graphql 2.3.0 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 881a55a1017c82563e75cf9898d44be453c1329c849f60b9538fdbd0f0d4b630
-  data.tar.gz: e99efcbffe7cab713e9d5fa7156c1f3bb56752b10ae35f9c5b23e705a27f90da
+  metadata.gz: 566d6d5c49b331b3f38e2f4d338c635bae02a86b14a004ff55f1eccccb973181
+  data.tar.gz: 0a8a048f8644e933252ca30459386e2049ac8c3093731709d344bf898f884731
 SHA512:
-  metadata.gz: c82107ac040dd40a8bfcf09f0abf23d5a4a40ef8ed68b3e6ff0918e3b4ff02c6ae7f9637fed578bbd78032bde8d61622b65ab8efeb3bd4e2538fc809e626a92a
-  data.tar.gz: e0eddc7d0562f9637ecb1707d690b7d4579373c6d8f030e09565a150a60c4272ebb4e5f06cefc5165f6babfde01e5fb8930b4f678d6c1e146df56999634cbc1f
+  metadata.gz: 12136553e963ed98012887215d1f21efd31c2a3bacd40ada6836ca3884680cb4ac6a8c7a1fabaa7fc8699c0ba6db9f20418ae068a74694daef8db1d13e506933
+  data.tar.gz: 1faab9e89cf122660fb277df551ba026685cefeaa2fba9d83b590a5a18d4c4dc1202712ecf404c2998eb12c27a1219bd548944ef5f65daaad79371163ca66b43

data/lib/generators/graphql/templates/schema.erb

@@ -26,6 +26,9 @@ class <%= schema_name %> < GraphQL::Schema
     raise(GraphQL::RequiredImplementationMissingError)
   end
 
+  # Limit the size of incoming queries:
+  max_query_string_tokens(5000)
+
   # Stop validating when it encounters this many errors:
   validate_max_errors(100)
 end

data/lib/graphql/analysis/ast/field_usage.rb

@@ -41,7 +41,9 @@ module GraphQL
               @used_deprecated_arguments << argument.definition.path
             end
 
-            next if argument.value.nil?
+            arg_val = argument.value
+
+            next if arg_val.nil?
 
             argument_type = argument.definition.type
             if argument_type.non_null?
@@ -49,18 +51,18 @@ module GraphQL
             end
 
             if argument_type.kind.input_object?
-              extract_deprecated_arguments(argument.value.arguments.argument_values) # rubocop:disable Development/ContextIsPassedCop -- runtime args instance
+              extract_deprecated_arguments(argument.original_value.arguments.argument_values) # rubocop:disable Development/ContextIsPassedCop -- runtime args instance
             elsif argument_type.kind.enum?
-              extract_deprecated_enum_value(argument_type, argument.value)
+              extract_deprecated_enum_value(argument_type, arg_val)
             elsif argument_type.list?
               inner_type = argument_type.unwrap
               case inner_type.kind
               when TypeKinds::INPUT_OBJECT
-                argument.value.each do |value|
+                argument.original_value.each do |value|
                   extract_deprecated_arguments(value.arguments.argument_values) # rubocop:disable Development/ContextIsPassedCop -- runtime args instance
                 end
               when TypeKinds::ENUM
-                argument.value.each do |value|
+                arg_val.each do |value|
                   extract_deprecated_enum_value(inner_type, value)
                 end
               else

data/lib/graphql/execution/interpreter/argument_value.rb

@@ -6,15 +6,19 @@ module GraphQL
       # A container for metadata regarding arguments present in a GraphQL query.
       # @see Interpreter::Arguments#argument_values for a hash of these objects.
       class ArgumentValue
-        def initialize(definition:, value:, default_used:)
+        def initialize(definition:, value:, original_value:, default_used:)
           @definition = definition
           @value = value
+          @original_value = original_value
           @default_used = default_used
         end
 
