From d18cf1ac37cff02b2cd299af09d8ed0e0c376a46 Mon Sep 17 00:00:00 2001
From: Valentin Tolmer <valentin@tolmer.fr>
Date: Mon, 10 Apr 2023 18:32:31 +0200
Subject: [PATCH] server: decode graphql parameter

---
 Cargo.lock                        | 19 +++++++++----------
 server/Cargo.toml                 |  5 +++--
 server/src/infra/graphql/query.rs |  2 ++
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index fc9fcc0..d7ff474 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2404,7 +2404,8 @@ dependencies = [
  "tracing-forest",
  "tracing-log",
  "tracing-subscriber",
- "uuid 0.8.2",
+ "urlencoding",
+ "uuid 1.3.0",
  "webpki-roots",
 ]
 
@@ -2530,12 +2531,6 @@ dependencies = [
  "digest 0.10.6",
 ]
 
-[[package]]
-name = "md5"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771"
-
 [[package]]
 name = "memchr"
 version = "2.5.0"
@@ -4399,14 +4394,17 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "urlencoding"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8db7427f936968176eaa7cdf81b7f98b980b18495ec28f1b5791ac3bfe3eea9"
+
 [[package]]
 name = "uuid"
 version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
-dependencies = [
- "md5",
-]
 
 [[package]]
 name = "uuid"
@@ -4415,6 +4413,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1674845326ee10d37ca60470760d4288a6f80f304007d92e5c53bab78c9cfd79"
 dependencies = [
  "getrandom 0.2.8",
+ "md-5",
 ]
 
 [[package]]
diff --git a/server/Cargo.toml b/server/Cargo.toml
index e79c451..c069131 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -32,7 +32,9 @@ ldap3_proto = ">=0.3.1"
 log = "*"
 orion = "0.17"
 rustls = "0.20"
+rustls-pemfile = "1"
 serde = "*"
+serde_bytes = "0.11"
 serde_json = "1"
 sha2 = "0.10"
 thiserror = "*"
@@ -44,8 +46,7 @@ tracing = "*"
 tracing-actix-web = "0.7"
 tracing-attributes = "^0.1.21"
 tracing-log = "*"
-rustls-pemfile = "1"
-serde_bytes = "0.11"
+urlencoding = "2"
 webpki-roots = "*"
 
 [dependencies.chrono]
diff --git a/server/src/infra/graphql/query.rs b/server/src/infra/graphql/query.rs
index 6422844..1eb2f5e 100644
--- a/server/src/infra/graphql/query.rs
+++ b/server/src/infra/graphql/query.rs
@@ -124,10 +124,12 @@ impl<Handler: BackendHandler> Query<Handler> {
     }
 
     pub async fn user(context: &Context<Handler>, user_id: String) -> FieldResult<User<Handler>> {
+        use anyhow::Context;
         let span = debug_span!("[GraphQL query] user");
         span.in_scope(|| {
             debug!(?user_id);
         });
+        let user_id = urlencoding::decode(&user_id).context("Invalid user parameter")?;
         let user_id = UserId::new(&user_id);
         let handler = context
             .get_readable_handler(&user_id)