Merge commit from fork

[1.12] fix CVE 2025 27407

Author: rmosolgo

cop/development/no_eval_cop.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+require 'rubocop'
+
+module Cop
+  module Development
+    class NoEvalCop < RuboCop::Cop::Base
+      MSG_TEMPLATE = "Don't use `%{eval_method_name}` which accepts strings and may result evaluating unexpected code. Use `%{exec_method_name}` instead, and pass a block."
+
+      def on_send(node)
+        case node.method_name
+        when :module_eval, :class_eval, :instance_eval
+          message = MSG_TEMPLATE % { eval_method_name: node.method_name, exec_method_name: node.method_name.to_s.sub("eval", "exec").to_sym }
+          add_offense node, message: message
+        end
+      end
+    end
+  end
+end

lib/graphql/language/nodes.rb

@@ -133,6 +133,8 @@ def merge!(new_options)
         end
 
         class << self
+          # rubocop:disable Development/NoEvalCop This eval takes static inputs at load-time
+
           # Add a default `#visit_method` and `#children_method_name` using the class name
           def inherited(child_class)
             super
@@ -276,6 +278,7 @@ def initialize_node #{arguments.join(", ")}
               RUBY
             end
           end
+          # rubocop:enable Development/NoEvalCop
         end
       end
 

lib/graphql/schema/argument.rb

@@ -55,6 +55,7 @@ def from_resolver?
       def initialize(arg_name = nil, type_expr = nil, desc = nil, required:, type: nil, name: nil, loads: nil, description: nil, ast_node: nil, default_value: NO_DEFAULT, as: nil, from_resolver: false, camelize: true, prepare: nil, method_access: true, owner:, validates: nil, directives: nil, deprecation_reason: nil, &definition_block)
         arg_name ||= name
         @name = -(camelize ? Member::BuildType.camelize(arg_name.to_s) : arg_name.to_s)
+        NameValidator.validate!(@name)
         @type_expr = type_expr || type
         @description = desc || description
         @null = !required
@@ -78,11 +79,8 @@ def initialize(arg_name = nil, type_expr = nil, desc = nil, required:, type: nil
         self.validates(validates)
 
         if definition_block
-          if definition_block.arity == 1
-            instance_exec(self, &definition_block)
-          else
-            instance_eval(&definition_block)
-          end
+          # `self` will still be self, it will also be the first argument to the block:
+          instance_exec(self, &definition_block)
         end
       end
 

lib/graphql/schema/build_from_definition.rb

@@ -426,17 +426,18 @@ def build_fields(owner, field_definitions, type_resolver, default_resolve:)
 
             # Don't do this for interfaces
             if default_resolve
-              owner.class_eval <<-RUBY, __FILE__, __LINE__
-                # frozen_string_literal: true
-                def #{resolve_method_name}(**args)
-                  field_instance = self.class.get_field("#{field_definition.name}")
-                  context.schema.definition_default_resolve.call(self.class, field_instance, object, args, context)
-                end
-              RUBY
+              define_field_resolve_method(owner, resolve_method_name, field_definition.name)
             end
           end
         end
 
+        def define_field_resolve_method(owner, method_name, field_name)
+          owner.define_method(method_name) { |**args|
+            field_instance = self.class.get_field(field_name)
+            context.schema.definition_default_resolve.call(self.class, field_instance, object, args, context)
+          }
+        end
+
         def build_resolve_type(lookup_hash, directives, missing_type_handler)
           resolve_type_proc = nil
           resolve_type_proc = ->(ast_node) {

lib/graphql/schema/enum_value.rb

@@ -55,7 +55,7 @@ def initialize(graphql_name, desc = nil, owner:, ast_node: nil, directives: nil,
         end
 
         if block_given?
-          instance_eval(&block)
+          instance_exec(self, &block)
         end
       end
 

lib/graphql/schema/field.rb

@@ -231,6 +231,7 @@ def initialize(type: nil, name: nil, owner: nil, null: nil, field: nil, function
         name_s = -name.to_s
         @underscored_name = -Member::BuildType.underscore(name_s)
         @name = -(camelize ? Member::BuildType.camelize(name_s) : name_s)
+        NameValidator.validate!(@name)
         @description = description
         if field.is_a?(GraphQL::Schema::Field)
           raise ArgumentError, "Instead of passing a field as `field:`, use `add_field(field)` to add an already-defined field."

