Fix invalid extensions parameters were not handled (#3943)

* Fix handling of invalid extensions parameters

* Add release file

Author: DoctorJohn

RELEASE.md

@@ -0,0 +1,6 @@
+Release type: patch
+
+In this release, we updated Strawberry to gracefully handle requests containing
+an invalid `extensions` parameter. Previously, such requests could result in
+internal server errors. Now, Strawberry will return a 400 Bad Request response
+with a clear error message, conforming to the GraphQL over HTTP specification.

strawberry/http/async_base_view.py

@@ -541,11 +541,18 @@ async def parse_http_body(
                 "The GraphQL operation's `variables` must be an object or null, if provided.",
             )
 
+        extensions = data.get("extensions")
+        if not isinstance(extensions, (dict, type(None))):
+            raise HTTPException(
+                400,
+                "The GraphQL operation's `extensions` must be an object or null, if provided.",
+            )
+
         return GraphQLRequestData(
             query=query,
             variables=variables,
             operation_name=data.get("operationName"),
-            extensions=data.get("extensions"),
+            extensions=extensions,
             protocol=protocol,
         )
 

strawberry/http/sync_base_view.py

@@ -166,11 +166,18 @@ def parse_http_body(self, request: SyncHTTPRequestAdapter) -> GraphQLRequestData
                 "The GraphQL operation's `variables` must be an object or null, if provided.",
             )
 
+        extensions = data.get("extensions")
+        if not isinstance(extensions, (dict, type(None))):
+            raise HTTPException(
+                400,
+                "The GraphQL operation's `extensions` must be an object or null, if provided.",
+            )
+
         return GraphQLRequestData(
             query=query,
             variables=variables,
             operation_name=data.get("operationName"),
-            extensions=data.get("extensions"),
+            extensions=extensions,
         )
 
     def _handle_errors(

tests/http/clients/base.py

@@ -209,7 +209,7 @@ def _build_body(
         if variables is not None:
             body["variables"] = variables
 
-        if extensions:
+        if extensions is not None:
             body["extensions"] = extensions
 
         if files:

tests/http/test_graphql_over_http_spec.py

@@ -455,9 +455,6 @@ async def test_6a70(http_client):
     assert "errors" not in response.json
 
 
-@pytest.mark.xfail(
-    reason="OPTIONAL - Currently not supported by Strawberry", raises=AssertionError
-)
 @pytest.mark.parametrize(
     "invalid",
     ["string", 0, False, ["array"]],

tests/http/test_query.py

@@ -295,6 +295,33 @@ async def test_query_extensions(
     assert data["valueFromExtensions"] == "hello"
 
 
+@pytest.mark.parametrize(
+    "not_an_object_or_null",
+    ["string", 0, False, ["array"]],
+)
+async def test_requests_with_invalid_extension_parameter_are_rejected(
+    http_client: HttpClient, not_an_object_or_null
+):
+    response = await http_client.query(
+        query="{ __typename }",
+        extensions=not_an_object_or_null,
+    )
+
+    assert response.status_code == 400
+    message = (
+        "The GraphQL operation's `extensions` must be an object or null, if provided."
+    )
+
+    if isinstance(http_client, ChaliceHttpClient):
+        # Our Chalice integration purposely wraps error messages with a JSON object
+        assert response.json == {
+            "Code": "BadRequestError",
+            "Message": message,
+        }
+    else:
+        assert response.data == message.encode()
+
+
 @pytest.mark.parametrize("method", ["get", "post"])
 async def test_returning_status_code(
     method: Literal["get", "post"], http_client: HttpClient