From e1d314ce28cfb42eac0c7308c0e0856591919aca Mon Sep 17 00:00:00 2001
From: Jonathan Ehwald
Date: Wed, 25 Jun 2025 17:17:26 +0200
Subject: [PATCH 1/2] fix(audits): outdated B6DC status code ranges
Relevant section: 6.4.1 application/json
https://graphql.github.io/graphql-over-http/draft/#sel-FANNLTCAACEBi8K
https://graphql.github.io/graphql-over-http/draft/#sel-FANNLVCCBCIsB7xT
---
src/audits/server.ts | 9 +++++++--
src/audits/utils.ts | 13 +++++++++++++
tests/__snapshots__/audits.test.ts.snap | 2 +-
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/src/audits/server.ts b/src/audits/server.ts
index d7b4f377..f38194d4 100644
--- a/src/audits/server.ts
+++ b/src/audits/server.ts
@@ -560,16 +560,21 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
),
audit(
'B6DC',
- 'MAY use 4xx or 5xx status codes on JSON parsing failure',
+ 'MAY use 2xx, 4xx, or 5xx status codes on JSON parsing failure when accepting application/json',
async () => {
const res = await fetchFn(await getUrl(opts.url), {
method: 'POST',
headers: {
'content-type': 'application/json',
+ accept: 'application/json',
},
body: '{ "not a JSON',
});
- ressert(res).status.toBeBetween(400, 499);
+ ressert(res).status.toBeBetweenMultiple([
+ [200, 299],
+ [400, 499],
+ [500, 599],
+ ]);
},
),
audit(
diff --git a/src/audits/utils.ts b/src/audits/utils.ts
index ed6f70be..d5f47e3a 100644
--- a/src/audits/utils.ts
+++ b/src/audits/utils.ts
@@ -99,6 +99,19 @@ export function ressert(res: Response) {
);
}
},
+ toBeBetweenMultiple: (ranges: Array<[number, number]>) => {
+ const isInRange = ranges.some(
+ ([min, max]) => min <= res.status && res.status <= max,
+ );
+ if (!isInRange) {
+ throw new AuditError(
+ res,
+ `Response status is not between any of the provided ranges: ${ranges
+ .map(([min, max]) => `[${min}, ${max}]`)
+ .join(', ')}`,
+ );
+ }
+ },
},
header(key: 'content-type') {
return {
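Review bot: With 2xx now admitted by the `toBeBetweenMultiple` call, the B6DC audit also passes for a server that ignores the malformed body and answers 200 with an ordinary success payload, because nothing in the hunk inspects the response body. If the `ressert` helper exposes a body check, asserting that a 2xx answer still carries a GraphQL `errors` entry would keep the audit tied to a parsing failure rather than to any non-1xx/3xx status; if it does not, a comment such as `// 2xx is accepted for application/json; the body is not inspected here` above the assertion would make the limit explicit. I cannot see the helper's full surface from this hunk, so which of the two applies needs confirming against utils.ts.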
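Review bot: `toBeBetweenMultiple` has no doc comment, and its bound semantics (inclusive at both ends, per `min <= res.status && res.status <= max`) are only discoverable by reading the body; a TSDoc line above it, `/** Passes when res.status lies inside any of the given [min, max] pairs, bounds inclusive; throws AuditError otherwise. */`, would help callers in server.ts. The parameter is never mutated, so `ranges: ReadonlyArray<readonly [number, number]>` is the more precise type and lets callers pass `as const` literals. An empty `ranges` array always throws with an empty list in the message, which is fine if intended but worth stating in that comment. The enclosing `ressert` function begins and ends outside the hunk.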
diff --git a/tests/__snapshots__/audits.test.ts.snap b/tests/__snapshots__/audits.test.ts.snap
index d8e9c5ed..98afe78f 100644
--- a/tests/__snapshots__/audits.test.ts.snap
+++ b/tests/__snapshots__/audits.test.ts.snap
@@ -188,7 +188,7 @@ exports[`should not change globally unique audit ids 1`] = `
},
{
"id": "B6DC",
- "name": "MAY use 4xx or 5xx status codes on JSON parsing failure",
+ "name": "MAY use 2xx, 4xx, or 5xx status codes on JSON parsing failure when accepting application/json",
},
{
"id": "BCF8",
From 4e9b409d49d10d92aa1cd0bd37f232816b007a42 Mon Sep 17 00:00:00 2001
From: Jonathan Ehwald
Date: Wed, 25 Jun 2025 17:22:15 +0200
Subject: [PATCH 2/2] fix(audits): outdated BCF8 description and headers
Relevant section: 6.4.2.1.1 JSON parsing failure
https://graphql.github.io/graphql-over-http/draft/#sec-application-graphql-response-json.Examples.JSON-parsing-failure
---
src/audits/server.ts | 3 ++-
tests/__snapshots__/audits.test.ts.snap | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/audits/server.ts b/src/audits/server.ts
index f38194d4..1074d2e5 100644
--- a/src/audits/server.ts
+++ b/src/audits/server.ts
@@ -579,12 +579,13 @@ export function serverAudits(opts: ServerAuditOptions): Audit[] {
),
audit(
'BCF8',
- 'MAY use 400 status code on JSON parsing failure',
+ 'SHOULD use 400 status code on JSON parsing failure when accepting application/json',
async () => {
const res = await fetchFn(await getUrl(opts.url), {
method: 'POST',
headers: {
'content-type': 'application/json',
+ accept: 'application/json',
},
body: '{ "not a JSON',
});
diff --git a/tests/__snapshots__/audits.test.ts.snap b/tests/__snapshots__/audits.test.ts.snap
index 98afe78f..551b7611 100644
--- a/tests/__snapshots__/audits.test.ts.snap
+++ b/tests/__snapshots__/audits.test.ts.snap
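Review bot: The request built in the BCF8 audit is now identical to the one in the B6DC audit a few lines earlier (same method, headers and malformed body), so a small local helper inside `serverAudits` would keep the two in step the next time the spec's headers change, which is exactly what this pair of commits had to do twice. The status assertion for BCF8 lies past the end of the hunk, so whether it already matches the SHOULD-400 wording of the new name cannot be confirmed from here. The helper could look like the following, with both audits calling `await postMalformedJson()`:
```typescript
export function serverAudits(opts: ServerAuditOptions): Audit[] {
  // One request shared by the JSON-parsing-failure audits (B6DC, BCF8).
  const postMalformedJson = async () =>
    fetchFn(await getUrl(opts.url), {
      method: 'POST',
      headers: {
        'content-type': 'application/json',
        accept: 'application/json',
      },
      body: '{ "not a JSON',
    });
  // … unchanged: earlier audits …
    audit(
      'BCF8',
      'SHOULD use 400 status code on JSON parsing failure when accepting application/json',
      async () => {
        const res = await postMalformedJson();
        // … unchanged: status assertion (outside the hunk) …
```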
@@ -192,7 +192,7 @@ exports[`should not change globally unique audit ids 1`] = `
},
{
"id": "BCF8",
- "name": "MAY use 400 status code on JSON parsing failure",
+ "name": "SHOULD use 400 status code on JSON parsing failure when accepting application/json",
},
{
"id": "8764",