Fixed invalid base64 ID parsing (#8101)

faddiv · michaelstaib · commit bd9027ad4024 · 2025-03-11T21:02:18.000+01:00
diff --git a/src/HotChocolate/Core/src/Types/Types/Relay/Serialization/DefaultNodeIdSerializer.cs b/src/HotChocolate/Core/src/Types/Types/Relay/Serialization/DefaultNodeIdSerializer.cs
@@ -204,7 +204,12 @@ public NodeId Parse(string formattedId, INodeIdRuntimeTypeLookup runtimeTypeLook
             }
         }
 
-        Base64.DecodeFromUtf8InPlace(span, out var written);
+        var operationStatus = Base64.DecodeFromUtf8InPlace(span, out var written);
+        if (operationStatus != OperationStatus.Done)
+        {
+            throw new NodeIdInvalidFormatException(formattedId);
+        }
+
         span = span.Slice(0, written);
 
         var delimiterIndex = FindDelimiterIndex(span);
@@ -275,7 +280,12 @@ public NodeId Parse(string formattedId, Type runtimeType)
             }
         }
 
-        Base64.DecodeFromUtf8InPlace(span, out var written);
+        var operationStatus = Base64.DecodeFromUtf8InPlace(span, out var written);
+        if (operationStatus != OperationStatus.Done)
+        {
+            throw new NodeIdInvalidFormatException(formattedId);
+        }
+
         span = span.Slice(0, written);
 
         var delimiterIndex = FindDelimiterIndex(span);
diff --git a/src/HotChocolate/Core/src/Types/Types/Relay/Serialization/OptimizedNodeIdSerializer.cs b/src/HotChocolate/Core/src/Types/Types/Relay/Serialization/OptimizedNodeIdSerializer.cs
@@ -106,7 +106,12 @@ public unsafe NodeId Parse(string formattedId, INodeIdRuntimeTypeLookup runtimeT
             }
         }
 
-        Base64.DecodeFromUtf8InPlace(span, out var written);
+        var operationStatus = Base64.DecodeFromUtf8InPlace(span, out var written);
+        if (operationStatus != OperationStatus.Done)
+        {
+            throw new NodeIdInvalidFormatException(formattedId);
+        }
+
         span = span.Slice(0, written);
 
         var delimiterIndex = FindDelimiterIndex(span);
@@ -176,7 +181,12 @@ public unsafe NodeId Parse(string formattedId, Type runtimeType)
             }
         }
 
-        Base64.DecodeFromUtf8InPlace(span, out var written);
+        var operationStatus = Base64.DecodeFromUtf8InPlace(span, out var written);
+        if (operationStatus != OperationStatus.Done)
+        {
+            throw new NodeIdInvalidFormatException(formattedId);
+        }
+
         span = span.Slice(0, written);
 
         var delimiterIndex = FindDelimiterIndex(span);
diff --git a/src/HotChocolate/Core/test/Types.Tests/Types/Relay/DefaultNodeIdSerializerTests.cs b/src/HotChocolate/Core/test/Types.Tests/Types/Relay/DefaultNodeIdSerializerTests.cs
@@ -518,6 +518,26 @@ public void Parse_Legacy_StronglyTypedId()
         Assert.Equal(stronglyTypedId, parsed.InternalId);
     }
 
+    [Fact]
+    public void Parse_Throws_NodeIdInvalidFormatException_On_InvalidBase64Input()
+    {
+        var serializer = CreateSerializer(new StringNodeIdValueSerializer());
+
+        Assert.Throws<NodeIdInvalidFormatException>(
+            () => serializer.Parse("Rm9vOkJhcg", typeof(string)));
+    }
+
+    [Fact]
+    public void ParseOnRuntimeLookup_Throws_NodeIdInvalidFormatException_On_InvalidBase64Input()
+    {
+        var lookup = new Mock<INodeIdRuntimeTypeLookup>();
+        lookup.Setup(t => t.GetNodeIdRuntimeType(default)).Returns(default(Type));
+        var serializer = CreateSerializer(new StringNodeIdValueSerializer());
+
+        Assert.Throws<NodeIdInvalidFormatException>(
+            () => serializer.Parse("Rm9vOkJhcg", lookup.Object));
+    }
+
     [Fact]
     public void Ensure_Lookup_Works_With_HashCollision()
     {
diff --git a/src/HotChocolate/Core/test/Types.Tests/Types/Relay/OptimizedNodeIdSerializerTests.cs b/src/HotChocolate/Core/test/Types.Tests/Types/Relay/OptimizedNodeIdSerializerTests.cs
@@ -440,6 +440,27 @@ public void Parse_CompositeId()
         Assert.Equal(compositeId, parsed.InternalId);
     }
 