         # @return [Object] The Ruby-ready value for this Argument
         attr_reader :value
 
+        # @return [Object] The value of this argument _before_ `prepare` is applied.
+        attr_reader :original_value
+
         # @return [GraphQL::Schema::Argument] The definition instance for this argument
         attr_reader :definition
 

data/lib/graphql/language/lexer.rb

@@ -3,7 +3,7 @@ module GraphQL
   module Language
 
     class Lexer
-      def initialize(graphql_str, filename: nil)
+      def initialize(graphql_str, filename: nil, max_tokens: nil)
         if !(graphql_str.encoding == Encoding::UTF_8 || graphql_str.ascii_only?)
           graphql_str = graphql_str.dup.force_encoding(Encoding::UTF_8)
         end
@@ -11,6 +11,8 @@ module GraphQL
         @filename = filename
         @scanner = StringScanner.new(graphql_str)
         @pos = nil
+        @max_tokens = max_tokens || Float::INFINITY
+        @tokens_count = 0
       end
 
       def eos?
@@ -22,6 +24,10 @@ module GraphQL
       def advance
         @scanner.skip(IGNORE_REGEXP)
         return false if @scanner.eos?
+        @tokens_count += 1
+        if @tokens_count > @max_tokens
+          raise_parse_error("This query is too large to execute.")
+        end
         @pos = @scanner.pos
         next_byte = @string.getbyte(@pos)
         next_byte_is_for = FIRST_BYTES[next_byte]
@@ -52,6 +58,17 @@ module GraphQL
           :IDENTIFIER
         when ByteFor::NUMBER
           @scanner.skip(NUMERIC_REGEXP)
+
+          if GraphQL.reject_numbers_followed_by_names
+            new_pos = @scanner.pos
+            peek_byte = @string.getbyte(new_pos)
+            next_first_byte = FIRST_BYTES[peek_byte]
+            if next_first_byte == ByteFor::NAME || next_first_byte == ByteFor::IDENTIFIER
+              number_part = token_value
+              name_part = @scanner.scan(IDENTIFIER_REGEXP)
+              raise_parse_error("Name after number is not allowed (in `#{number_part}#{name_part}`)")
+            end
+          end
           # Check for a matched decimal:
           @scanner[1] ? :FLOAT : :INT
         when ByteFor::ELLIPSIS
@@ -156,6 +173,7 @@ module GraphQL
       INT_REGEXP =        /-?(?:[0]|[1-9][0-9]*)/
       FLOAT_DECIMAL_REGEXP = /[.][0-9]+/
       FLOAT_EXP_REGEXP =     /[eE][+-]?[0-9]+/
+      # TODO: FLOAT_EXP_REGEXP should not be allowed to follow INT_REGEXP, integers are not allowed to have exponent parts.
       NUMERIC_REGEXP =  /#{INT_REGEXP}(#{FLOAT_DECIMAL_REGEXP}#{FLOAT_EXP_REGEXP}|#{FLOAT_DECIMAL_REGEXP}|#{FLOAT_EXP_REGEXP})?/
 
       KEYWORDS = [
@@ -250,7 +268,6 @@ module GraphQL
       FOUR_DIGIT_UNICODE = /#{UNICODE_DIGIT}{4}/
       N_DIGIT_UNICODE = %r{#{Punctuation::LCURLY}#{UNICODE_DIGIT}{4,}#{Punctuation::RCURLY}}x
       UNICODE_ESCAPE = %r{\\u(?:#{FOUR_DIGIT_UNICODE}|#{N_DIGIT_UNICODE})}
-      # # https://graphql.github.io/graphql-spec/June2018/#sec-String-Value
       STRING_ESCAPE = %r{[\\][\\/bfnrt]}
       BLOCK_QUOTE =   '"""'
       ESCAPED_QUOTE = /\\"/;

data/lib/graphql/language/parser.rb

@@ -12,8 +12,8 @@ module GraphQL
       class << self
         attr_accessor :cache
 
