
fix CVE-2026-3118#2597

Merged
lholmquist merged 18 commits into redhat-developer:main from lholmquist:RHIDP-12388-CVE-2026-3118
Apr 8, 2026

Conversation

@lholmquist
Member

@lholmquist lholmquist commented Mar 24, 2026

Hey, I just made a Pull Request!

relates to JIRA https://redhat.atlassian.net/browse/RHIDP-12388 and https://redhat.atlassian.net/browse/RHIDP-12583

The orchestrator plugin uses the GraphQL client @urql/core, which has a dependency on the module @0no-co/graphql.web. When that module resolved to version 1.0.9, it was not correctly parsing the constructed GraphQL queries during execution. Updating to the latest @urql/core brings in an updated version of @0no-co/graphql.web which parses those queries correctly, will now throw an error when a query is malformed (as happens in a malformed pagination example), and sanitizes query filters.

This PR also reworks the code that builds the query and the various filters. It now takes advantage of query variables (https://graphql.org/learn/queries/#variables), which should guard it from injection attacks.

This will also need to be applied to both the 1.8 and 1.9 branches for orchestrator

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

@rhdh-qodo-merge

Review Summary by Qodo

Update @urql/core to fix CVE-2026-3118 vulnerability

🐞 Bug fix


Walkthroughs

Description
• Update @urql/core dependency from 4.1.4 to 6.0.1
• Fixes CVE-2026-3118 vulnerability in GraphQL query parsing
• Resolves malformed pagination query handling issues
• Add changeset documenting the patch version update
Diagram
flowchart LR
  A["@urql/core v4.1.4"] -- "Update to v6.0.1" --> B["Fixed CVE-2026-3118"]
  B -- "Improved query parsing" --> C["@0no-co/graphql.web updated"]
  C -- "Sanitizes filters" --> D["Malformed queries detected"]


File Changes

1. workspaces/orchestrator/.changeset/five-meals-cover.md 📝 Documentation +5/-0

Add changeset for CVE-2026-3118 patch

• Created new changeset file documenting the patch update
• Specifies affected package: @red-hat-developer-hub/backstage-plugin-orchestrator-backend
• Documents CVE-2026-3118 fix for @urql/core dependency

2. workspaces/orchestrator/plugins/orchestrator-backend/package.json 🐞 Bug fix +1/-1

Upgrade @urql/core dependency to v6.0.1

• Upgraded @urql/core from ^4.1.4 to ^6.0.1
• Brings in updated @0no-co/graphql.web for proper query parsing
• Fixes vulnerability and improves malformed query error handling


@rhdh-qodo-merge

rhdh-qodo-merge bot commented Mar 24, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0) 📐 Spec deviations (0)



Action required

1. GraphQL filter injection risk 🐞 Bug ⛨ Security
Description
Request-body filter values are inserted into GraphQL query strings without escaping, so
quotes/braces in filter values can break query parsing and allow query-shape injection against the
Data Index GraphQL endpoint. This becomes more user-visible with the @urql/core upgrade because
malformed queries will error instead of being tolerated downstream.
Code

workspaces/orchestrator/plugins/orchestrator-backend/package.json[79]

+    "@urql/core": "^6.0.1",
Evidence
The backend accepts req.body.filters and forwards it into query building. filterBuilder formats
values as "${fieldValue}" without escaping, and DataIndexService/queryBuilder send the
resulting string to client.query(...), so malicious or simply unescaped input (e.g., containing
") can create invalid GraphQL or alter the query structure.

workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[1098-1100]
workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[147-155]
workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[251-277]
workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/queryBuilder.ts[18-38]
workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts[205-254]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`filters` coming from `req.body` are embedded into GraphQL query strings without escaping, which can break query parsing and enables query-shape injection.

### Issue Context
- `router.ts` returns request filters directly from the body.
- `filterBuilder.ts` wraps string values in quotes without escaping.
- Queries are executed by passing constructed strings into `@urql/core`.

### Fix Focus Areas
- Sanitize/escape GraphQL string literal values (at minimum via `JSON.stringify(String(value))`) before embedding them into query strings.
- Prefer GraphQL variables wherever possible (for values like `definitionId`, `instanceId`, and filter values).
- Validate filter objects from the request (shape + value types) and reject invalid characters if variables cannot be used.

#### Files/lines
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[1098-1100]
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[101-155]
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[251-277]
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts[132-153]
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts[404-454]
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/queryBuilder.ts[18-38]




Remediation recommended

2. Changeset typo 🐞 Bug ⚙ Maintainability
Description
The changeset text contains a spelling error (“dependecy”), which will be published in release
notes/changelog output. This is user-facing metadata and should be corrected before release
automation consumes it.
Code

workspaces/orchestrator/.changeset/five-meals-cover.md[5]

+Update dependecy @urql/core to fix CVE-2026-3118
Evidence
The new changeset file’s summary line includes the misspelling verbatim.

workspaces/orchestrator/.changeset/five-meals-cover.md[1-5]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Changeset summary contains a typo.

### Fix Focus Areas
- Replace `dependecy` with `dependency`.

#### Files/lines
- workspaces/orchestrator/.changeset/five-meals-cover.md[1-5]



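As an added example (not the orchestrator plugin's own code), the following TypeScript contrasts the pattern flagged in the review above, a request-body filter value spliced into the query text, with the query-variables form the PR description and the review's fix focus areas call for. The `ProcessInstances` field, the filter field names and the `equal`/`like` operators are assumed placeholders; nothing here is sent over the network.

```typescript
// Added example, not the orchestrator plugin's own code. It contrasts the pattern the
// review flagged (a request-body filter value spliced into the GraphQL query text) with
// the variables-based form the PR moved to. Field and operator names are hypothetical.

export interface FilterClause {
  field: string;
  operator: string;
  value: string;
}

export interface GraphQLRequest {
  query: string;
  variables: Record<string, unknown>;
}

// Only allow-listed identifiers may ever be spliced into query text; request bodies
// are not type-checked at runtime, so the string union alone would not protect this.
const ALLOWED_FIELDS = new Set(["processName", "state", "businessKey"]);
const ALLOWED_OPERATORS = new Set(["equal", "like"]);

function checkIdentifiers(clause: FilterClause): void {
  if (!ALLOWED_FIELDS.has(clause.field)) throw new Error(`bad field: ${clause.field}`);
  if (!ALLOWED_OPERATORS.has(clause.operator)) throw new Error(`bad operator: ${clause.operator}`);
}

// Flagged pattern: the value becomes part of the query text, so a double quote inside
// it ends the string literal early and changes the shape of what the server parses.
export function buildInlineQuery(clause: FilterClause): GraphQLRequest {
  checkIdentifiers(clause);
  const query = `{ ProcessInstances(where: { ${clause.field}: { ` +
    `${clause.operator}: "${clause.value}" } }) { id } }`;
  return { query, variables: {} };
}

// Hardened form: the query text never contains the value; it travels as $value in the
// variables object and the server binds it as data whatever characters it holds.
export function buildVariableQuery(clause: FilterClause): GraphQLRequest {
  checkIdentifiers(clause);
  const query = `query ($value: String!) { ProcessInstances(where: { ${clause.field}: { ` +
    `${clause.operator}: $value } }) { id } }`;
  return { query, variables: { value: clause.value } };
}

// Returns the contents of every well-formed string literal in a query document, so a
// caller can see whether a filter value survived intact or was cut by its own quote.
export function stringLiterals(query: string): string[] {
  const re = /"((?:[^"\\]|\\.)*)"/g;
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(query)) !== null) out.push(m[1]);
  return out;
}
```

With a constructed value such as `a"b`, the inline form yields a query whose only complete literal is `a` while the rest of the value leaks into the query structure; the variables form keeps the query text free of the value entirely.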

@rhdh-gh-app

rhdh-gh-app bot commented Mar 24, 2026

Changed Packages

Package Name Package Path Changeset Bump Current Version
@red-hat-developer-hub/backstage-plugin-orchestrator-backend workspaces/orchestrator/plugins/orchestrator-backend patch v8.7.2

"@red-hat-developer-hub/backstage-plugin-orchestrator-common": "workspace:^",
"@red-hat-developer-hub/backstage-plugin-orchestrator-node": "workspace:^",
"@urql/core": "^4.1.4",
"@urql/core": "^6.0.1",
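Review bot: the range jumps two major versions in a single line (^4.1.4 to ^6.0.1), so this hunk alone does not show which @0no-co/graphql.web release the install actually resolves to; confirm that workspaces/orchestrator/yarn.lock is regenerated in the same change so the transitive module no longer resolves to 1.0.9, and consider whether the changeset's patch bump is the right signal for a two-major-version jump of a runtime dependency. The cherry-picks to orchestrator-1.8 and orchestrator-1.9 will conflict on package.json and yarn.lock, as the cherry-pick bot output later in the thread shows, so the backports need the lockfile resolved by hand.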

Action required

1. GraphQL filter injection risk 🐞 Bug ⛨ Security

Request-body filter values are inserted into GraphQL query strings without escaping, so
quotes/braces in filter values can break query parsing and allow query-shape injection against the
Data Index GraphQL endpoint. This becomes more user-visible with the @urql/core upgrade because
malformed queries will error instead of being tolerated downstream.

@lholmquist lholmquist changed the title fix: Update grapql client to fix CVE-2026-3118 WIP: fix CVE-2026-3118 Mar 25, 2026
@lholmquist lholmquist force-pushed the RHIDP-12388-CVE-2026-3118 branch 2 times, most recently from 28dcf48 to 97ea3f6 Compare April 3, 2026 17:19
@lholmquist lholmquist changed the title WIP: fix CVE-2026-3118 fix CVE-2026-3118 Apr 3, 2026
@lholmquist lholmquist force-pushed the RHIDP-12388-CVE-2026-3118 branch from 97ea3f6 to d1c9787 Compare April 7, 2026 11:58
@lholmquist lholmquist force-pushed the RHIDP-12388-CVE-2026-3118 branch from 0f5572b to 9afe698 Compare April 7, 2026 15:26
Member

@PatAKnight PatAKnight left a comment


Last one and then this should be good to go!

@sonarqubecloud

sonarqubecloud bot commented Apr 8, 2026

Member

@PatAKnight PatAKnight left a comment


/lgtm

@openshift-ci openshift-ci bot added the lgtm label Apr 8, 2026
@lholmquist lholmquist merged commit 91013e2 into redhat-developer:main Apr 8, 2026
11 checks passed
@lholmquist
Member Author

/cherrypick orchestrator-1.8

@openshift-cherrypick-robot

@lholmquist: #2597 failed to apply on top of branch "orchestrator-1.8":

Applying: fix: Update grapql client to fix CVE-2026-3118.
Using index info to reconstruct a base tree...
M	workspaces/orchestrator/plugins/orchestrator-backend/package.json
M	workspaces/orchestrator/yarn.lock
Falling back to patching base and 3-way merge...
Auto-merging workspaces/orchestrator/yarn.lock
CONFLICT (content): Merge conflict in workspaces/orchestrator/yarn.lock
Auto-merging workspaces/orchestrator/plugins/orchestrator-backend/package.json
CONFLICT (content): Merge conflict in workspaces/orchestrator/plugins/orchestrator-backend/package.json
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 fix: Update grapql client to fix CVE-2026-3118.

In response to this:

/cherrypick orchestrator-1.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

lholmquist added a commit that referenced this pull request Apr 8, 2026
* fix: Update grapql client

* Filters, pagination and queries now use query variables

fixes CVE-2026-3118 and relates to JIRA https://redhat.atlassian.net/browse/RHIDP-12388 and https://redhat.atlassian.net/browse/RHIDP-12583
@lholmquist
Member Author

/cherrypick orchestrator-1.9

@openshift-cherrypick-robot

@lholmquist: #2597 failed to apply on top of branch "orchestrator-1.9":

Applying: fix: Update grapql client to fix CVE-2026-3118.
Using index info to reconstruct a base tree...
M	workspaces/orchestrator/plugins/orchestrator-backend/package.json
M	workspaces/orchestrator/yarn.lock
Falling back to patching base and 3-way merge...
Auto-merging workspaces/orchestrator/yarn.lock
CONFLICT (content): Merge conflict in workspaces/orchestrator/yarn.lock
Auto-merging workspaces/orchestrator/plugins/orchestrator-backend/package.json
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 fix: Update grapql client to fix CVE-2026-3118.

In response to this:

/cherrypick orchestrator-1.9

lholmquist added a commit that referenced this pull request Apr 8, 2026
* fix: Update grapql client

* Filters, pagination and queries now use query variables

fixes CVE-2026-3118 and relates to JIRA https://redhat.atlassian.net/browse/RHIDP-12388 and https://redhat.atlassian.net/browse/RHIDP-12583