GraphQL Introspection import fails with NullPointerException

Describe the bug GraphQL schema import fails with confusing error message when the introspection query is not successful.

Specifically, the zap-api-scan.py script failed with this error message:

2021-10-26 16:19:57,787 http://localhost:47065 "GET http://zap/JSON/core/view/urls/ HTTP/1.1" 200 170
2021-10-26 16:19:57,788 Import warnings: internal_error

And the server failed with this NPE stack trace:

2021-10-26 16:58:47,851 [ZAP-ProxyThread-8] ERROR API - Exception while handling API request:
java.lang.NullPointerException: null
        at graphql.introspection.IntrospectionResultToSchema.createSchemaDefinition(IntrospectionResultToSchema.java:68) ~[?:?]
        at org.zaproxy.addon.graphql.GraphQlParser.introspect(GraphQlParser.java:98) ~[?:?]
        at org.zaproxy.addon.graphql.GraphQlApi.importUrl(GraphQlApi.java:109) ~[?:?]
        at org.zaproxy.addon.graphql.GraphQlApi.handleApiAction(GraphQlApi.java:74) ~[?:?]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:507) [zap-D-2021-08-17.jar:D-2021-08-17]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-D-2021-08-17.jar:D-2021-08-17]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-D-2021-08-17.jar:D-2021-08-17]
        at java.lang.Thread.run(Thread.java:829) [?:?]

I think I see the bug on this line: https://github.com/zaproxy/zap-extensions/blob/0dd3920424e68346e307f73b6cdd226eae9e943e/addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlParser.java#L98

Looks like if the introspection JSON response has "data": null and attempts to parse the schema, then it throws an exception.

Let me know if I should open this issue elsewhere. The zap-extensions repo wasn’t clear about where issues are managed.

To Reproduce Steps to reproduce the behavior:

1. Scan a GraphQL endpoint that returns {"data": null} or even {"data": null, "errors": [...]} for a more realistic example.
2. Logs show the above import failure message
   • It incorrectly normalizes the endpoint and then continues a baseline scan

Expected behavior GraphQL endpoint fails with a clear log message in the scan script. (Not just a NPE inside the container’s file system log.)

Ideally, it would log the full failure message from the GraphQL endpoint. That way it’d be easier to debug and fix the server-side issue.

Software versions

• ZAP: docker run owasp/zap2docker-weekly:latest zap-api-scan.py ...
• Add-on: Name and version [e.g. Passive Scan Rules Alpha v19. https://www.zaproxy.org/faq/how-do-i-see-what-version-of-an-add-on-extension-i-have-installed/]
• OS: Linux kernel
• Java: The version present in the latest container image build owasp/zap2docker-weekly:latest
• Browser: N/A

Errors from the zap.log file See above log messages ^