-        def parse(graphql_str, filename: nil, trace: Tracing::NullTrace)
-          self.new(graphql_str, filename: filename, trace: trace).parse
+        def parse(graphql_str, filename: nil, trace: Tracing::NullTrace, max_tokens: nil)
+          self.new(graphql_str, filename: filename, trace: trace, max_tokens: max_tokens).parse
         end
 
         def parse_file(filename, trace: Tracing::NullTrace)
@@ -27,14 +27,15 @@ module GraphQL
         end
       end
 
-      def initialize(graphql_str, filename: nil, trace: Tracing::NullTrace)
+      def initialize(graphql_str, filename: nil, trace: Tracing::NullTrace, max_tokens: nil)
         if graphql_str.nil?
           raise GraphQL::ParseError.new("No query string was present", nil, nil, nil)
         end
-        @lexer = Lexer.new(graphql_str, filename: filename)
+        @lexer = Lexer.new(graphql_str, filename: filename, max_tokens: max_tokens)
         @graphql_str = graphql_str
         @filename = filename
         @trace = trace
+        @dedup_identifiers = false
       end
 
       def parse
@@ -732,6 +733,9 @@ module GraphQL
       # Only use when we care about the expected token's value
       def expect_token_value(tok)
         token_value = @lexer.token_value
+        if @dedup_identifiers
+          token_value = -token_value
+        end
         expect_token(tok)
         token_value
       end
@@ -741,6 +745,12 @@ module GraphQL
       def debug_token_value
         @lexer.debug_token_value(token_name)
       end
+      class SchemaParser < Parser
+        def initialize(*args, **kwargs)
+          super
+          @dedup_identifiers = true
+        end
+      end
     end
   end
 end

data/lib/graphql/language.rb

@@ -33,6 +33,12 @@ module GraphQL
       else
         JSON.generate(value, quirks_mode: true)
       end
+    rescue JSON::GeneratorError
+      if Float::INFINITY == value
+        "Infinity"
+      else
+        raise
+      end
     end
 
     # Returns a new string if any single-quoted newlines were escaped.
@@ -70,5 +76,22 @@ module GraphQL
       end
       new_query_str || query_str
     end
+
+    INVALID_NUMBER_FOLLOWED_BY_NAME_REGEXP = %r{
+      (
+        ((?<num>#{Lexer::INT_REGEXP}(#{Lexer::FLOAT_EXP_REGEXP})?)(?<name>#{Lexer::IDENTIFIER_REGEXP})#{Lexer::IGNORE_REGEXP}:)
+        |
+        ((?<num>#{Lexer::INT_REGEXP}#{Lexer::FLOAT_DECIMAL_REGEXP}#{Lexer::FLOAT_EXP_REGEXP})(?<name>#{Lexer::IDENTIFIER_REGEXP})#{Lexer::IGNORE_REGEXP}:)
+        |
+        ((?<num>#{Lexer::INT_REGEXP}#{Lexer::FLOAT_DECIMAL_REGEXP})(?<name>#{Lexer::IDENTIFIER_REGEXP})#{Lexer::IGNORE_REGEXP}:)
+      )}x
+
+    def self.add_space_between_numbers_and_names(query_str)
+      if query_str.match?(INVALID_NUMBER_FOLLOWED_BY_NAME_REGEXP)
+        query_str.gsub(INVALID_NUMBER_FOLLOWED_BY_NAME_REGEXP, "\\k<num> \\k<name>:")
+      else
+        query_str
+      end
+    end
   end
 end

data/lib/graphql/query.rb

@@ -395,7 +395,7 @@ module GraphQL
       parse_error = nil
       @document ||= begin
         if query_string
-          GraphQL.parse(query_string, trace: self.current_trace)
+          GraphQL.parse(query_string, trace: self.current_trace, max_tokens: @schema.max_query_string_tokens)
         end
       rescue GraphQL::ParseError => err
         parse_error = err

