Description
To avoid prompt injection, when using this repo in headless contexts especially, we want to expose a mechanism where we can filter returned data to avoid any issue, pr, comment or discussion that was not provided by a user with push access to the provided repository.
For now it can be an optional a single owner/repo that is provided as a flag on startup to the cobra command to start the stdio server. This might be expensive, so it should not be applied in general. If it is possible to set the list, and add it to context, that could be a better way, and then tools can consume the list from ctx of allowed_user_handles and if it is set we should filter out all provided users. There should be a boolean in the context to explicitly allow this, so an empty/nil list will be applied as not allowing any, in case of error - to avoid accidently turning off the protection.
I have attached the graphql schema, and you already have examples of go graphql calls in the repo. Use them as an example.
An example of where we would apply this is if somebody were to call it from a coding agent, so that we could mitigate attempted prompt injection from public users, on public repositories.
This feature should auto-disable itself, when the repo provided is private - as then access is already limited by the owner, and any self-attempt at prompt injection is therefore not something that we should need to explicitly guard against.
I have attached the schema for GraphQL
Below is the readme of the graphql go library:
graphql
=======
[](https://pkg.go.dev/github.com/shurcooL/graphql)
Package `graphql` provides a GraphQL client implementation.
For more information, see package [`github.com/shurcooL/githubv4`](https://github.com/shurcooL/githubv4), which is a specialized version targeting GitHub GraphQL API v4. That package is driving the feature development.
Installation
------------
```sh
go get github.com/shurcooL/graphql
Usage
Construct a GraphQL client, specifying the GraphQL server URL. Then, you can use it to make GraphQL queries and mutations.
client := graphql.NewClient("https://example.com/graphql", nil)
// Use client...Authentication
Some GraphQL servers may require authentication. The graphql package does not directly handle authentication. Instead, when creating a new client, you're expected to pass an http.Client that performs authentication. The easiest and recommended way to do this is to use the golang.org/x/oauth2 package. You'll need an OAuth token with the right scopes. Then:
import "golang.org/x/oauth2"
func main() {
src := oauth2.StaticTokenSource(
&oauth2.Token{AccessToken: os.Getenv("GRAPHQL_TOKEN")},
)
httpClient := oauth2.NewClient(context.Background(), src)
client := graphql.NewClient("https://example.com/graphql", httpClient)
// Use client...Simple Query
To make a GraphQL query, you need to define a corresponding Go type.
For example, to make the following GraphQL query:
query {
me {
name
}
}You can define this variable:
var query struct {
Me struct {
Name graphql.String
}
}Then call client.Query, passing a pointer to it:
err := client.Query(context.Background(), &query, nil)
if err != nil {
// Handle error.
}
fmt.Println(query.Me.Name)
// Output: Luke SkywalkerArguments and Variables
Often, you'll want to specify arguments on some fields. You can use the graphql struct field tag for this.
For example, to make the following GraphQL query:
{
human(id: "1000") {
name
height(unit: METER)
}
}You can define this variable:
var q struct {
Human struct {
Name graphql.String
Height graphql.Float `graphql:"height(unit: METER)"`
} `graphql:"human(id: \"1000\")"`
}Then call client.Query:
err := client.Query(context.Background(), &q, nil)
if err != nil {
// Handle error.
}
fmt.Println(q.Human.Name)
fmt.Println(q.Human.Height)
// Output:
// Luke Skywalker
// 1.72However, that'll only work if the arguments are constant and known in advance. Otherwise, you will need to make use of variables. Replace the constants in the struct field tag with variable names:
var q struct {
Human struct {
Name graphql.String
Height graphql.Float `graphql:"height(unit: $unit)"`
} `graphql:"human(id: $id)"`
}Then, define a variables map with their values:
variables := map[string]any{
"id": graphql.ID(id),
"unit": starwars.LengthUnit("METER"),
}Finally, call client.Query providing variables:
err := client.Query(context.Background(), &q, variables)
if err != nil {
// Handle error.
}Inline Fragments
Some GraphQL queries contain inline fragments. You can use the graphql struct field tag to express them.
For example, to make the following GraphQL query:
{
hero(episode: "JEDI") {
name
... on Droid {
primaryFunction
}
... on Human {
height
}
}
}You can define this variable:
var q struct {
Hero struct {
Name graphql.String
Droid struct {
PrimaryFunction graphql.String
} `graphql:"... on Droid"`
Human struct {
Height graphql.Float
} `graphql:"... on Human"`
} `graphql:"hero(episode: \"JEDI\")"`
}Alternatively, you can define the struct types corresponding to inline fragments, and use them as embedded fields in your query:
type (
DroidFragment struct {
PrimaryFunction graphql.String
}
HumanFragment struct {
Height graphql.Float
}
)
var q struct {
Hero struct {
Name graphql.String
DroidFragment `graphql:"... on Droid"`
HumanFragment `graphql:"... on Human"`
} `graphql:"hero(episode: \"JEDI\")"`
}Then call client.Query:
err := client.Query(context.Background(), &q, nil)
if err != nil {
// Handle error.
}
fmt.Println(q.Hero.Name)
fmt.Println(q.Hero.PrimaryFunction)
fmt.Println(q.Hero.Height)
// Output:
// R2-D2
// Astromech
// 0Mutations
Mutations often require information that you can only find out by performing a query first. Let's suppose you've already done that.
For example, to make the following GraphQL mutation:
mutation($ep: Episode!, $review: ReviewInput!) {
createReview(episode: $ep, review: $review) {
stars
commentary
}
}
variables {
"ep": "JEDI",
"review": {
"stars": 5,
"commentary": "This is a great movie!"
}
}You can define:
var m struct {
CreateReview struct {
Stars graphql.Int
Commentary graphql.String
} `graphql:"createReview(episode: $ep, review: $review)"`
}
variables := map[string]any{
"ep": starwars.Episode("JEDI"),
"review": starwars.ReviewInput{
Stars: graphql.Int(5),
Commentary: graphql.String("This is a great movie!"),
},
}Then call client.Mutate:
err := client.Mutate(context.Background(), &m, variables)
if err != nil {
// Handle error.
}
fmt.Printf("Created a %v star review: %v\n", m.CreateReview.Stars, m.CreateReview.Commentary)
// Output:
// Created a 5 star review: This is a great movie!Directories
| Path | Synopsis |
|---|---|
| ident | Package ident provides functions for parsing and converting identifier names between various naming convention. |
| internal/jsonutil | Package jsonutil provides a function for decoding JSON into a GraphQL query data structure. |
License
Use the unit tests provided via `go test ./... -v` to run all the test suite, and standard go tools like `gofmt` and the normal linting and `go mod tidy` etc. should be used if needed. Do not write end2end tests in this case. They will not help, and they required a real github token to run.