Enhance request body check

Backport of 1406ca2 Closes gh-735

Author: rstoyanchev

spring-graphql/src/main/java/org/springframework/graphql/server/WebGraphQlRequest.java

@@ -58,8 +58,7 @@ public class WebGraphQlRequest extends DefaultExecutionGraphQlRequest implements
 public WebGraphQlRequest(
 URI uri, HttpHeaders headers, Map<String, Object> body, String id, @Nullable Locale locale) {
 
-super(getKey("query", body), getKey("operationName", body), getKey("variables", body),
-getKey("extensions", body), id, locale);
+super(getQuery(body), getOperation(body), getMap("variables", body), getMap("extensions", body), id, locale);
 
 Assert.notNull(uri, "URI is required'");
 Assert.notNull(headers, "HttpHeaders is required'");
@@ -68,12 +67,31 @@ public WebGraphQlRequest(
 this.headers = headers;
 }
 
+private static String getQuery(Map<String, Object> body) {
+Object value = body.get("query");
+if (!(value instanceof String query) || !StringUtils.hasText(query)) {
+throw new ServerWebInputException("Invalid value for 'query'");
+}
+return (String) value;
+}
+
+@Nullable
+private static String getOperation(Map<String, Object> body) {
+Object value = body.get("operation");
+if (value != null && !(value instanceof String)) {
+throw new ServerWebInputException("Invalid value for 'operation'");
+}
+return (String) value;
+}
+
 @SuppressWarnings("unchecked")
-private static <T> T getKey(String key, Map<String, Object> body) {
-if (key.equals("query") && !StringUtils.hasText((String) body.get(key))) {
-throw new ServerWebInputException("No \"query\" in the request document");
+@Nullable
+private static Map<String, Object> getMap(String key, Map<String, Object> body) {
+Object value = body.get(key);
+if (value != null && !(value instanceof Map)) {
+throw new ServerWebInputException("Invalid value for '" + key + "'");
 }
-return (T) body.get(key);
+return (Map<String, Object>) value;
 }
 
 

spring-graphql/src/test/java/org/springframework/graphql/server/WebGraphQlRequestTests.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.graphql.server;
+
+import java.net.URI;
+import java.util.Collections;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.web.server.ServerWebInputException;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+/**
+ * Unit tests for {@link WebGraphQlRequest}.
+ *
+ * @author Rossen Stoyanchev
+ */
+public class WebGraphQlRequestTests {
+
+@Test // gh-726
+void invalidBody() {
+testInvalidBody(Map.of());
+testInvalidBody(Map.of("query", Collections.emptyMap()));
+testInvalidBody(Map.of("query", "query { foo }", "operation", Collections.emptyMap()));
+testInvalidBody(Map.of("query", "query { foo }", "variables", "not-a-map"));
+testInvalidBody(Map.of("query", "query { foo }", "extensions", "not-a-map"));
+}
+
+private void testInvalidBody(Map<String, Object> body) {
+assertThatThrownBy(() ->
+new WebGraphQlRequest(
+URI.create("/graphql"), new HttpHeaders(), new LinkedMultiValueMap<>(),
+Collections.emptyMap(), body, "1", null))
+.isInstanceOf(ServerWebInputException.class);
+}
+
+
+}