graphql 2.2.5 → 2.3.2

data/lib/graphql/language/lexer.rb

@@ -3,7 +3,7 @@ module GraphQL
   module Language
 
     class Lexer
-      def initialize(graphql_str, filename: nil)
+      def initialize(graphql_str, filename: nil, max_tokens: nil)
         if !(graphql_str.encoding == Encoding::UTF_8 || graphql_str.ascii_only?)
           graphql_str = graphql_str.dup.force_encoding(Encoding::UTF_8)
         end
@@ -11,6 +11,8 @@ module GraphQL
         @filename = filename
         @scanner = StringScanner.new(graphql_str)
         @pos = nil
+        @max_tokens = max_tokens || Float::INFINITY
+        @tokens_count = 0
       end
 
       def eos?
@@ -22,6 +24,10 @@ module GraphQL
       def advance
         @scanner.skip(IGNORE_REGEXP)
         return false if @scanner.eos?
+        @tokens_count += 1
+        if @tokens_count > @max_tokens
+          raise_parse_error("This query is too large to execute.")
+        end
         @pos = @scanner.pos
         next_byte = @string.getbyte(@pos)
         next_byte_is_for = FIRST_BYTES[next_byte]
@@ -52,6 +58,17 @@ module GraphQL
           :IDENTIFIER
         when ByteFor::NUMBER
           @scanner.skip(NUMERIC_REGEXP)
+
+          if GraphQL.reject_numbers_followed_by_names
+            new_pos = @scanner.pos
+            peek_byte = @string.getbyte(new_pos)
+            next_first_byte = FIRST_BYTES[peek_byte]
+            if next_first_byte == ByteFor::NAME || next_first_byte == ByteFor::IDENTIFIER
+              number_part = token_value
+              name_part = @scanner.scan(IDENTIFIER_REGEXP)
+              raise_parse_error("Name after number is not allowed (in `#{number_part}#{name_part}`)")
+            end
+          end
           # Check for a matched decimal:
           @scanner[1] ? :FLOAT : :INT
         when ByteFor::ELLIPSIS
@@ -89,6 +106,8 @@ module GraphQL
           "..."
         elsif token_name == :STRING
           string_value
+        elsif @scanner.matched_size.nil?
+          @scanner.peek(1)
         else
           token_value
         end
@@ -107,29 +126,27 @@ module GraphQL
       }
       UTF_8 = /\\u(?:([\dAa-f]{4})|\{([\da-f]{4,})\})(?:\\u([\dAa-f]{4}))?/i
       VALID_STRING = /\A(?:[^\\]|#{ESCAPES}|#{UTF_8})*\z/o
+      ESCAPED = /(?:#{ESCAPES}|#{UTF_8})/o
 
       def string_value
         str = token_value
         is_block = str.start_with?('"""')
         if is_block
           str.gsub!(/\A"""|"""\z/, '')
+          return Language::BlockString.trim_whitespace(str)
         else
           str.gsub!(/\A"|"\z/, '')
-        end
-
-        if is_block
-          str = Language::BlockString.trim_whitespace(str)
-        end
-
-        if !str.valid_encoding? || !str.match?(VALID_STRING)
-          raise_parse_error("Bad unicode escape in #{str.inspect}")
-        else
-          Lexer.replace_escaped_characters_in_place(str)
 
-          if !str.valid_encoding?
+          if !str.valid_encoding? || !str.match?(VALID_STRING)
             raise_parse_error("Bad unicode escape in #{str.inspect}")
           else
-            str
+            Lexer.replace_escaped_characters_in_place(str)
+
+            if !str.valid_encoding?
+              raise_parse_error("Bad unicode escape in #{str.inspect}")
+            else
+              str
+            end
           end
         end
       end
@@ -156,6 +173,7 @@ module GraphQL
       INT_REGEXP =        /-?(?:[0]|[1-9][0-9]*)/
       FLOAT_DECIMAL_REGEXP = /[.][0-9]+/
       FLOAT_EXP_REGEXP =     /[eE][+-]?[0-9]+/
+      # TODO: FLOAT_EXP_REGEXP should not be allowed to follow INT_REGEXP, integers are not allowed to have exponent parts.
       NUMERIC_REGEXP =  /#{INT_REGEXP}(#{FLOAT_DECIMAL_REGEXP}#{FLOAT_EXP_REGEXP}|#{FLOAT_DECIMAL_REGEXP}|#{FLOAT_EXP_REGEXP})?/
 