data/lib/graphql/schema/argument.rb

@@ -290,6 +290,7 @@ module GraphQL
             # TODO code smell to access such a deeply-nested constant in a distant module
             argument_values[arg_key] = GraphQL::Execution::Interpreter::ArgumentValue.new(
               value: resolved_loaded_value,
+              original_value: resolved_coerced_value,
               definition: self,
               default_used: default_used,
             )

data/lib/graphql/schema/build_from_definition.rb

@@ -7,10 +7,16 @@ module GraphQL
       class << self
         # @see {Schema.from_definition}
         def from_definition(schema_superclass, definition_string, parser: GraphQL.default_parser, **kwargs)
+          if defined?(parser::SchemaParser)
+            parser = parser::SchemaParser
+          end
           from_document(schema_superclass, parser.parse(definition_string), **kwargs)
         end
 
         def from_definition_path(schema_superclass, definition_path, parser: GraphQL.default_parser, **kwargs)
+          if defined?(parser::SchemaParser)
+            parser = parser::SchemaParser
+          end
           from_document(schema_superclass, parser.parse_file(definition_path), **kwargs)
         end
 

data/lib/graphql/schema/input_object.rb

@@ -215,8 +215,7 @@ module GraphQL
             if resolved_arguments.is_a?(GraphQL::Error)
               raise resolved_arguments
             else
-              input_obj_instance = self.new(resolved_arguments, ruby_kwargs: resolved_arguments.keyword_arguments, context: ctx, defaults_used: nil)
-              input_obj_instance.prepare
+              self.new(resolved_arguments, ruby_kwargs: resolved_arguments.keyword_arguments, context: ctx, defaults_used: nil)
             end
           end
         end

data/lib/graphql/schema/mutation.rb

@@ -62,6 +62,13 @@ module GraphQL
       extend GraphQL::Schema::Member::HasFields
       extend GraphQL::Schema::Resolver::HasPayloadType
 
+      # @api private
+      def call_resolve(_args_hash)
+        # Clear any cached values from `loads` or authorization:
+        dataloader.clear_cache
+        super
+      end
+
       class << self
         def visible?(context)
           true

data/lib/graphql/schema/resolver.rb

@@ -103,11 +103,7 @@ module GraphQL
                   end
                 elsif authorized_val
                   # Finally, all the hooks have passed, so resolve it
-                  if loaded_args.any?
-                    public_send(self.class.resolve_method, **loaded_args)
-                  else
-                    public_send(self.class.resolve_method)
-                  end
+                  call_resolve(loaded_args)
                 else
                   raise GraphQL::UnauthorizedFieldError.new(context: context, object: object, type: field.owner, field: field)
                 end
@@ -117,6 +113,15 @@ module GraphQL
         end
       end
 
+      # @api private {GraphQL::Schema::Mutation} uses this to clear the dataloader cache
+      def call_resolve(args_hash)
+        if args_hash.any?
+          public_send(self.class.resolve_method, **args_hash)
+        else
+          public_send(self.class.resolve_method)
+        end
+      end
+
       # Do the work. Everything happens here.
       # @return [Object] An object corresponding to the return type
       def resolve(**args)

data/lib/graphql/schema.rb

@@ -643,6 +643,17 @@ module GraphQL
         end
       end
 
+      # A limit on the number of tokens to accept on incoming query strings.
+      # Use this to prevent parsing maliciously-large query strings.
+      # @return [nil, Integer]
+      def max_query_string_tokens(new_max_tokens = NOT_CONFIGURED)
+        if NOT_CONFIGURED.equal?(new_max_tokens)
+          defined?(@max_query_string_tokens) ? @max_query_string_tokens : find_inherited_value(:max_query_string_tokens)
+        else
+          @max_query_string_tokens = new_max_tokens
+        end
+      end
+
       def default_page_size(new_default_page_size = nil)
         if new_default_page_size
           @default_page_size = new_default_page_size

