From 4bf2616b8a4e4b731370ada5d33db1e47f395755 Mon Sep 17 00:00:00 2001
From: kerry <kerry@oscer.ai>
Date: Tue, 28 Mar 2023 23:49:34 +1100
Subject: [PATCH 1/3] feat: removeDuplicateTags() validates tags and panic with
 meaningful error message

---
 plugin/modelgen/models.go      |  5 +++++
 plugin/modelgen/models_test.go | 23 ++++++++++++++++++-----
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/plugin/modelgen/models.go b/plugin/modelgen/models.go
index 855ed1001fa..529cbd9fcb2 100644
--- a/plugin/modelgen/models.go
+++ b/plugin/modelgen/models.go
@@ -434,6 +434,11 @@ func removeDuplicateTags(t string) string {
 	// iterate backwards through tags so appended goTag directives are prioritized
 	for i := len(tt) - 1; i >= 0; i-- {
 		ti := tt[i]
+		// check if ti contains ":", and not contains any empty space. if not, tag is in wrong format
+		if !strings.Contains(ti, ":") || strings.Contains(ti, " ") {
+			panic(fmt.Errorf("wrong format of tags: %s. goTag directive should be in format: @goTag(key: \"something\", value:\"value1,value2,etc\"), no empty space is allowed", t))
+		}
+
 		kv := strings.Split(ti, ":")
 		if len(kv) == 0 || processed[kv[0]] {
 			continue
diff --git a/plugin/modelgen/models_test.go b/plugin/modelgen/models_test.go
index f4f3f35834e..d5427531acd 100644
--- a/plugin/modelgen/models_test.go
+++ b/plugin/modelgen/models_test.go
@@ -356,9 +356,10 @@ func TestRemoveDuplicate(t *testing.T) {
 		t string
 	}
 	tests := []struct {
-		name string
-		args args
-		want string
+		name      string
+		args      args
+		want      string
+		wantPanic bool
 	}{
 		{
 			name: "Duplicate Test with 1",
@@ -395,11 +396,23 @@ func TestRemoveDuplicate(t *testing.T) {
 			},
 			want: "something:\"name2\" json:\"name3\"",
 		},
+		{
+			name: "Test value with empty space",
+			args: args{
+				t: "json:\"name, name2\"",
+			},
+			want:      "json:\"name, name2\"",
+			wantPanic: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := removeDuplicateTags(tt.args.t); got != tt.want {
-				t.Errorf("removeDuplicate() = %v, want %v", got, tt.want)
+			if tt.wantPanic {
+				assert.Panics(t, func() { removeDuplicateTags(tt.args.t) }, "The code did not panic")
+			} else {
+				if got := removeDuplicateTags(tt.args.t); got != tt.want {
+					t.Errorf("removeDuplicate() = %v, want %v", got, tt.want)
+				}
 			}
 		})
 	}

From 6731ba847824e017900e56a4726cd379bbedb107 Mon Sep 17 00:00:00 2001
From: Steve Coffman <StevenACoffman@users.noreply.github.com>
Date: Thu, 22 Jun 2023 14:37:13 -0400
Subject: [PATCH 2/3] Instead of pinning on _latest without subresource
 integrity check, update both url and integrity to latest

---
 graphql/playground/apollo_sandbox_playground.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/graphql/playground/apollo_sandbox_playground.go b/graphql/playground/apollo_sandbox_playground.go
index 9f020d8389d..624360724bc 100644
--- a/graphql/playground/apollo_sandbox_playground.go
+++ b/graphql/playground/apollo_sandbox_playground.go
@@ -24,7 +24,7 @@ var apolloSandboxPage = template.Must(template.New("ApolloSandbox").Parse(`<!doc
 <body>
   <div style="width: 100vw; height: 100vh;" id='embedded-sandbox'></div>
   <!-- NOTE: New version available at https://embeddable-sandbox.cdn.apollographql.com/ -->
-  <script rel="preload" as="script" crossorigin="anonymous" type="text/javascript" src="https://embeddable-sandbox.cdn.apollographql.com/_latest/embeddable-sandbox.umd.production.min.js"></script>
+  <script rel="preload" as="script" crossorigin="anonymous" integrity="{{.mainSRI}}" type="text/javascript" src="https://embeddable-sandbox.cdn.apollographql.com/7212121cad97028b007e974956dc951ce89d683c/embeddable-sandbox.umd.production.min.js"></script>
   <script>
 {{- if .endpointIsAbsolute}}
 	const url = {{.endpoint}};
@@ -53,6 +53,7 @@ func ApolloSandboxHandler(title, endpoint string) http.HandlerFunc {
 			"title":              title,
 			"endpoint":           endpoint,
 			"endpointIsAbsolute": endpointHasScheme(endpoint),
+			"mainSRI": "sha256-/ldbSJ7EovavF815TfCN50qKB9AMvzskb9xiG71bmg2I=",
 		})
 		if err != nil {
 			panic(err)

From d955b63750e61f78ca105f6204c47fbd13fffd8e Mon Sep 17 00:00:00 2001
From: Steve Coffman <StevenACoffman@users.noreply.github.com>
Date: Thu, 22 Jun 2023 14:39:45 -0400
Subject: [PATCH 3/3] Update graphql/playground/apollo_sandbox_playground.go

---
 graphql/playground/apollo_sandbox_playground.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/graphql/playground/apollo_sandbox_playground.go b/graphql/playground/apollo_sandbox_playground.go
index 624360724bc..be466adc0b2 100644
--- a/graphql/playground/apollo_sandbox_playground.go
+++ b/graphql/playground/apollo_sandbox_playground.go
@@ -53,7 +53,7 @@ func ApolloSandboxHandler(title, endpoint string) http.HandlerFunc {
 			"title":              title,
 			"endpoint":           endpoint,
 			"endpointIsAbsolute": endpointHasScheme(endpoint),
-			"mainSRI": "sha256-/ldbSJ7EovavF815TfCN50qKB9AMvzskb9xiG71bmg2I=",
+			"mainSRI":            "sha256-/ldbSJ7EovavF815TfCN50qKB9AMvzskb9xiG71bmg2I=",
 		})
 		if err != nil {
 			panic(err)