graphql 2.2.14 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f35b5aadaa5d2666f3f41f3347a0dec2a3799e747e0f70c4075ab9dd21e6c965
-  data.tar.gz: b5f5b6ed45a287fdb8a7e29b0e45b13fc3093c9040a85a5c139db3c9df1ca41e
+  metadata.gz: 566d6d5c49b331b3f38e2f4d338c635bae02a86b14a004ff55f1eccccb973181
+  data.tar.gz: 0a8a048f8644e933252ca30459386e2049ac8c3093731709d344bf898f884731
 SHA512:
-  metadata.gz: 3bb546944fd6a331ffaeba21130ce6253d372300b3ff3b7252d7d8da934a5ae7b4f95503128855e19fa5f860ef4e9868103f4212e068c556f0f9908ed051f0dc
-  data.tar.gz: 0d2f779dbfd416d92ec46774178f7556dfdac7e5c3e70b54a816de32af5f849493da8771e679e7555209e9ea2ab62702e574bc1a9416a328e9afbc74ac8a4306
+  metadata.gz: 12136553e963ed98012887215d1f21efd31c2a3bacd40ada6836ca3884680cb4ac6a8c7a1fabaa7fc8699c0ba6db9f20418ae068a74694daef8db1d13e506933
+  data.tar.gz: 1faab9e89cf122660fb277df551ba026685cefeaa2fba9d83b590a5a18d4c4dc1202712ecf404c2998eb12c27a1219bd548944ef5f65daaad79371163ca66b43

data/lib/generators/graphql/templates/schema.erb

@@ -26,6 +26,9 @@ class <%= schema_name %> < GraphQL::Schema
     raise(GraphQL::RequiredImplementationMissingError)
   end
 
+  # Limit the size of incoming queries:
+  max_query_string_tokens(5000)
+
   # Stop validating when it encounters this many errors:
   validate_max_errors(100)
 end

data/lib/graphql/analysis/ast/field_usage.rb

@@ -41,7 +41,9 @@ module GraphQL
               @used_deprecated_arguments << argument.definition.path
             end
 
-            next if argument.value.nil?
+            arg_val = argument.value
+
+            next if arg_val.nil?
 
             argument_type = argument.definition.type
             if argument_type.non_null?
@@ -49,18 +51,18 @@ module GraphQL
             end
 
             if argument_type.kind.input_object?
-              extract_deprecated_arguments(argument.value.arguments.argument_values) # rubocop:disable Development/ContextIsPassedCop -- runtime args instance
+              extract_deprecated_arguments(argument.original_value.arguments.argument_values) # rubocop:disable Development/ContextIsPassedCop -- runtime args instance
             elsif argument_type.kind.enum?
-              extract_deprecated_enum_value(argument_type, argument.value)
+              extract_deprecated_enum_value(argument_type, arg_val)
             elsif argument_type.list?
               inner_type = argument_type.unwrap
               case inner_type.kind
               when TypeKinds::INPUT_OBJECT
-                argument.value.each do |value|
+                argument.original_value.each do |value|
                   extract_deprecated_arguments(value.arguments.argument_values) # rubocop:disable Development/ContextIsPassedCop -- runtime args instance
                 end
               when TypeKinds::ENUM
-                argument.value.each do |value|
+                arg_val.each do |value|
                   extract_deprecated_enum_value(inner_type, value)
                 end
               else

data/lib/graphql/analysis/ast/visitor.rb

@@ -118,8 +118,12 @@ module GraphQL
         def on_inline_fragment(node, parent)
           on_fragment_with_type(node) do
             @path.push("...#{node.type ? " on #{node.type.name}" : ""}")
+            @skipping = @skip_stack.last || skip?(node)
+            @skip_stack << @skipping
+
             call_on_enter_inline_fragment(node, parent)
             super
+            @skipping = @skip_stack.pop
             call_on_leave_inline_fragment(node, parent)
           end
         end
@@ -187,9 +191,13 @@ module GraphQL
 
         def on_fragment_spread(node, parent)
           @path.push("... #{node.name}")
+          @skipping = @skip_stack.last || skip?(node)
+          @skip_stack << @skipping
+
           call_on_enter_fragment_spread(node, parent)
           enter_fragment_spread_inline(node)
           super
+          @skipping = @skip_stack.pop
           leave_fragment_spread_inline(node)
           call_on_leave_fragment_spread(node, parent)
           @path.pop