       KEYWORDS = [
@@ -250,11 +268,10 @@ module GraphQL
       FOUR_DIGIT_UNICODE = /#{UNICODE_DIGIT}{4}/
       N_DIGIT_UNICODE = %r{#{Punctuation::LCURLY}#{UNICODE_DIGIT}{4,}#{Punctuation::RCURLY}}x
       UNICODE_ESCAPE = %r{\\u(?:#{FOUR_DIGIT_UNICODE}|#{N_DIGIT_UNICODE})}
-      # # https://graphql.github.io/graphql-spec/June2018/#sec-String-Value
       STRING_ESCAPE = %r{[\\][\\/bfnrt]}
       BLOCK_QUOTE =   '"""'
       ESCAPED_QUOTE = /\\"/;
-      STRING_CHAR = /#{ESCAPED_QUOTE}|[^"\\]|#{UNICODE_ESCAPE}|#{STRING_ESCAPE}/
+      STRING_CHAR = /#{ESCAPED_QUOTE}|[^"\\\n\r]|#{UNICODE_ESCAPE}|#{STRING_ESCAPE}/
       QUOTED_STRING_REGEXP = %r{#{QUOTE} (?:#{STRING_CHAR})* #{QUOTE}}x
       BLOCK_STRING_REGEXP = %r{
         #{BLOCK_QUOTE}
@@ -299,24 +316,25 @@ module GraphQL
       # Replace any escaped unicode or whitespace with the _actual_ characters
       # To avoid allocating more strings, this modifies the string passed into it
       def self.replace_escaped_characters_in_place(raw_string)
-        raw_string.gsub!(ESCAPES, ESCAPES_REPLACE)
-        raw_string.gsub!(UTF_8) do |_matched_str|
-          codepoint_1 = ($1 || $2).to_i(16)
-          codepoint_2 = $3
-
-          if codepoint_2
-            codepoint_2 = codepoint_2.to_i(16)
-            if (codepoint_1 >= 0xD800 && codepoint_1 <= 0xDBFF) && # leading surrogate
-                (codepoint_2 >= 0xDC00 && codepoint_2 <= 0xDFFF) # trailing surrogate
-              # A surrogate pair
-              combined = ((codepoint_1 - 0xD800) * 0x400) + (codepoint_2 - 0xDC00) + 0x10000
-              [combined].pack('U'.freeze)
+        raw_string.gsub!(ESCAPED) do |matched_str|
+          if (point_str_1 = $1 || $2)
+            codepoint_1 = point_str_1.to_i(16)
+            if (codepoint_2 = $3)
+              codepoint_2 = codepoint_2.to_i(16)
+              if (codepoint_1 >= 0xD800 && codepoint_1 <= 0xDBFF) && # leading surrogate
+                  (codepoint_2 >= 0xDC00 && codepoint_2 <= 0xDFFF) # trailing surrogate
+                # A surrogate pair
+                combined = ((codepoint_1 - 0xD800) * 0x400) + (codepoint_2 - 0xDC00) + 0x10000
+                [combined].pack('U'.freeze)
+              else
+                # Two separate code points
+                [codepoint_1].pack('U'.freeze) + [codepoint_2].pack('U'.freeze)
+              end
             else
-              # Two separate code points
-              [codepoint_1].pack('U'.freeze) + [codepoint_2].pack('U'.freeze)
+              [codepoint_1].pack('U'.freeze)
             end
           else
-            [codepoint_1].pack('U'.freeze)
+            ESCAPES_REPLACE[matched_str]
           end
         end
         nil

data/lib/graphql/language/nodes.rb

@@ -362,6 +362,7 @@ module GraphQL
           arguments: Nodes::Argument,
           locations: Nodes::DirectiveLocation,
         )
+        self.children_method_name = :definitions
       end
 
       # An enum value. The string is available as {#name}.
@@ -512,7 +513,7 @@ module GraphQL
       # An operation-level query variable
       class VariableDefinition < AbstractNode
         scalar_methods :name, :type, :default_value
-        children_methods false
+        children_methods(directives: Directive)
         # @!attribute default_value
         #   @return [String, Integer, Float, Boolean, Array, NullValue] A Ruby value to use if no other value is provided
 

data/lib/graphql/language/parser.rb

@@ -12,8 +12,8 @@ module GraphQL
       class << self
         attr_accessor :cache
 
