Merge pull request #12 from dolevf/add-mercurius

Add mercurius
dolevf · Aug 22, 2022 · cd52128 · cd52128
2 parents f05a299 + d15da4b
commit cd52128
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -57,6 +57,7 @@ graphw00f currently attempts to discover the following GraphQL engines:
 * GraphQL Yoga - TypeScript
 * Lighthouse - PHP
 * Agoo - Ruby
+* Mercurius - JavaScripts
 
 # GraphQL Threat Matrix
 The graphw00f project uses the [GraphQL Threat Matrix Project](https://github.com/nicholasaleks/graphql-threat-matrix/) as its technology security matrix database. When graphw00f successfully fingerprints a GraphQL endpoint, it will print out the threat matrix document. This document helps security engineers to identify how mature the technology is, what security features it offers, and whether it contains any CVEs.

diff --git a/graphw00f/helpers.py b/graphw00f/helpers.py
@@ -225,6 +225,12 @@ def get_engines():
       'url':'https://github.com/ohler55/agoo',
       'ref':'https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md',
       'technology':['Ruby']
+    },
+    'mercurius':{
+      'name':'mercurius',
+      'url':'https://github.com/mercurius-js/mercurius',
+      'ref':'https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md',
+      'technology':['JavaScript', 'Node.js', 'TypeScript']
     }
   }
 

diff --git a/graphw00f/lib.py b/graphw00f/lib.py
@@ -43,6 +43,8 @@ def execute(self, url):
     self.url = url
     if self.engine_lighthouse():
       return 'lighthouse'
+    if self.engine_mercurius():
+      return 'mercurius'
     elif self.engine_graphql_yoga():
       return 'graphql_yoga'
     elif self.engine_agoo():
@@ -573,7 +575,7 @@ def engine_directus(self):
         return True
 
     return False
-  
+
   def engine_lighthouse(self):
     query = '''
       query {
@@ -588,12 +590,21 @@ def engine_lighthouse(self):
 
   def engine_agoo(self):
     query = '''
-      query { 
-        zzz 
+      query {
+        zzz
       }
     '''
     response = self.graph_query(self.url, payload=query)
     if error_contains(response, 'eval error', part='code'):
       return True
-
+
+    return False
+
+  def engine_mercurius(self):
+    query = ''
+    response = self.graph_query(self.url, payload=query)
+
+    if error_contains(response, 'Unknown query'):
+      return True
     return False
+
diff --git a/version.py b/version.py
@@ -1 +1 @@
-VERSION = '1.1.3'
+VERSION = '1.1.4'