ci(fuzz tests): graphql fuzz testing

.gitguardian.yml

@@ -29,5 +29,7 @@ secret:
       name: setup/keycloak/speckle-realm.json - secret for dev keycloak
     - match: 2e1b3675a4049cd39fe6db081735f747730969071528270800f00fa98720d198
       name: setup/keycloak/speckle-realm.json - algorithm name
+    - match: 164797a0ebc32f504e2dbaf48bec77969456bc301829039b34dc6787a1f5b0f3
+      name: setup/fuzzer/token.txt - fuzz test token
 
 version: 2

.github/workflows/graphql-api-fuzzer.yml

@@ -0,0 +1,146 @@
+name: GraphQL API Fuzz Test
+
+on:
+  workflow_dispatch:
+  # schedule:
+  #   - cron: "15 4 3 * *" # Run at 4:15am on the 3rd of every month
+  pull_request:
+    paths:
+      - '.github/workflows/graphql-api-fuzzer.yml'
+      - 'setup/fuzzer-graphql/**/*'
+      - 'setup/fuzzer/docker-compose-speckle.yml'
+      - 'setup/fuzzer/speckle.backup.sql'
+
+env:
+  PYTHON_VERSION: '3.12'
+  GRAPHQLER_VERSION: '2.3.6'
+
+jobs:
+  graphql-fuzzer:
+    name: Fuzz test speckle-server Graphql API
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout speckle-server
+        with:
+          path: 'speckle-server'
+
+      - uses: actions/checkout@v4
+        name: Checkout Graphqler Fuzzer
+        with:
+          repository: omar2535/GraphQLer
+          ref: V${{ env.GRAPHQLER_VERSION }}
+          path: 'graphqler-fuzzer' # The path to clone the repository within the {{ github.workspace }} directory
+
+      - name: Install poetry
+        run: pipx install poetry
+
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'poetry'
+          cache-dependency-path: ${{ github.workspace }}/graphqler-fuzzer/poetry.lock
+
+      - name: Install dependencies with Poetry
+        working-directory: ${{ github.workspace }}/graphqler-fuzzer
+        run: |
+          poetry install
+
+      - name: Deploy dependencies (docker compose)
+        run: |
+          docker compose --file ${{ github.workspace }}/speckle-server/docker-compose-deps.yml up --detach
+
+      - name: Seed the database
+        run: |
+          sudo apt-get update
+          sudo apt-get install --yes --no-install-recommends postgresql-client
+          PGPASSWORD=speckle psql -h 127.0.0.1 -U speckle -d speckle -p 5432 -w < ${{ github.workspace }}/speckle-server/setup/fuzzer/speckle.backup.sql
+
+      - name: Deploy speckle-server (docker compose)
+        working-directory: ${{ github.workspace }}
+        timeout-minutes: 1
+        run: |
+          docker compose --file ${{ github.workspace }}/speckle-server/setup/fuzzer/docker-compose-speckle.yml up --detach
+          until curl --output /dev/null --silent --head --fail http://127.0.0.1:3000/readiness; do
+            echo "Waiting a further 3 seconds for speckle-server to start..."
+            sleep 3
+          done
+
+      # - name: Restore cached Graphqler configuration
+      #   id: cache-config-restore
+      #   uses: actions/cache/restore@v4
+      #   with:
+      #     path: |
+      #       ${{ github.workspace }}/graphqlerConfig
+      #     key: graphqler-config-${{ github.sha }}
+
+      # - name: Generate Graphqler config from Graphql server
+      #   if: steps.cache-config-restore.outputs.cache-hit != 'true'
+      #   working-directory: ${{ github.workspace }}/graphqler-fuzzer
+      #   run: |
+      #     poetry run python ./graphqler --mode compile --url http://127.0.0.1:3000/graphql --path ${{ github.workspace }}/graphqlerOutput
+
+      # - name: Print the Graphqler configuration
+      #   run: |
+      #     ls -la ${{ github.workspace }} || true
+      #     ls -la ${{ github.workspace }}/graphqlerOutput || true
+      #     ls -la ${{ github.workspace }}/graphqlerOutput/compiled || true
+      # echo ""
+      # echo "############################################"
+      # echo "# Engine settings                          #"
+      # echo "# To customize, copy and save this file to #"
+      # echo "# setup/fuzzer/settings.graphqler.json       #"
+      # echo "############################################"
+      # echo ""
+      # cat ${{ github.workspace }}/graphqlerOutput/compiled/engine_settings.json
+      # - name: Save Graphqler Config
+      #   if: steps.cache-config-restore.outputs.cache-hit != 'true'
+      #   id: cache-config-save
+      #   uses: actions/cache/save@v4
+      #   with:
+      #     path: |
+      #       ${{ github.workspace }}/graphqlerOutput
+      #     key: ${{ steps.cache-config-restore.outputs.cache-primary-key }}
+
+      - name: Run Graphqler fuzz test
+        working-directory: ${{ github.workspace }}/graphqler-fuzzer
+        run: |
+          poetry run python ./graphqler --mode run --url http://127.0.0.1:3000/graphql --path ${{ github.workspace }}/graphqlerOutput --auth 'Bearer 103b2cf86168ec87fc6ec88978455667feb0f08d12' --config ${{ github.workspace }}/speckle-server/setup/fuzzer/config.graphqler.toml
+
+      - name: Print the results
+        if: always()
+        run: |
+          ls -la ${{ github.workspace }}/graphqlerOutput
+          ls -la ${{ github.workspace }}/graphqlerOutput/logs || true
+          echo ""
+          echo "############################################"
+          echo "#            Status.txt                 #"
+          echo "############################################"
+          echo ""
+          cat ${{ github.workspace }}/graphqlerOutput/stats.txt || true
+          echo ""
+          echo "############################################"
+          echo "#           ./logs/fuzzer.log              #"
+          echo "############################################"
+          echo ""
+          cat ${{ github.workspace }}/logs/fuzzer.log || true
+
+      - uses: actions/upload-artifact@v4
+        name: Store the Test output
+        if: always()
+        with:
+          name: fuzz-test-graphql-api-output
+          path: ${{ github.workspace }}/graphqlerOutput
+          if-no-files-found: error
+          retention-days: 5
+          overwrite: true
+
+      - name: Print Docker Compose logs
+        if: always()
+        run: |
+          docker compose --file ${{ github.workspace }}/speckle-server/docker-compose-deps.yml logs
+          docker compose --file ${{ github.workspace }}/speckle-server/setup/fuzzer/docker-compose-speckle.yml logs