-        def parse(graphql_str, filename: nil, trace: Tracing::NullTrace)
-          self.new(graphql_str, filename: filename, trace: trace).parse
+        def parse(graphql_str, filename: nil, trace: Tracing::NullTrace, max_tokens: nil)
+          self.new(graphql_str, filename: filename, trace: trace, max_tokens: max_tokens).parse
         end
 
         def parse_file(filename, trace: Tracing::NullTrace)
@@ -27,14 +27,15 @@ module GraphQL
         end
       end
 
-      def initialize(graphql_str, filename: nil, trace: Tracing::NullTrace)
+      def initialize(graphql_str, filename: nil, trace: Tracing::NullTrace, max_tokens: nil)
         if graphql_str.nil?
           raise GraphQL::ParseError.new("No query string was present", nil, nil, nil)
         end
-        @lexer = Lexer.new(graphql_str, filename: filename)
+        @lexer = Lexer.new(graphql_str, filename: filename, max_tokens: max_tokens)
         @graphql_str = graphql_str
         @filename = filename
         @trace = trace
+        @dedup_identifiers = false
       end
 
       def parse
@@ -121,7 +122,17 @@ module GraphQL
                 value
               end
 
-              defs << Nodes::VariableDefinition.new(pos: loc, name: var_name, type: var_type, default_value: default_value, filename: @filename, source_string: @graphql_str)
+              directives = parse_directives
+
+              defs << Nodes::VariableDefinition.new(
+                pos: loc,
+                name: var_name,
+                type: var_type,
+                default_value: default_value,
+                directives: directives,
+                filename: @filename,
+                source_string: @graphql_str
+              )
             end
             expect_token(:RPAREN)
             defs
@@ -722,6 +733,9 @@ module GraphQL
       # Only use when we care about the expected token's value
       def expect_token_value(tok)
         token_value = @lexer.token_value
+        if @dedup_identifiers
+          token_value = -token_value
+        end
         expect_token(tok)
         token_value
       end
@@ -729,12 +743,12 @@ module GraphQL
       # token_value works for when the scanner matched something
       # which is usually fine and it's good for it to be fast at that.
       def debug_token_value
-        if token_name && Lexer::Punctuation.const_defined?(token_name)
-          Lexer::Punctuation.const_get(token_name)
-        elsif token_name == :ELLIPSIS
-          "..."
-        else
-          @lexer.token_value
+        @lexer.debug_token_value(token_name)
+      end
+      class SchemaParser < Parser
+        def initialize(*args, **kwargs)
+          super
+          @dedup_identifiers = true
         end
       end
     end

data/lib/graphql/language/printer.rb

@@ -208,6 +208,10 @@ module GraphQL
           print_string(" = ")
           print_node(variable_definition.default_value)
         end
+        variable_definition.directives.each do |dir|
+          print_string(" ")
+          print_directive(dir)
+        end
       end
 
       def print_variable_identifier(variable_identifier)

data/lib/graphql/language.rb

@@ -12,6 +12,7 @@ require "graphql/language/static_visitor"
 require "graphql/language/token"
 require "graphql/language/visitor"
 require "graphql/language/definition_slice"
+require "strscan"
 