data/lib/graphql/backtrace/inspect_result.rb

@@ -16,12 +16,6 @@ module GraphQL
           "[" +
             obj.map { |v| inspect_truncated(v) }.join(", ") +
             "]"
-        when Query::Context::SharedMethods
-          if obj.invalid_null?
-            "nil"
-          else
-            inspect_truncated(obj.value)
-          end
         else
           inspect_truncated(obj)
         end
@@ -33,12 +27,6 @@ module GraphQL
           "{...}"
         when Array
           "[...]"
-        when Query::Context::SharedMethods
-          if obj.invalid_null?
-            "nil"
-          else
-            inspect_truncated(obj.value)
-          end
         when GraphQL::Execution::Lazy
           "(unresolved)"
         else

data/lib/graphql/execution/interpreter/argument_value.rb

@@ -6,15 +6,19 @@ module GraphQL
       # A container for metadata regarding arguments present in a GraphQL query.
       # @see Interpreter::Arguments#argument_values for a hash of these objects.
       class ArgumentValue
-        def initialize(definition:, value:, default_used:)
+        def initialize(definition:, value:, original_value:, default_used:)
           @definition = definition
           @value = value
+          @original_value = original_value
           @default_used = default_used
         end
 
         # @return [Object] The Ruby-ready value for this Argument
         attr_reader :value
 
+        # @return [Object] The value of this argument _before_ `prepare` is applied.
+        attr_reader :original_value
+
         # @return [GraphQL::Schema::Argument] The definition instance for this argument
         attr_reader :definition
 

data/lib/graphql/language/document_from_schema_definition.rb

@@ -24,7 +24,7 @@ module GraphQL
         @include_built_in_directives = include_built_in_directives
         @include_one_of = false
 
-        schema_context = schema.context_class.new(query: nil, object: nil, schema: schema, values: context)
+        schema_context = schema.context_class.new(query: nil, schema: schema, values: context)
 
 
         @warden = @schema.warden_class.new(

data/lib/graphql/language/lexer.rb

@@ -3,7 +3,7 @@ module GraphQL
   module Language
 
     class Lexer
-      def initialize(graphql_str, filename: nil)
+      def initialize(graphql_str, filename: nil, max_tokens: nil)
         if !(graphql_str.encoding == Encoding::UTF_8 || graphql_str.ascii_only?)
           graphql_str = graphql_str.dup.force_encoding(Encoding::UTF_8)
         end
@@ -11,6 +11,8 @@ module GraphQL
         @filename = filename
         @scanner = StringScanner.new(graphql_str)
         @pos = nil
+        @max_tokens = max_tokens || Float::INFINITY
+        @tokens_count = 0
       end
 
       def eos?
@@ -22,6 +24,10 @@ module GraphQL
       def advance
         @scanner.skip(IGNORE_REGEXP)
         return false if @scanner.eos?
+        @tokens_count += 1
+        if @tokens_count > @max_tokens
+          raise_parse_error("This query is too large to execute.")
+        end
         @pos = @scanner.pos
         next_byte = @string.getbyte(@pos)
         next_byte_is_for = FIRST_BYTES[next_byte]
@@ -52,6 +58,17 @@ module GraphQL
           :IDENTIFIER
         when ByteFor::NUMBER
           @scanner.skip(NUMERIC_REGEXP)
+
+          if GraphQL.reject_numbers_followed_by_names
+            new_pos = @scanner.pos
+            peek_byte = @string.getbyte(new_pos)
+            next_first_byte = FIRST_BYTES[peek_byte]
+            if next_first_byte == ByteFor::NAME || next_first_byte == ByteFor::IDENTIFIER
+              number_part = token_value
+              name_part = @scanner.scan(IDENTIFIER_REGEXP)
+              raise_parse_error("Name after number is not allowed (in `#{number_part}#{name_part}`)")
+            end
+          end
           # Check for a matched decimal:
           @scanner[1] ? :FLOAT : :INT
         when ByteFor::ELLIPSIS
@@ -109,29 +126,27 @@ module GraphQL
       }
       UTF_8 = /\\u(?:([\dAa-f]{4})|\{([\da-f]{4,})\})(?:\\u([\dAa-f]{4}))?/i
       VALID_STRING = /\A(?:[^\\]|#{ESCAPES}|#{UTF_8})*\z/o
+      ESCAPED = /(?:#{ESCAPES}|#{UTF_8})/o
 
