Added graphql parsing library

.gitmodules

@@ -2,3 +2,6 @@
  path = lib/GQLSpection
  url = ../GQLSpection.git
  branch = dev
+[submodule "lib/graphql-py"]
+ path = lib/graphql-py
+ url = https://github.com/ivelum/graphql-py

build.gradle

@@ -31,7 +31,7 @@ sourceSets {
  srcDir 'kotlin'
  }
  resources {
- srcDirs = ['python', 'lib/GQLSpection/src']
+ srcDirs = ['python', 'lib/GQLSpection/src', 'lib/graphql-py/graphql']
  }
  }
 }

python/inql/attacker/request.py

@@ -5,6 +5,8 @@
 from threading import Thread
 from urlparse import urlparse
 
+from graphql.parser import GraphQLParser
+
 from burp import IMessageEditorController
 
 from java.awt import BorderLayout
@@ -44,10 +46,13 @@ def generate_attack_request(self):
  parsed = parsed[0]
  query = parsed['query']
 
+ ast = parser.parse(query)
+ print('ast: ', ast)
+
  actionMatch = re.search('([^{]*?){(.+)}([^}]*?)', query, re.DOTALL)
  action, query, tmp = actionMatch.groups()
  query = self.stripComments(query)
- query = re.sub(r'\n|\r|\t', '', query)
+ query = "{" + re.sub(r'\n|\r|\t', '', query) + "}"
  prefix, suffix, exploit = "", "", ""
  while True:
  # FIXME: whitespace inbetween will break the regex!
@@ -57,6 +62,8 @@ def generate_attack_request(self):
  if not match:
  break
  pfx, query, sfx = match.groups()
+ print('match pfx ', pfx)
+ print('match query ', query)
 
  # look for a placeholder
  match = (
@@ -74,6 +81,7 @@ def generate_attack_request(self):
  lead, verb, args, rest = match.groups()
  args = args.split(':')
  log.debug("lead: %s, verb: %s, args: %s, rest: %s" % (lead, verb, args, rest))
+ print("lead: %s, verb: %s, args: %s, rest: %s" % (lead, verb, args, rest))
 
  exploit = ""
  if verb == 'INT':