 module GraphQL
   module Language
@@ -32,6 +33,65 @@ module GraphQL
       else
         JSON.generate(value, quirks_mode: true)
       end
+    rescue JSON::GeneratorError
+      if Float::INFINITY == value
+        "Infinity"
+      else
+        raise
+      end
+    end
+
+    # Returns a new string if any single-quoted newlines were escaped.
+    # Otherwise, returns `query_str` unchanged.
+    # @return [String]
+    def self.escape_single_quoted_newlines(query_str)
+      scanner = StringScanner.new(query_str)
+      inside_single_quoted_string = false
+      new_query_str = nil
+      while !scanner.eos?
+        if (match = scanner.scan(/(?:\\"|[^"\n\r]|""")+/m)) && new_query_str
+          new_query_str << match
+        elsif scanner.scan('"')
+          new_query_str && (new_query_str << '"')
+          inside_single_quoted_string = !inside_single_quoted_string
+        elsif scanner.scan("\n")
+          if inside_single_quoted_string
+            new_query_str ||= query_str[0, scanner.pos - 1]
+            new_query_str << '\\n'
+          else
+            new_query_str && (new_query_str << "\n")
+          end
+        elsif scanner.scan("\r")
+          if inside_single_quoted_string
+            new_query_str ||= query_str[0, scanner.pos - 1]
+            new_query_str << '\\r'
+          else
+            new_query_str && (new_query_str << "\r")
+          end
+        elsif scanner.eos?
+          break
+        else
+          raise ArgumentError, "Unmatchable string scanner segment: #{scanner.rest.inspect}"
+        end
+      end
+      new_query_str || query_str
+    end
+
+    INVALID_NUMBER_FOLLOWED_BY_NAME_REGEXP = %r{
+      (
+        ((?<num>#{Lexer::INT_REGEXP}(#{Lexer::FLOAT_EXP_REGEXP})?)(?<name>#{Lexer::IDENTIFIER_REGEXP})#{Lexer::IGNORE_REGEXP}:)
+        |
+        ((?<num>#{Lexer::INT_REGEXP}#{Lexer::FLOAT_DECIMAL_REGEXP}#{Lexer::FLOAT_EXP_REGEXP})(?<name>#{Lexer::IDENTIFIER_REGEXP})#{Lexer::IGNORE_REGEXP}:)
+        |
+        ((?<num>#{Lexer::INT_REGEXP}#{Lexer::FLOAT_DECIMAL_REGEXP})(?<name>#{Lexer::IDENTIFIER_REGEXP})#{Lexer::IGNORE_REGEXP}:)
+      )}x
+
+    def self.add_space_between_numbers_and_names(query_str)
+      if query_str.match?(INVALID_NUMBER_FOLLOWED_BY_NAME_REGEXP)
+        query_str.gsub(INVALID_NUMBER_FOLLOWED_BY_NAME_REGEXP, "\\k<num> \\k<name>:")
+      else
+        query_str
+      end
     end
   end
 end

data/lib/graphql/pagination/array_connection.rb

@@ -35,10 +35,10 @@ module GraphQL
       def load_nodes
         @nodes ||= begin
           sliced_nodes = if before && after
-            end_idx = index_from_cursor(before)-1
+            end_idx = index_from_cursor(before) - 2
             end_idx < 0 ? [] : items[index_from_cursor(after)..end_idx] || []
           elsif before
-            end_idx = index_from_cursor(before)-2
+            end_idx = index_from_cursor(before) - 2
             end_idx < 0 ? [] : items[0..end_idx] || []
           elsif after
             items[index_from_cursor(after)..-1] || []
@@ -56,12 +56,12 @@ module GraphQL
             false
           end
 
-          @has_next_page = if first
-            # There are more items after these items
-            sliced_nodes.count > first
-          elsif before
+          @has_next_page = if before
             # The original array is longer than the `before` index
             index_from_cursor(before) < items.length + 1
+          elsif first
+            # There are more items after these items
+            sliced_nodes.count > first
           else
             false
           end

data/lib/graphql/query/context.rb

@@ -6,36 +6,6 @@ module GraphQL
     # Expose some query-specific info to field resolve functions.
     # It delegates `[]` to the hash that's passed to `GraphQL::Query#initialize`.
     class Context
-      module SharedMethods
-        # Return this value to tell the runtime
-        # to exclude this field from the response altogether
-        def skip
-          GraphQL::Execution::SKIP
-        end
-
-        # Add error at query-level.
-        # @param error [GraphQL::ExecutionError] an execution error
-        # @return [void]
-        def add_error(error)
-          if !error.is_a?(ExecutionError)
-            raise TypeError, "expected error to be a ExecutionError, but was #{error.class}"
-          end
-          errors << error
-          nil
-        end
-
-        # @example Print the GraphQL backtrace during field resolution
-        #   puts ctx.backtrace
-        #
-        # @return [GraphQL::Backtrace] The backtrace for this point in query execution
-        def backtrace
-          GraphQL::Backtrace.new(self)
-        end
-
-        def execution_errors
-          @execution_errors ||= ExecutionErrors.new(self)
-        end
-      end
 
       class ExecutionErrors
         def initialize(ctx)
@@ -59,7 +29,6 @@ module GraphQL
         alias :push :add
       end
 