packages/server/package.json

@@ -38,7 +38,8 @@
     "migrate": "yarn cli db migrate",
     "migrate:test": "cross-env NODE_ENV=test ts-node ./modules/cli/index.js db migrate",
     "gqlgen": "graphql-codegen --config codegen.yml",
-    "gqlgen:watch": "graphql-codegen --config codegen.yml --watch \"assets/**/*.graphql\""
+    "gqlgen:watch": "graphql-codegen --config codegen.yml --watch \"assets/**/*.graphql\"",
+    "start": "cross-env NODE_ENV=production LOG_PRETTY=true node ./bin/ts-www"
   },
   "dependencies": {
     "@apollo/client": "^3.7.0",

setup/fuzzer/config.graphqler.toml

@@ -0,0 +1,44 @@
+# Configuration
+
+# For debugging purposes
+DEBUG = false
+
+# For clairvoyance
+WORDLIST_PATH = "static/wordlist.txt"
+
+# For the resolver
+MAX_LEVENSHTEIN_THRESHOLD = 20  # A very high threshold, we could probably lower this, but this almost guarantees us to find a matching object name - ID
+
+# For the linker
+GRAPH_VISUALIZATION_OUTPUT = "dependency_graph.png"
+
+# For materializers
+MAX_OBJECT_CYCLES = 3
+MAX_OUTPUT_SELECTOR_DEPTH = 3
+HARD_CUTOFF_DEPTH = 20
+MAX_INPUT_DEPTH = 20
+
+# For using GraphQLer in different modes
+USE_OBJECTS_BUCKET = true  # This mode is for when we want to use the objects bucket
+USE_DEPENDENCY_GRAPH = true  # This mode is for when we want to use DFS through the dependency graph
+NO_DATA_COUNT_AS_SUCCESS = false  # This mode is for when we want to count no data in the data object as a success or failure
+
+# For fuzzing
+ALLOW_DELETION_OF_OBJECTS = false  # This mode is for when we want to allow the deletion of objects from the objects bucket when coming across a DELETE mutation success
+MAX_FUZZING_ITERATIONS = 5
+MAX_TIME = 180  # in seconds
+SKIP_MAXIMAL_PAYLOADS = false # This mode is for when we want to skip the maximal payloads
+SKIP_DOS_ATTACKS = true # This mode is for when we want to skip the DoS check
+SKIP_INJECTION_ATTACKS = false # This mode is for when we want to skip the injection check
+SKIP_MISC_ATTACKS = false # This mode is for when we want to skip the miscellaneous attacks
+
+# For each request
+REQUEST_TIMEOUT = 30  # in seconds
+TIME_BETWEEN_REQUESTS = 0.001  # in seconds
+
+# For custom skipping specific nodes"""
+SKIP_NODES = []
+
+# Put custom headers here
+[CUSTOM_HEADERS]
+Accept = "application/json"

setup/fuzzer/docker-compose-speckle.yml

@@ -0,0 +1,53 @@
+version: '2.4'
+services:
+  speckle-server:
+    platform: linux/amd64
+    image: speckle/speckle-server:latest
+    restart: always
+    ports:
+      - '0.0.0.0:3000:3000'
+    healthcheck:
+      test:
+        - CMD
+        - /nodejs/bin/node
+        - -e
+        - "try { require('node:http').request({headers: {'Content-Type': 'application/json'}, port:3000, hostname:'127.0.0.1', path:'/readiness', method: 'GET', timeout: 2000 }, (res) => { body = ''; res.on('data', (chunk) => {body += chunk;}); res.on('end', () => {process.exit(res.statusCode != 200 || body.toLowerCase().includes('error'));}); }).end(); } catch { process.exit(1); }"
+      interval: 10s
+      timeout: 10s
+      retries: 3
+      start_period: 90s
+    environment:
+      PORT: 3000
+
+      CANONICAL_URL: 'http://127.0.0.1:3000'
+      SESSION_SECRET: '-> FILL IN <-'
+
+      REDIS_URL: 'redis://redis:6379'
+
+      USE_FRONTEND_2: true
+      FRONTEND_ORIGIN: 'http://127.0.0.1:8081'
+
+      ENABLE_FE2_MESSAGING: false
+
+      POSTGRES_URL: 'postgres'
+      POSTGRES_USER: 'speckle'
+      POSTGRES_PASSWORD: 'speckle'
+      POSTGRES_DB: 'speckle'
+
+      S3_ENDPOINT: 'http://minio:9000'
+      S3_ACCESS_KEY: 'minioadmin'
+      S3_SECRET_KEY: 'minioadmin'
+      S3_BUCKET: 'speckle-server'
+      S3_CREATE_BUCKET: 'true'
+
+      EMAIL: false
+
+      DISABLE_NOTIFICATIONS_CONSUMPTION: true
+      STRATEGY_LOCAL: true
+      RATELIMITER_ENABLED: false
+    networks:
+      - speckle-server_default
+
+networks:
+  speckle-server_default:
+    external: true