map_key_not_found',
-        })
-        .inc(1);
       continue;
     }