Commit 46495a3
authored
Fix GraphQL authorAssociation injection into User-type nodes; log 503 on missing policy (#3413)
The DIFC proxy's GraphQL rewriter blindly injected `authorAssociation`
into **all** `nodes {}` blocks via `ReplaceAllString`. Queries with
`assignees`, `participants`, `labels`, etc. failed with `Field
'authorAssociation' doesn't exist on type 'User'`. Separately, 503
responses from missing `--policy` were not logged, making debugging
costly.
### GraphQL injection fix
- Added safe-parent allowlists per field group — only inject into `nodes
{}` blocks whose parent connection returns types that actually have the
field:
- Issue/PR fields (`author{login}`, `authorAssociation`):
`pullRequests`, `issues`, `comments`, `reviews`, `search`
- Commit fields (`author{user{login}}`): `history`
- Added `findParentField()` — walks backward from each `nodes {` match
to extract the enclosing connection field name, handling args and nested
braces
- `fieldsForTool()` now returns `([]guardFieldSet, map[string]bool)` to
thread safe parents through to injection
Before (breaks on `assignees.nodes → User`):
```graphql
assignees(first:100) { nodes {authorAssociation, login } }
```
After (skips unsafe parents):
```graphql
assignees(first:100) { nodes { login } }
comments(first:10) { nodes {author{login},authorAssociation, body } }
```
### 503 logging fix
- Replaced `log.Printf` with `logHandler.Printf` + `logger.LogError` so
missing-policy 503s appear in both debug output and `proxy.log`
- Removed unused `log` import
> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build2109691296/b514/launcher.test
/tmp/go-build2109691296/b514/launcher.test
-test.testlogfile=/tmp/go-build2109691296/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -I
olang.org/grpc@v1.80.0/internal/go1.25.8 .cfg x_amd64/vet --gdwarf-5
--64 -o x_amd64/vet -I 2335907/b437/_pkg_.a dU_c/JEVDElkKgVJXLgEedU_c
x_amd64/vet --gdwarf-5 g/grpc/encoding/-atomic -o x_amd64/vet` (dns
block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2109691296/b496/config.test
/tmp/go-build2109691296/b496/config.test
-test.testlogfile=/tmp/go-build2109691296/b496/testlog.txt
-test.paniconexit0 -test.timeout=10m0s ortc�� H/bin/golangci-lint run
--timeout=5m || echo "��� Warning: golangci-lint failed
(compatibility issue with Go 1.25.0). Continuing with other
checks..."; \
elif command -v golan 1.80.0/balancer_wrapper.go
64/pkg/tool/linux_amd64/vet . -imultiarch
x86_64-linux-gnu/tmp/go-build547184664/b347/vet.cfg
64/pkg/tool/linux_amd64/vet 2335�� olang.org/grpc@v1.80.0/internal/-I
olang.org/grpc@v1.80.0/internal//tmp/go-build3905974454/b444/
x_amd64/vet . --gdwarf2 --64 x_amd64/vet` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build2109691296/b514/launcher.test
/tmp/go-build2109691296/b514/launcher.test
-test.testlogfile=/tmp/go-build2109691296/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -I
olang.org/grpc@v1.80.0/internal/go1.25.8 .cfg x_amd64/vet --gdwarf-5
--64 -o x_amd64/vet -I 2335907/b437/_pkg_.a dU_c/JEVDElkKgVJXLgEedU_c
x_amd64/vet --gdwarf-5 g/grpc/encoding/-atomic -o x_amd64/vet` (dns
block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build2109691296/b514/launcher.test
/tmp/go-build2109691296/b514/launcher.test
-test.testlogfile=/tmp/go-build2109691296/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -I
olang.org/grpc@v1.80.0/internal/go1.25.8 .cfg x_amd64/vet --gdwarf-5
--64 -o x_amd64/vet -I 2335907/b437/_pkg_.a dU_c/JEVDElkKgVJXLgEedU_c
x_amd64/vet --gdwarf-5 g/grpc/encoding/-atomic -o x_amd64/vet` (dns
block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2109691296/b523/mcp.test
/tmp/go-build2109691296/b523/mcp.test
-test.testlogfile=/tmp/go-build2109691296/b523/testlog.txt
-test.paniconexit0 -test.timeout=10m0s` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>File tree
3 files changed
+254
-16
lines changed- internal/proxy
3 files changed
+254
-16
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
32 | 32 | | |
33 | 33 | | |
34 | 34 | | |
35 | | - | |
36 | | - | |