       def string_value
         str = token_value
         is_block = str.start_with?('"""')
         if is_block
           str.gsub!(/\A"""|"""\z/, '')
+          return Language::BlockString.trim_whitespace(str)
         else
           str.gsub!(/\A"|"\z/, '')
-        end
-
-        if is_block
-          str = Language::BlockString.trim_whitespace(str)
-        end
-
-        if !str.valid_encoding? || !str.match?(VALID_STRING)
-          raise_parse_error("Bad unicode escape in #{str.inspect}")
-        else
-          Lexer.replace_escaped_characters_in_place(str)
 
-          if !str.valid_encoding?
+          if !str.valid_encoding? || !str.match?(VALID_STRING)
             raise_parse_error("Bad unicode escape in #{str.inspect}")
           else
-            str
+            Lexer.replace_escaped_characters_in_place(str)
+
+            if !str.valid_encoding?
+              raise_parse_error("Bad unicode escape in #{str.inspect}")
+            else
+              str
+            end
           end
         end
       end
@@ -158,6 +173,7 @@ module GraphQL
       INT_REGEXP =        /-?(?:[0]|[1-9][0-9]*)/
       FLOAT_DECIMAL_REGEXP = /[.][0-9]+/
       FLOAT_EXP_REGEXP =     /[eE][+-]?[0-9]+/
+      # TODO: FLOAT_EXP_REGEXP should not be allowed to follow INT_REGEXP, integers are not allowed to have exponent parts.
       NUMERIC_REGEXP =  /#{INT_REGEXP}(#{FLOAT_DECIMAL_REGEXP}#{FLOAT_EXP_REGEXP}|#{FLOAT_DECIMAL_REGEXP}|#{FLOAT_EXP_REGEXP})?/
 
       KEYWORDS = [
@@ -252,11 +268,10 @@ module GraphQL
       FOUR_DIGIT_UNICODE = /#{UNICODE_DIGIT}{4}/
       N_DIGIT_UNICODE = %r{#{Punctuation::LCURLY}#{UNICODE_DIGIT}{4,}#{Punctuation::RCURLY}}x
       UNICODE_ESCAPE = %r{\\u(?:#{FOUR_DIGIT_UNICODE}|#{N_DIGIT_UNICODE})}
-      # # https://graphql.github.io/graphql-spec/June2018/#sec-String-Value
       STRING_ESCAPE = %r{[\\][\\/bfnrt]}
       BLOCK_QUOTE =   '"""'
       ESCAPED_QUOTE = /\\"/;
-      STRING_CHAR = /#{ESCAPED_QUOTE}|[^"\\]|#{UNICODE_ESCAPE}|#{STRING_ESCAPE}/
+      STRING_CHAR = /#{ESCAPED_QUOTE}|[^"\\\n\r]|#{UNICODE_ESCAPE}|#{STRING_ESCAPE}/
       QUOTED_STRING_REGEXP = %r{#{QUOTE} (?:#{STRING_CHAR})* #{QUOTE}}x
       BLOCK_STRING_REGEXP = %r{
         #{BLOCK_QUOTE}
@@ -301,24 +316,25 @@ module GraphQL
       # Replace any escaped unicode or whitespace with the _actual_ characters
       # To avoid allocating more strings, this modifies the string passed into it
       def self.replace_escaped_characters_in_place(raw_string)
-        raw_string.gsub!(ESCAPES, ESCAPES_REPLACE)
-        raw_string.gsub!(UTF_8) do |_matched_str|
-          codepoint_1 = ($1 || $2).to_i(16)
-          codepoint_2 = $3
-
-          if codepoint_2
-            codepoint_2 = codepoint_2.to_i(16)
-            if (codepoint_1 >= 0xD800 && codepoint_1 <= 0xDBFF) && # leading surrogate
-                (codepoint_2 >= 0xDC00 && codepoint_2 <= 0xDFFF) # trailing surrogate
-              # A surrogate pair
-              combined = ((codepoint_1 - 0xD800) * 0x400) + (codepoint_2 - 0xDC00) + 0x10000
-              [combined].pack('U'.freeze)
+        raw_string.gsub!(ESCAPED) do |matched_str|
+          if (point_str_1 = $1 || $2)
+            codepoint_1 = point_str_1.to_i(16)
+            if (codepoint_2 = $3)
+              codepoint_2 = codepoint_2.to_i(16)
+              if (codepoint_1 >= 0xD800 && codepoint_1 <= 0xDBFF) && # leading surrogate
+                  (codepoint_2 >= 0xDC00 && codepoint_2 <= 0xDFFF) # trailing surrogate
+                # A surrogate pair
+                combined = ((codepoint_1 - 0xD800) * 0x400) + (codepoint_2 - 0xDC00) + 0x10000
+                [combined].pack('U'.freeze)
+              else
+                # Two separate code points
+                [codepoint_1].pack('U'.freeze) + [codepoint_2].pack('U'.freeze)
+              end
             else
-              # Two separate code points
-              [codepoint_1].pack('U'.freeze) + [codepoint_2].pack('U'.freeze)
+              [codepoint_1].pack('U'.freeze)
             end
           else
-            [codepoint_1].pack('U'.freeze)
+            ESCAPES_REPLACE[matched_str]
           end
         end
         nil