data/lib/graphql/testing/helpers.rb

@@ -39,9 +39,9 @@ module GraphQL
         end
       end
 
-      def run_graphql_field(schema, field_path, object, arguments: {}, context: {})
+      def run_graphql_field(schema, field_path, object, arguments: {}, context: {}, ast_node: nil, lookahead: nil)
         type_name, *field_names = field_path.split(".")
-        dummy_query = GraphQL::Query.new(schema, context: context)
+        dummy_query = GraphQL::Query.new(schema, "{ __typename }", context: context)
         query_context = dummy_query.context
         object_type = dummy_query.get_type(type_name) # rubocop:disable Development/ContextIsPassedCop
         if object_type
@@ -57,6 +57,28 @@ module GraphQL
               dummy_query.context.dataloader.run_isolated {
                 field_args = visible_field.coerce_arguments(graphql_result, arguments, query_context)
                 field_args = schema.sync_lazy(field_args)
+                if visible_field.extras.any?
+                  extra_args = {}
+                  visible_field.extras.each do |extra|
+                    extra_args[extra] = case extra
+                    when :ast_node
+                      ast_node ||= GraphQL::Language::Nodes::Field.new(name: visible_field.graphql_name)
+                    when :lookahead
+                      lookahead ||= begin
+                        ast_node ||= GraphQL::Language::Nodes::Field.new(name: visible_field.graphql_name)
+                        Execution::Lookahead.new(
+                          query: dummy_query,
+                          ast_nodes: [ast_node],
+                          field: visible_field,
+                        )
+                      end
+                    else
+                      raise ArgumentError, "This extra isn't supported in `run_graphql_field` yet: `#{extra.inspect}`. Open an issue on GitHub to request it: https://github.com/rmosolgo/graphql-ruby/issues/new"
+                    end
+                  end
+
+                  field_args = field_args.merge_extras(extra_args)
+                end
                 graphql_result = visible_field.resolve(graphql_result, field_args.keyword_arguments, query_context)
                 graphql_result = schema.sync_lazy(graphql_result)
               }

data/lib/graphql/tracing/prometheus_trace.rb

@@ -24,8 +24,8 @@ module GraphQL
         'execute_query_lazy' => "graphql.execute",
       }.each do |trace_method, platform_key|
         module_eval <<-RUBY, __FILE__, __LINE__
-          def #{trace_method}(**data, &block)
-            instrument_execution("#{platform_key}", "#{trace_method}", &block)
+          def #{trace_method}(**data)
+            instrument_execution("#{platform_key}", "#{trace_method}") { super }
           end
         RUBY
       end

data/lib/graphql/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module GraphQL
-  VERSION = "2.3.0"
+  VERSION = "2.3.1"
 end

data/lib/graphql.rb

@@ -42,8 +42,8 @@ This is probably a bug in GraphQL-Ruby, please report this error on GitHub: http
   # Turn a query string or schema definition into an AST
   # @param graphql_string [String] a GraphQL query string or schema definition
   # @return [GraphQL::Language::Nodes::Document]
-  def self.parse(graphql_string, trace: GraphQL::Tracing::NullTrace, filename: nil)
-    default_parser.parse(graphql_string, trace: trace, filename: filename)
+  def self.parse(graphql_string, trace: GraphQL::Tracing::NullTrace, filename: nil, max_tokens: nil)
+    default_parser.parse(graphql_string, trace: trace, filename: filename, max_tokens: max_tokens)
   end
 
   # Read the contents of `filename` and parse them as GraphQL
@@ -74,6 +74,13 @@ This is probably a bug in GraphQL-Ruby, please report this error on GitHub: http
     EMPTY_HASH = {}.freeze
     EMPTY_ARRAY = [].freeze
   end
+
+  class << self
+    # If true, the parser should raise when an integer or float is followed immediately by an identifier (instead of a space or punctuation)
+    attr_accessor :reject_numbers_followed_by_names
+  end
+
+  self.reject_numbers_followed_by_names = false
 end
 
 # Order matters for these:

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: graphql
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.3.1
 platform: ruby
 authors:
 - Robert Mosolgo
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-20 00:00:00.000000000 Z
+date: 2024-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64