Merge commit from fork

[2.1] fix CVE 2025 27407

Author: rmosolgo

.rubocop.yml

@@ -1,5 +1,6 @@
 require:
   - ./cop/development/none_without_block_cop
+  - ./cop/development/no_eval_cop
   - ./cop/development/no_focus_cop
   - ./lib/graphql/rubocop/graphql/default_null_true
   - ./lib/graphql/rubocop/graphql/default_required_true
@@ -51,6 +52,10 @@ Development/NoneWithoutBlockCop:
     - "lib/**/*"
     - "spec/**/*"
 
+Development/NoEvalCop:
+  Include:
+    - "lib/**/*"
+
 Development/NoFocusCop:
   Include:
     - "spec/**/*"

benchmark/run.rb

@@ -110,12 +110,16 @@ def self.build_large_schema
         end
 
         obj_ts = 100.times.map do |n|
+          input_obj_t = Class.new(GraphQL::Schema::InputObject) do
+            graphql_name("Input#{n}")
+            argument :arg, String
+          end
           obj_t = Class.new(GraphQL::Schema::Object) do
             graphql_name("Object#{n}")
             implements(*int_ts)
             20.times do |n2|
               field :"field#{n2}", String do
-                argument :arg, String
+                argument :input, input_obj_t
               end
 
             end
@@ -152,8 +156,9 @@ def self.profile_boot
     end
     StackProf::Report.new(result).print_text
 
+    retained_schema = nil
     report = MemoryProfiler.report do
-      build_large_schema
+      retained_schema = build_large_schema
     end
 
     report.pretty_print

cop/development/no_eval_cop.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+require 'rubocop'
+
+module Cop
+  module Development
+    class NoEvalCop < RuboCop::Cop::Base
+      MSG_TEMPLATE = "Don't use `%{eval_method_name}` which accepts strings and may result evaluating unexpected code. Use `%{exec_method_name}` instead, and pass a block."
+
+      def on_send(node)
+        case node.method_name
+        when :module_eval, :class_eval, :instance_eval
+          message = MSG_TEMPLATE % { eval_method_name: node.method_name, exec_method_name: node.method_name.to_s.sub("eval", "exec").to_sym }
+          add_offense node, message: message
+        end
+      end
+    end
+  end
+end

lib/graphql/language/nodes.rb

@@ -138,6 +138,8 @@ def merge!(new_options)
         end
 
         class << self
+          # rubocop:disable Development/NoEvalCop This eval takes static inputs at load-time
+
           # Add a default `#visit_method` and `#children_method_name` using the class name
           def inherited(child_class)
             super
@@ -296,6 +298,7 @@ def self.from_a(filename, line, col, #{(scalar_method_names + @children_methods.
               RUBY
             end
           end
+          # rubocop:enable Development/NoEvalCop
         end
       end
 

lib/graphql/language/static_visitor.rb

@@ -22,39 +22,6 @@ def visit
         end
       end
 
-      # We don't use `alias` here because it breaks `super`
-      def self.make_visit_methods(ast_node_class)
-        node_method = ast_node_class.visit_method
-        children_of_type = ast_node_class.children_of_type
-        child_visit_method = :"#{node_method}_children"
-
-        class_eval(<<-RUBY, __FILE__, __LINE__ + 1)
-          # The default implementation for visiting an AST node.
-          # It doesn't _do_ anything, but it continues to visiting the node's children.
-          # To customize this hook, override one of its make_visit_methods (or the base method?)
-          # in your subclasses.
-          #
-          # @param node [GraphQL::Language::Nodes::AbstractNode] the node being visited
-          # @param parent [GraphQL::Language::Nodes::AbstractNode, nil] the previously-visited node, or `nil` if this is the root node.
-          # @return [void]
-          def #{node_method}(node, parent)
-            #{
-              if method_defined?(child_visit_method)
-                "#{child_visit_method}(node)"
-              elsif children_of_type
-                children_of_type.map do |child_accessor, child_class|
-                  "node.#{child_accessor}.each do |child_node|
-                    #{child_class.visit_method}(child_node, node)
-                  end"
-                end.join("\n")
-              else
-                ""
-              end
-            }
-          end
-        RUBY
-      end
-
       def on_document_children(document_node)
         document_node.children.each do |child_node|
           visit_method = child_node.visit_method
@@ -123,6 +90,41 @@ def on_argument_children(new_node)
         end
       end
 