-      include SharedMethods
       extend Forwardable
 
       # @return [Array<GraphQL::ExecutionError>] errors returned during execution
@@ -77,11 +46,10 @@ module GraphQL
       # Make a new context which delegates key lookup to `values`
       # @param query [GraphQL::Query] the query who owns this context
       # @param values [Hash] A hash of arbitrary values which will be accessible at query-time
-      def initialize(query:, schema: query.schema, values:, object:)
+      def initialize(query:, schema: query.schema, values:)
         @query = query
         @schema = schema
         @provided_values = values || {}
-        @object = object
         # Namespaced storage, where user-provided values are in `nil` namespace:
         @storage = Hash.new { |h, k| h[k] = {} }
         @storage[nil] = @provided_values
@@ -140,6 +108,35 @@ module GraphQL
         end
       end
 
+      # Return this value to tell the runtime
+      # to exclude this field from the response altogether
+      def skip
+        GraphQL::Execution::SKIP
+      end
+
+      # Add error at query-level.
+      # @param error [GraphQL::ExecutionError] an execution error
+      # @return [void]
+      def add_error(error)
+        if !error.is_a?(ExecutionError)
+          raise TypeError, "expected error to be a ExecutionError, but was #{error.class}"
+        end
+        errors << error
+        nil
+      end
+
+      # @example Print the GraphQL backtrace during field resolution
+      #   puts ctx.backtrace
+      #
+      # @return [GraphQL::Backtrace] The backtrace for this point in query execution
+      def backtrace
+        GraphQL::Backtrace.new(self)
+      end
+
+      def execution_errors
+        @execution_errors ||= ExecutionErrors.new(self)
+      end
+
       def current_path
         current_runtime_state = Thread.current[:__graphql_runtime_info]
         query_runtime_state = current_runtime_state && current_runtime_state[@query]

data/lib/graphql/query/validation_pipeline.rb

@@ -14,7 +14,7 @@ module GraphQL
     #
     # @api private
     class ValidationPipeline
-      attr_reader :max_depth, :max_complexity
+      attr_reader :max_depth, :max_complexity, :validate_timeout_remaining
 
       def initialize(query:, parse_error:, operation_name_error:, max_depth:, max_complexity:)
         @validation_errors = []
@@ -71,7 +71,7 @@ module GraphQL
           validator = @query.static_validator || @schema.static_validator
           validation_result = validator.validate(@query, validate: @query.validate, timeout: @schema.validate_timeout, max_errors: @schema.validate_max_errors)
           @validation_errors.concat(validation_result[:errors])
-
+          @validate_timeout_remaining = validation_result[:remaining_timeout]
           if @validation_errors.empty?
             @validation_errors.concat(@query.variables.errors)
           end

data/lib/graphql/query/variables.rb

@@ -26,7 +26,7 @@ module GraphQL
           # - Then, fall back to the default value from the query string
           # If it's still nil, raise an error if it's required.
           variable_type = schema.type_from_ast(ast_variable.type, context: ctx)
-          if variable_type.nil?
+          if variable_type.nil? || !variable_type.unwrap.kind.input?
             # Pass -- it will get handled by a validator
           else
             variable_name = ast_variable.name
@@ -80,12 +80,12 @@ module GraphQL
         else
           val
         end
-      end    
+      end
 
       def add_max_errors_reached_message
         message = "Too many errors processing variables, max validation error limit reached. Execution aborted"
         validation_result = GraphQL::Query::InputValidationResult.from_problem(message)
-        errors << GraphQL::Query::VariableValidationError.new(nil, nil, nil, validation_result, msg: message) 
+        errors << GraphQL::Query::VariableValidationError.new(nil, nil, nil, validation_result, msg: message)
       end
     end
   end

data/lib/graphql/query.rb

@@ -99,7 +99,7 @@ module GraphQL
       # Even if `variables: nil` is passed, use an empty hash for simpler logic
       variables ||= {}
       @schema = schema
-      @context = schema.context_class.new(query: self, object: root_value, values: context)
+      @context = schema.context_class.new(query: self, values: context)
       @warden = warden
       @subscription_topic = subscription_topic
       @root_value = root_value
@@ -317,7 +317,7 @@ module GraphQL
     end
 