+    [Fact]
+    public void Parse_Throws_NodeIdInvalidFormatException_On_InvalidBase64Input()
+    {
+        var serializer = CreateSerializer("Foo", new StringNodeIdValueSerializer());
+
+        Assert.Throws<NodeIdInvalidFormatException>(
+            () => serializer.Parse("Rm9vOkJhcg", typeof(string)));
+    }
+
+    [Fact]
+    public void ParseOnRuntimeLookup_Throws_NodeIdInvalidFormatException_On_InvalidBase64Input()
+    {
+        var lookup = new Mock<INodeIdRuntimeTypeLookup>();
+        lookup.Setup(t => t.GetNodeIdRuntimeType(default)).Returns(default(Type));
+
+        var serializer = CreateSerializer("Foo", new StringNodeIdValueSerializer());
+
+        Assert.Throws<NodeIdInvalidFormatException>(
+            () => serializer.Parse("Rm9vOkJhcg", lookup.Object));
+    }
+
     [Fact]
     public void Ensure_Lookup_Works_With_HashCollision()
     {

Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,12 @@ public NodeId Parse(string formattedId, INodeIdRuntimeTypeLookup runtimeTypeLook`
`204`	`204`	`}`
`205`	`205`	`}`
`206`	`206`
`207`		`- Base64.DecodeFromUtf8InPlace(span, out var written);`
	`207`	`+ var operationStatus = Base64.DecodeFromUtf8InPlace(span, out var written);`
	`208`	`+ if (operationStatus != OperationStatus.Done)`
	`209`	`+ {`
	`210`	`+ throw new NodeIdInvalidFormatException(formattedId);`
	`211`	`+ }`
	`212`	`+`
`208`	`213`	`span = span.Slice(0, written);`
`209`	`214`
`210`	`215`	`var delimiterIndex = FindDelimiterIndex(span);`
`@@ -275,7 +280,12 @@ public NodeId Parse(string formattedId, Type runtimeType)`
`275`	`280`	`}`
`276`	`281`	`}`
`277`	`282`
`278`		`- Base64.DecodeFromUtf8InPlace(span, out var written);`
	`283`	`+ var operationStatus = Base64.DecodeFromUtf8InPlace(span, out var written);`
	`284`	`+ if (operationStatus != OperationStatus.Done)`
	`285`	`+ {`
	`286`	`+ throw new NodeIdInvalidFormatException(formattedId);`
	`287`	`+ }`
	`288`	`+`
`279`	`289`	`span = span.Slice(0, written);`
`280`	`290`
`281`	`291`	`var delimiterIndex = FindDelimiterIndex(span);`
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,12 @@ public unsafe NodeId Parse(string formattedId, INodeIdRuntimeTypeLookup runtimeT`
`106`	`106`	`}`
`107`	`107`	`}`
`108`	`108`
`109`		`- Base64.DecodeFromUtf8InPlace(span, out var written);`
	`109`	`+ var operationStatus = Base64.DecodeFromUtf8InPlace(span, out var written);`
	`110`	`+ if (operationStatus != OperationStatus.Done)`
	`111`	`+ {`
	`112`	`+ throw new NodeIdInvalidFormatException(formattedId);`
	`113`	`+ }`
	`114`	`+`
`110`	`115`	`span = span.Slice(0, written);`
`111`	`116`
`112`	`117`	`var delimiterIndex = FindDelimiterIndex(span);`
`@@ -176,7 +181,12 @@ public unsafe NodeId Parse(string formattedId, Type runtimeType)`
`176`	`181`	`}`
`177`	`182`	`}`
`178`	`183`
`179`		`- Base64.DecodeFromUtf8InPlace(span, out var written);`
	`184`	`+ var operationStatus = Base64.DecodeFromUtf8InPlace(span, out var written);`
	`185`	`+ if (operationStatus != OperationStatus.Done)`
	`186`	`+ {`
	`187`	`+ throw new NodeIdInvalidFormatException(formattedId);`
	`188`	`+ }`
	`189`	`+`
`180`	`190`	`span = span.Slice(0, written);`
`181`	`191`
`182`	`192`	`var delimiterIndex = FindDelimiterIndex(span);`