data/lib/graphql/language/parser.rb

@@ -12,8 +12,8 @@ module GraphQL
       class << self
         attr_accessor :cache
 
-        def parse(graphql_str, filename: nil, trace: Tracing::NullTrace)
-          self.new(graphql_str, filename: filename, trace: trace).parse
+        def parse(graphql_str, filename: nil, trace: Tracing::NullTrace, max_tokens: nil)
+          self.new(graphql_str, filename: filename, trace: trace, max_tokens: max_tokens).parse
         end
 
         def parse_file(filename, trace: Tracing::NullTrace)
@@ -27,14 +27,15 @@ module GraphQL
         end
       end
 
-      def initialize(graphql_str, filename: nil, trace: Tracing::NullTrace)
+      def initialize(graphql_str, filename: nil, trace: Tracing::NullTrace, max_tokens: nil)
         if graphql_str.nil?
           raise GraphQL::ParseError.new("No query string was present", nil, nil, nil)
         end
-        @lexer = Lexer.new(graphql_str, filename: filename)
+        @lexer = Lexer.new(graphql_str, filename: filename, max_tokens: max_tokens)
         @graphql_str = graphql_str
         @filename = filename
         @trace = trace
+        @dedup_identifiers = false
       end
 
       def parse
@@ -732,6 +733,9 @@ module GraphQL
       # Only use when we care about the expected token's value
       def expect_token_value(tok)
         token_value = @lexer.token_value
+        if @dedup_identifiers
+          token_value = -token_value
+        end
         expect_token(tok)
         token_value
       end
@@ -741,6 +745,12 @@ module GraphQL
       def debug_token_value
         @lexer.debug_token_value(token_name)
       end
+      class SchemaParser < Parser
+        def initialize(*args, **kwargs)
+          super
+          @dedup_identifiers = true
+        end
+      end
     end
   end
 end

data/lib/graphql/language.rb

@@ -12,6 +12,7 @@ require "graphql/language/static_visitor"
 require "graphql/language/token"
 require "graphql/language/visitor"
 require "graphql/language/definition_slice"
+require "strscan"
 