lib/graphql/schema/input_object.rb

@@ -123,12 +123,8 @@ class << self
         def argument(*args, **kwargs, &block)
           argument_defn = super(*args, **kwargs, &block)
           # Add a method access
-          method_name = argument_defn.keyword
-          class_eval <<-RUBY, __FILE__, __LINE__
-            def #{method_name}
-              self[#{method_name.inspect}]
-            end
-          RUBY
+          define_accessor_method(argument_defn.keyword)
+          argument_defn
         end
 
         def to_graphql
@@ -236,6 +232,13 @@ def coerce_result(value, ctx)
 
           result
         end
+
+        private
+
+        def define_accessor_method(method_name)
+          define_method(method_name) { self[method_name] }
+          alias_method(method_name, method_name)
+        end
       end
 
       private

lib/graphql/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module GraphQL
-  VERSION = "1.12.24"
+  VERSION = "1.12.25"
 end

spec/graphql/schema/loader_spec.rb

@@ -389,4 +389,153 @@ def assert_deep_equal(expected_type, actual_type)
       assert_equal arg.default_value, { 'id' => nil, 'int' => nil, 'float' => nil, 'enum' => nil, 'sub' => nil, 'bool' => nil, 'bigint' => nil }
     end
   end
+
+  it "validates field argument names" do
+    json = {
+      "data" => {
+        "__schema" => {
+          "queryType" => {
+            "name" => "Query"
+          },
+          "mutationType" => nil,
+          "subscriptionType" => nil,
+          "types" => [
+            {
+              "kind" => "OBJECT",
+              "name" => "Query",
+              "description" => nil,
+              "fields" => [
+                {
+                  "name" => "int",
+                  "description" => nil,
+                  "type" => {
+                    "kind" => "SCALAR",
+                    "name" => "Int",
+                    "ofType" => nil,
+                  },
+                  "args" => [
+                    {
+                      "name" => "something-wrong",
+                      "description" => nil,
+                      "type" => {
+                        "kind" => "SCALAR",
+                        "name" => "Int",
+                        "ofType" => nil
+                      },
+                      "defaultValue" => nil
+                    }
+                  ],
+                }
+              ]
+            }
+          ]
+        }
+      }
+    }
+    err = assert_raises GraphQL::InvalidNameError do
+      GraphQL::Schema.from_introspection(json)
+    end
+
+    assert_includes err.message, "something-wrong"
+  end
+
+  it "validates field names" do
+    json = {
+      "data" => {
+        "__schema" => {
+          "queryType" => {
+            "name" => "Query"
+          },
+          "mutationType" => nil,
+          "subscriptionType" => nil,
+          "types" => [
+            {
+              "kind" => "OBJECT",
+              "name" => "Query",
+              "description" => nil,
+              "fields" => [
+                {
+                  "name" => "bad.int",
+                  "description" => nil,
+                  "type" => {
+                    "kind" => "SCALAR",
+                    "name" => "Int",
+                    "ofType" => nil,
+                  },
+                  "args" => [],
+                }
+              ]
+            }
+          ]
+        }
+      }
+    }
+    err = assert_raises GraphQL::InvalidNameError do
+      GraphQL::Schema.from_introspection(json)
+    end
+
+    assert_includes err.message, "bad.int"
+  end
+
+  it "validates input object argument names" do
+    json = {
+      "data" => {
+        "__schema" => {
+          "queryType" => {
+            "name" => "Query"
+          },
+          "mutationType" => nil,
+          "subscriptionType" => nil,
+          "types" => [
+            {
+              "kind" => "OBJECT",
+              "name" => "Query",
+              "description" => nil,
+              "fields" => [
+                {
+                  "name" => "int",
+                  "description" => nil,
+                  "type" => {
+                    "kind" => "SCALAR",
+                    "name" => "Int",
+                    "ofType" => nil,
+                  },
+                  "args" => [
+                    {
+                      "name" => "inputObject",
+                      "description" => nil,
+                      "type" => {
+                        "kind" => "INPUT_OBJECT",
+                        "name" => "SomeInputObject",
+                        "ofType" => nil
+                      },
+                      "defaultValue" => nil
+                    }
+                  ],
+                }
+              ]
+            },
+            {
+              "kind" => "INPUT_OBJECT",
+              "name" => "SomeInputObject",
+              "description" => nil,
+              "inputFields" => [
+                {
+                  "name"=>"bad, input",
+                  "type"=> { "kind" => "SCALAR", "name" => "String"},
+                  "defaultValue"=> nil,
+                  "description" => nil,
+                },
+              ]
+            }
+          ]
+        }
+      }
+    }
+    err = assert_raises GraphQL::InvalidNameError do
+      GraphQL::Schema.from_introspection(json)
+    end
+
+    assert_includes err.message, "bad, input"
+  end
 end