37 | | - | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
38 | 57 | | |
39 | 58 | | |
40 | 59 | | |
41 | | - | |
| 60 | + | |
42 | 61 | | |
43 | | - | |
| 62 | + | |
44 | 63 | | |
45 | | - | |
| 64 | + | |
46 | 65 | | |
47 | 66 | | |
48 | 67 | | |
| |||
73 | 92 | | |
74 | 93 | | |
75 | 94 | | |
76 | | - | |
| 95 | + | |
77 | 96 | | |
78 | 97 | | |
79 | 98 | | |
| |||
90 | 109 | | |
91 | 110 | | |
92 | 111 | | |
93 | | - | |
| 112 | + | |
94 | 113 | | |
95 | 114 | | |
96 | 115 | | |
| |||
108 | 127 | | |
109 | 128 | | |
110 | 129 | | |
111 | | - | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
112 | 134 | | |
113 | 135 | | |
114 | 136 | | |
| |||
134 | 156 | | |
135 | 157 | | |
136 | 158 | | |
137 | | - | |
138 | | - | |
139 | | - | |
140 | | - | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
| 169 | + | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
| 174 | + | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
141 | 184 | | |
142 | 185 | | |
143 | 186 | | |
144 | 187 | | |
145 | 188 | | |
146 | 189 | | |
| 190 | + | |
| 191 | + | |
| 192 | + | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
| 210 | + | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
| 216 | + | |
| 217 | + | |
| 218 | + | |
| 219 | + | |
| 220 | + | |
| 221 | + | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
| 239 | + | |
| 240 | + | |
| 241 | + | |
| 242 | + | |
| 243 | + | |
| 244 | + | |
| 245 | + | |
| 246 | + | |
| 247 | + | |
| 248 | + | |
| 249 | + | |
| 250 | + | |
| 251 | + | |
| 252 | + | |
| 253 | + | |
147 | 254 | | |
148 | 255 | | |
149 | 256 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| 5 | + | |
5 | 6 | | |
6 | 7 | | |
7 | 8 | | |
| |||
247 | 248 | | |
248 | 249 | | |
249 | 250 | | |
| 251 | + | |
| 252 | + | |
| 253 | + | |
| 254 | + | |
| 255 | + | |
| 256 | + | |
| 257 | + | |
| 258 | + | |
| 259 | + | |
| 260 | + | |
| 261 | + | |
| 262 | + | |
| 263 | + | |
| 264 | + | |
| 265 | + | |
| 266 | + | |
| 267 | + | |
| 268 | + | |
| 269 | + | |
| 270 | + | |
| 271 | + | |
| 272 | + | |
| 273 | + | |
| 274 | + | |
| 275 | + | |
| 276 | + | |
| 277 | + | |
| 278 | + | |
| 279 | + | |
| 280 | + | |
| 281 | + | |
| 282 | + | |
| 283 | + | |
| 284 | + | |
| 285 | + | |
| 286 | + | |
| 287 | + | |
| 288 | + | |
| 289 | + | |
| 290 | + | |
| 291 | + | |
| 292 | + | |
| 293 | + | |
| 294 | + | |
| 295 | + | |
| 296 | + | |
| 297 | + | |
| 298 | + | |
| 299 | + | |
| 300 | + | |
| 301 | + | |
| 302 | + | |
| 303 | + | |
| 304 | + | |
| 305 | + | |
| 306 | + | |
| 307 | + | |
| 308 | + | |
| 309 | + | |
| 310 | + | |
| 311 | + | |
| 312 | + | |
| 313 | + | |
| 314 | + | |
| 315 | + | |
| 316 | + | |
| 317 | + | |
| 318 | + | |
| 319 | + | |
| 320 | + | |
| 321 | + | |
| 322 | + | |
| 323 | + | |
| 324 | + | |
| 325 | + | |
| 326 | + | |
| 327 | + | |
| 328 | + | |
| 329 | + | |
| 330 | + | |
| 331 | + | |
| 332 | + | |
| 333 | + | |
| 334 | + | |
| 335 | + | |
| 336 | + | |
| 337 | + | |
| 338 | + | |
| 339 | + | |
| 340 | + | |
| 341 | + | |
| 342 | + | |
| 343 | + | |
| 344 | + | |
| 345 | + | |
| 346 | + | |
| 347 | + | |
| 348 | + | |
| 349 | + | |
| 350 | + | |
| 351 | + | |
| 352 | + | |
| 353 | + | |
| 354 | + | |
| 355 | + | |
| 356 | + | |
| 357 | + | |
| 358 | + | |
| 359 | + | |
| 360 | + | |
| 361 | + | |
| 362 | + | |
| 363 | + | |
| 364 | + | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
| 368 | + | |
| 369 | + | |
| 370 | + | |
| 371 | + | |
| 372 | + | |
| 373 | + | |
| 374 | + | |
| 375 | + | |
| 376 | + | |
| 377 | + | |
250 | 378 | | |
251 | 379 | | |
252 | 380 | | |
| |||
284 | 412 | | |
285 | 413 | | |
286 | 414 | | |
287 | | - | |
| 415 | + | |
288 | 416 | | |
289 | 417 | | |
| 418 | + | |
290 | 419 | | |
291 | 420 | | |
| 421 | + | |
292 | 422 | | |
293 | 423 | | |
294 | 424 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
9 | | - | |
10 | 9 | | |
11 | 10 | | |
12 | 11 | | |
| |||
141 | 140 | | |
142 | 141 | | |
143 | 142 | | |
144 | | - | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
145 | 146 | | |
146 | 147 | | |
147 | 148 | | |
| |||
0 commit comments