 module GraphQL
   module Language
@@ -32,6 +33,65 @@ module GraphQL
       else
         JSON.generate(value, quirks_mode: true)
       end
+    rescue JSON::GeneratorError
+      if Float::INFINITY == value
+        "Infinity"
+      else
+        raise
+      end
+    end
+
+    # Returns a new string if any single-quoted newlines were escaped.
+    # Otherwise, returns `query_str` unchanged.
+    # @return [String]
+    def self.escape_single_quoted_newlines(query_str)
+      scanner = StringScanner.new(query_str)
+      inside_single_quoted_string = false
+      new_query_str = nil
+      while !scanner.eos?
+        if (match = scanner.scan(/(?:\\"|[^"\n\r]|""")+/m)) && new_query_str
+          new_query_str << match
+        elsif scanner.scan('"')
+          new_query_str && (new_query_str << '"')
+          inside_single_quoted_string = !inside_single_quoted_string
+        elsif scanner.scan("\n")
+          if inside_single_quoted_string
+            new_query_str ||= query_str[0, scanner.pos - 1]
+            new_query_str << '\\n'
+          else
+            new_query_str && (new_query_str << "\n")
+          end
+        elsif scanner.scan("\r")
+          if inside_single_quoted_string
+            new_query_str ||= query_str[0, scanner.pos - 1]
+            new_query_str << '\\r'
+          else
+            new_query_str && (new_query_str << "\r")
+          end
+        elsif scanner.eos?
+          break
+        else
+          raise ArgumentError, "Unmatchable string scanner segment: #{scanner.rest.inspect}"
+        end
+      end
+      new_query_str || query_str
+    end
+
+    INVALID_NUMBER_FOLLOWED_BY_NAME_REGEXP = %r{
+      (
+        ((?<num>#{Lexer::INT_REGEXP}(#{Lexer::FLOAT_EXP_REGEXP})?)(?<name>#{Lexer::IDENTIFIER_REGEXP})#{Lexer::IGNORE_REGEXP}:)
+        |
+        ((?<num>#{Lexer::INT_REGEXP}#{Lexer::FLOAT_DECIMAL_REGEXP}#{Lexer::FLOAT_EXP_REGEXP})(?<name>#{Lexer::IDENTIFIER_REGEXP})#{Lexer::IGNORE_REGEXP}:)
+        |
+        ((?<num>#{Lexer::INT_REGEXP}#{Lexer::FLOAT_DECIMAL_REGEXP})(?<name>#{Lexer::IDENTIFIER_REGEXP})#{Lexer::IGNORE_REGEXP}:)
+      )}x
+
+    def self.add_space_between_numbers_and_names(query_str)
+      if query_str.match?(INVALID_NUMBER_FOLLOWED_BY_NAME_REGEXP)
+        query_str.gsub(INVALID_NUMBER_FOLLOWED_BY_NAME_REGEXP, "\\k<num> \\k<name>:")
+      else
+        query_str
+      end
     end
   end
 end

data/lib/graphql/query/context.rb

@@ -6,36 +6,6 @@ module GraphQL
     # Expose some query-specific info to field resolve functions.
     # It delegates `[]` to the hash that's passed to `GraphQL::Query#initialize`.
     class Context
-      module SharedMethods
-        # Return this value to tell the runtime
-        # to exclude this field from the response altogether
-        def skip
-          GraphQL::Execution::SKIP
-        end
-
-        # Add error at query-level.
-        # @param error [GraphQL::ExecutionError] an execution error
-        # @return [void]
-        def add_error(error)
-          if !error.is_a?(ExecutionError)
-            raise TypeError, "expected error to be a ExecutionError, but was #{error.class}"
-          end
-          errors << error
-          nil
-        end
-
-        # @example Print the GraphQL backtrace during field resolution
-        #   puts ctx.backtrace
-        #
-        # @return [GraphQL::Backtrace] The backtrace for this point in query execution
-        def backtrace
-          GraphQL::Backtrace.new(self)
-        end
-
-        def execution_errors
-          @execution_errors ||= ExecutionErrors.new(self)
-        end
-      end
 
       class ExecutionErrors
         def initialize(ctx)
@@ -59,7 +29,6 @@ module GraphQL
         alias :push :add
       end
 
-      include SharedMethods
       extend Forwardable
 
       # @return [Array<GraphQL::ExecutionError>] errors returned during execution
@@ -77,11 +46,10 @@ module GraphQL
       # Make a new context which delegates key lookup to `values`
       # @param query [GraphQL::Query] the query who owns this context
       # @param values [Hash] A hash of arbitrary values which will be accessible at query-time
-      def initialize(query:, schema: query.schema, values:, object:)
+      def initialize(query:, schema: query.schema, values:)
         @query = query
         @schema = schema
         @provided_values = values || {}
-        @object = object
         # Namespaced storage, where user-provided values are in `nil` namespace:
         @storage = Hash.new { |h, k| h[k] = {} }
         @storage[nil] = @provided_values
@@ -140,6 +108,35 @@ module GraphQL
         end
       end
 