     def_delegators :validation_pipeline, :validation_errors,
-                   :analyzers, :ast_analyzers, :max_depth, :max_complexity
+                   :analyzers, :ast_analyzers, :max_depth, :max_complexity, :validate_timeout_remaining
 
     attr_accessor :analysis_errors
     def valid?
@@ -395,7 +395,7 @@ module GraphQL
       parse_error = nil
       @document ||= begin
         if query_string
-          GraphQL.parse(query_string, trace: self.current_trace)
+          GraphQL.parse(query_string, trace: self.current_trace, max_tokens: @schema.max_query_string_tokens)
         end
       rescue GraphQL::ParseError => err
         parse_error = err

data/lib/graphql/schema/argument.rb

@@ -206,8 +206,8 @@ module GraphQL
       # Used by the runtime.
       # @api private
       def prepare_value(obj, value, context: nil)
-        if value.is_a?(GraphQL::Schema::InputObject)
-          value = value.prepare
+        if type.unwrap.kind.input_object?
+          value = recursively_prepare_input_object(value, type)
         end
 
         Schema::Validator.validate!(validators, obj, context, value)
@@ -290,6 +290,7 @@ module GraphQL
             # TODO code smell to access such a deeply-nested constant in a distant module
             argument_values[arg_key] = GraphQL::Execution::Interpreter::ArgumentValue.new(
               value: resolved_loaded_value,
+              original_value: resolved_coerced_value,
               definition: self,
               default_used: default_used,
             )
@@ -372,6 +373,21 @@ module GraphQL
 
       private
 
+      def recursively_prepare_input_object(value, type)
+        if type.non_null?
+          type = type.of_type
+        end
+
+        if type.list? && !value.nil?
+          inner_type = type.of_type
+          value.map { |v| recursively_prepare_input_object(v, inner_type) }
+        elsif value.is_a?(GraphQL::Schema::InputObject)
+          value.prepare
+        else
+          value
+        end
+      end
+
       def validate_input_type(input_type)
         if input_type.is_a?(String) || input_type.is_a?(GraphQL::Schema::LateBoundType)
           # Do nothing; assume this will be validated later

data/lib/graphql/schema/base_64_encoder.rb

@@ -1,18 +1,16 @@
 # frozen_string_literal: true
-
-require 'graphql/schema/base_64_bp'
-
+require "base64"
 module GraphQL
   class Schema
     # @api private
     module Base64Encoder
       def self.encode(unencoded_text, nonce: false)
-        Base64Bp.urlsafe_encode64(unencoded_text, padding: false)
+        Base64.urlsafe_encode64(unencoded_text, padding: false)
       end
 
       def self.decode(encoded_text, nonce: false)
         # urlsafe_decode64 is for forward compatibility
-        Base64Bp.urlsafe_decode64(encoded_text)
+        Base64.urlsafe_decode64(encoded_text)
       rescue ArgumentError
         raise GraphQL::ExecutionError, "Invalid input: #{encoded_text.inspect}"
       end

data/lib/graphql/schema/build_from_definition.rb

@@ -7,10 +7,16 @@ module GraphQL
       class << self
         # @see {Schema.from_definition}
         def from_definition(schema_superclass, definition_string, parser: GraphQL.default_parser, **kwargs)
+          if defined?(parser::SchemaParser)
+            parser = parser::SchemaParser
+          end
           from_document(schema_superclass, parser.parse(definition_string), **kwargs)
         end
 
         def from_definition_path(schema_superclass, definition_path, parser: GraphQL.default_parser, **kwargs)
+          if defined?(parser::SchemaParser)
+            parser = parser::SchemaParser
+          end
           from_document(schema_superclass, parser.parse_file(definition_path), **kwargs)
         end
 
@@ -120,10 +126,12 @@ module GraphQL
 
           builder = self
 
+          found_types = types.values
           schema_class = Class.new(schema_superclass) do
             begin
               # Add these first so that there's some chance of resolving late-bound types
-              orphan_types types.values
+              add_type_and_traverse(found_types, root: false)
+              orphan_types(found_types.select { |t| t.respond_to?(:kind) && t.kind.object? })
               query query_root_type
               mutation mutation_root_type
               subscription subscription_root_type