+      # Return this value to tell the runtime
+      # to exclude this field from the response altogether
+      def skip
+        GraphQL::Execution::SKIP
+      end
+
+      # Add error at query-level.
+      # @param error [GraphQL::ExecutionError] an execution error
+      # @return [void]
+      def add_error(error)
+        if !error.is_a?(ExecutionError)
+          raise TypeError, "expected error to be a ExecutionError, but was #{error.class}"
+        end
+        errors << error
+        nil
+      end
+
+      # @example Print the GraphQL backtrace during field resolution
+      #   puts ctx.backtrace
+      #
+      # @return [GraphQL::Backtrace] The backtrace for this point in query execution
+      def backtrace
+        GraphQL::Backtrace.new(self)
+      end
+
+      def execution_errors
+        @execution_errors ||= ExecutionErrors.new(self)
+      end
+
       def current_path
         current_runtime_state = Thread.current[:__graphql_runtime_info]
         query_runtime_state = current_runtime_state && current_runtime_state[@query]

data/lib/graphql/query.rb

@@ -99,7 +99,7 @@ module GraphQL
       # Even if `variables: nil` is passed, use an empty hash for simpler logic
       variables ||= {}
       @schema = schema
-      @context = schema.context_class.new(query: self, object: root_value, values: context)
+      @context = schema.context_class.new(query: self, values: context)
       @warden = warden
       @subscription_topic = subscription_topic
       @root_value = root_value
@@ -395,7 +395,7 @@ module GraphQL
       parse_error = nil
       @document ||= begin
         if query_string
-          GraphQL.parse(query_string, trace: self.current_trace)
+          GraphQL.parse(query_string, trace: self.current_trace, max_tokens: @schema.max_query_string_tokens)
         end
       rescue GraphQL::ParseError => err
         parse_error = err

data/lib/graphql/schema/argument.rb

@@ -290,6 +290,7 @@ module GraphQL
             # TODO code smell to access such a deeply-nested constant in a distant module
             argument_values[arg_key] = GraphQL::Execution::Interpreter::ArgumentValue.new(
               value: resolved_loaded_value,
+              original_value: resolved_coerced_value,
               definition: self,
               default_used: default_used,
             )

data/lib/graphql/schema/build_from_definition.rb

@@ -7,10 +7,16 @@ module GraphQL
       class << self
         # @see {Schema.from_definition}
         def from_definition(schema_superclass, definition_string, parser: GraphQL.default_parser, **kwargs)
+          if defined?(parser::SchemaParser)
+            parser = parser::SchemaParser
+          end
           from_document(schema_superclass, parser.parse(definition_string), **kwargs)
         end
 
         def from_definition_path(schema_superclass, definition_path, parser: GraphQL.default_parser, **kwargs)
+          if defined?(parser::SchemaParser)
+            parser = parser::SchemaParser
+          end
           from_document(schema_superclass, parser.parse_file(definition_path), **kwargs)
         end
 
@@ -120,10 +126,12 @@ module GraphQL
 
           builder = self
 
+          found_types = types.values
           schema_class = Class.new(schema_superclass) do
             begin
               # Add these first so that there's some chance of resolving late-bound types
-              orphan_types types.values
+              add_type_and_traverse(found_types, root: false)
+              orphan_types(found_types.select { |t| t.respond_to?(:kind) && t.kind.object? })
               query query_root_type
               mutation mutation_root_type
               subscription subscription_root_type

data/lib/graphql/schema/input_object.rb

@@ -215,8 +215,7 @@ module GraphQL
             if resolved_arguments.is_a?(GraphQL::Error)
               raise resolved_arguments
             else
-              input_obj_instance = self.new(resolved_arguments, ruby_kwargs: resolved_arguments.keyword_arguments, context: ctx, defaults_used: nil)
-              input_obj_instance.prepare
+              self.new(resolved_arguments, ruby_kwargs: resolved_arguments.keyword_arguments, context: ctx, defaults_used: nil)
             end
           end
         end

data/lib/graphql/schema/loader.rb

@@ -32,7 +32,8 @@ module GraphQL
         end
 
         Class.new(GraphQL::Schema) do
-          orphan_types(types.values)
+          add_type_and_traverse(types.values, root: false)
+          orphan_types(types.values.select { |t| t.kind.object? })
           directives(directives)
           description(schema["description"])
 

data/lib/graphql/schema/mutation.rb

@@ -62,6 +62,13 @@ module GraphQL
       extend GraphQL::Schema::Member::HasFields
       extend GraphQL::Schema::Resolver::HasPayloadType
 
+      # @api private
+      def call_resolve(_args_hash)
+        # Clear any cached values from `loads` or authorization:
+        dataloader.clear_cache
+        super
+      end
+
       class << self
         def visible?(context)
           true

data/lib/graphql/schema/resolver.rb

@@ -103,11 +103,7 @@ module GraphQL
                   end
                 elsif authorized_val
                   # Finally, all the hooks have passed, so resolve it
-                  if loaded_args.any?
-                    public_send(self.class.resolve_method, **loaded_args)
-                  else
-                    public_send(self.class.resolve_method)
-                  end
+                  call_resolve(loaded_args)
                 else
                   raise GraphQL::UnauthorizedFieldError.new(context: context, object: object, type: field.owner, field: field)
                 end
@@ -117,6 +113,15 @@ module GraphQL
         end
       end
 
+      # @api private {GraphQL::Schema::Mutation} uses this to clear the dataloader cache
+      def call_resolve(args_hash)
+        if args_hash.any?
+          public_send(self.class.resolve_method, **args_hash)
+        else
+          public_send(self.class.resolve_method)
+        end
+      end
+
       # Do the work. Everything happens here.
       # @return [Object] An object corresponding to the return type
       def resolve(**args)

data/lib/graphql/schema.rb

@@ -643,6 +643,17 @@ module GraphQL
         end
       end
 
+      # A limit on the number of tokens to accept on incoming query strings.
+      # Use this to prevent parsing maliciously-large query strings.
+      # @return [nil, Integer]
+      def max_query_string_tokens(new_max_tokens = NOT_CONFIGURED)
+        if NOT_CONFIGURED.equal?(new_max_tokens)
+          defined?(@max_query_string_tokens) ? @max_query_string_tokens : find_inherited_value(:max_query_string_tokens)
+        else
+          @max_query_string_tokens = new_max_tokens
+        end
+      end
+
       def default_page_size(new_default_page_size = nil)
         if new_default_page_size
           @default_page_size = new_default_page_size
@@ -861,6 +872,17 @@ module GraphQL
       def orphan_types(*new_orphan_types)
         if new_orphan_types.any?
           new_orphan_types = new_orphan_types.flatten
+          non_object_types = new_orphan_types.reject { |ot| ot.is_a?(Class) && ot < GraphQL::Schema::Object }
+          if non_object_types.any?
+            raise ArgumentError, <<~ERR
+              Only object type classes should be added as `orphan_types(...)`.
+
+              - Remove these no-op types from `orphan_types`: #{non_object_types.map { |t| "#{t.inspect} (#{t.kind.name})"}.join(", ")}
+              - See https://graphql-ruby.org/type_definitions/interfaces.html#orphan-types
+
+              To add other types to your schema, you might want `extra_types`: https://graphql-ruby.org/schema/definition.html#extra-types
+            ERR
+          end
           add_type_and_traverse(new_orphan_types, root: false)
           own_orphan_types.concat(new_orphan_types.flatten)
         end
@@ -1129,7 +1151,11 @@ module GraphQL
         }.freeze
       end
 
-      def tracer(new_tracer)
+      def tracer(new_tracer, silence_deprecation_warning: false)
+        if !silence_deprecation_warning
+          warn("`Schema.tracer(#{new_tracer.inspect})` is deprecated; use module-based `trace_with` instead. See: https://graphql-ruby.org/queries/tracing.html")
+          warn "  #{caller(1, 1).first}"
+        end
         default_trace = trace_class_for(:default, build: true)
         if default_trace.nil? || !(default_trace < GraphQL::Tracing::CallLegacyTracers)
           trace_with(GraphQL::Tracing::CallLegacyTracers)

data/lib/graphql/testing/helpers.rb

@@ -39,9 +39,9 @@ module GraphQL
         end
       end
 
-      def run_graphql_field(schema, field_path, object, arguments: {}, context: {})
+      def run_graphql_field(schema, field_path, object, arguments: {}, context: {}, ast_node: nil, lookahead: nil)
         type_name, *field_names = field_path.split(".")
-        dummy_query = GraphQL::Query.new(schema, context: context)
+        dummy_query = GraphQL::Query.new(schema, "{ __typename }", context: context)
         query_context = dummy_query.context
         object_type = dummy_query.get_type(type_name) # rubocop:disable Development/ContextIsPassedCop
         if object_type
@@ -57,6 +57,28 @@ module GraphQL
               dummy_query.context.dataloader.run_isolated {
                 field_args = visible_field.coerce_arguments(graphql_result, arguments, query_context)
                 field_args = schema.sync_lazy(field_args)
+                if visible_field.extras.any?
+                  extra_args = {}
+                  visible_field.extras.each do |extra|
+                    extra_args[extra] = case extra
+                    when :ast_node
+                      ast_node ||= GraphQL::Language::Nodes::Field.new(name: visible_field.graphql_name)
+                    when :lookahead
+                      lookahead ||= begin
+                        ast_node ||= GraphQL::Language::Nodes::Field.new(name: visible_field.graphql_name)
+                        Execution::Lookahead.new(
+                          query: dummy_query,
+                          ast_nodes: [ast_node],
+                          field: visible_field,
+                        )
+                      end
+                    else
+                      raise ArgumentError, "This extra isn't supported in `run_graphql_field` yet: `#{extra.inspect}`. Open an issue on GitHub to request it: https://github.com/rmosolgo/graphql-ruby/issues/new"
+                    end
+                  end
+
+                  field_args = field_args.merge_extras(extra_args)
+                end
                 graphql_result = visible_field.resolve(graphql_result, field_args.keyword_arguments, query_context)
                 graphql_result = schema.sync_lazy(graphql_result)
               }

data/lib/graphql/tracing/platform_tracing.rb

@@ -86,7 +86,7 @@ module GraphQL
           else
             warn("`use(#{self.name})` and `Tracing::PlatformTracing` are deprecated. Use a `trace_with(...)` module instead. More info: https://graphql-ruby.org/queries/tracing.html. Please open an issue on the GraphQL-Ruby repo if you want to discuss further!")
             tracer = self.new(**options)
-            schema_defn.tracer(tracer)
+          schema_defn.tracer(tracer, silence_deprecation_warning: true)
           end
         end
       end

data/lib/graphql/tracing/prometheus_trace.rb

@@ -24,8 +24,8 @@ module GraphQL
         'execute_query_lazy' => "graphql.execute",
       }.each do |trace_method, platform_key|
         module_eval <<-RUBY, __FILE__, __LINE__
-          def #{trace_method}(**data, &block)
-            instrument_execution("#{platform_key}", "#{trace_method}", &block)
+          def #{trace_method}(**data)
+            instrument_execution("#{platform_key}", "#{trace_method}") { super }
           end
         RUBY
       end

data/lib/graphql/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module GraphQL
-  VERSION = "2.2.14"
+  VERSION = "2.3.1"
 end

data/lib/graphql.rb

@@ -42,8 +42,8 @@ This is probably a bug in GraphQL-Ruby, please report this error on GitHub: http
   # Turn a query string or schema definition into an AST
   # @param graphql_string [String] a GraphQL query string or schema definition
   # @return [GraphQL::Language::Nodes::Document]
-  def self.parse(graphql_string, trace: GraphQL::Tracing::NullTrace, filename: nil)
-    default_parser.parse(graphql_string, trace: trace, filename: filename)
+  def self.parse(graphql_string, trace: GraphQL::Tracing::NullTrace, filename: nil, max_tokens: nil)
+    default_parser.parse(graphql_string, trace: trace, filename: filename, max_tokens: max_tokens)
   end
 
   # Read the contents of `filename` and parse them as GraphQL
@@ -74,6 +74,13 @@ This is probably a bug in GraphQL-Ruby, please report this error on GitHub: http
     EMPTY_HASH = {}.freeze
     EMPTY_ARRAY = [].freeze
   end
+
+  class << self
+    # If true, the parser should raise when an integer or float is followed immediately by an identifier (instead of a space or punctuation)
+    attr_accessor :reject_numbers_followed_by_names
+  end
+
+  self.reject_numbers_followed_by_names = false
 end
 
 # Order matters for these:

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: graphql
 version: !ruby/object:Gem::Version
-  version: 2.2.14
+  version: 2.3.1
 platform: ruby
 authors:
 - Robert Mosolgo
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-18 00:00:00.000000000 Z
+date: 2024-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64