+      # rubocop:disable Development/NoEvalCop This eval takes static inputs at load-time
+
+      # We don't use `alias` here because it breaks `super`
+      def self.make_visit_methods(ast_node_class)
+        node_method = ast_node_class.visit_method
+        children_of_type = ast_node_class.children_of_type
+        child_visit_method = :"#{node_method}_children"
+
+        class_eval(<<-RUBY, __FILE__, __LINE__ + 1)
+          # The default implementation for visiting an AST node.
+          # It doesn't _do_ anything, but it continues to visiting the node's children.
+          # To customize this hook, override one of its make_visit_methods (or the base method?)
+          # in your subclasses.
+          #
+          # @param node [GraphQL::Language::Nodes::AbstractNode] the node being visited
+          # @param parent [GraphQL::Language::Nodes::AbstractNode, nil] the previously-visited node, or `nil` if this is the root node.
+          # @return [void]
+          def #{node_method}(node, parent)
+            #{
+              if method_defined?(child_visit_method)
+                "#{child_visit_method}(node)"
+              elsif children_of_type
+                children_of_type.map do |child_accessor, child_class|
+                  "node.#{child_accessor}.each do |child_node|
+                    #{child_class.visit_method}(child_node, node)
+                  end"
+                end.join("\n")
+              else
+                ""
+              end
+            }
+          end
+        RUBY
+      end
+
       [
         Language::Nodes::Argument,
         Language::Nodes::Directive,
@@ -162,6 +164,8 @@ def on_argument_children(new_node)
       ].each do |ast_node_class|
         make_visit_methods(ast_node_class)
       end
+
+      # rubocop:disable Development/NoEvalCop
     end
   end
 end

lib/graphql/language/visitor.rb

@@ -61,61 +61,6 @@ def visit
         end
       end
 
-      # We don't use `alias` here because it breaks `super`
-      def self.make_visit_methods(ast_node_class)
-        node_method = ast_node_class.visit_method
-        children_of_type = ast_node_class.children_of_type
-        child_visit_method = :"#{node_method}_children"
-
-        class_eval(<<-RUBY, __FILE__, __LINE__ + 1)
-          # The default implementation for visiting an AST node.
-          # It doesn't _do_ anything, but it continues to visiting the node's children.
-          # To customize this hook, override one of its make_visit_methods (or the base method?)
-          # in your subclasses.
-          #
-          # @param node [GraphQL::Language::Nodes::AbstractNode] the node being visited
-          # @param parent [GraphQL::Language::Nodes::AbstractNode, nil] the previously-visited node, or `nil` if this is the root node.
-          # @return [Array, nil] If there were modifications, it returns an array of new nodes, otherwise, it returns `nil`.
-          def #{node_method}(node, parent)
-            if node.equal?(DELETE_NODE)
-              # This might be passed to `super(DELETE_NODE, ...)`
-              # by a user hook, don't want to keep visiting in that case.
-              [node, parent]
-            else
-              new_node = node
-              #{
-                if method_defined?(child_visit_method)
-                  "new_node = #{child_visit_method}(new_node)"
-                elsif children_of_type
-                  children_of_type.map do |child_accessor, child_class|
-                    "node.#{child_accessor}.each do |child_node|
-                      new_child_and_node = #{child_class.visit_method}_with_modifications(child_node, new_node)
-                      # Reassign `node` in case the child hook makes a modification
-                      if new_child_and_node.is_a?(Array)
-                        new_node = new_child_and_node[1]
-                      end
-                    end"
-                  end.join("\n")
-                else
-                  ""
-                end
-              }
-
-              if new_node.equal?(node)
-                [node, parent]
-              else
-                [new_node, parent]
-              end
-            end
-          end
-
-          def #{node_method}_with_modifications(node, parent)
-            new_node_and_new_parent = #{node_method}(node, parent)
-            apply_modifications(node, parent, new_node_and_new_parent)
-          end
-        RUBY
-      end
-
       def on_document_children(document_node)
         new_node = document_node
         document_node.children.each do |child_node|
@@ -216,6 +161,63 @@ def on_argument_children(new_node)
         new_node
       end
 
+      # rubocop:disable Development/NoEvalCop This eval takes static inputs at load-time
+
+      # We don't use `alias` here because it breaks `super`
+      def self.make_visit_methods(ast_node_class)
+        node_method = ast_node_class.visit_method
+        children_of_type = ast_node_class.children_of_type
+        child_visit_method = :"#{node_method}_children"
+
+        class_eval(<<-RUBY, __FILE__, __LINE__ + 1)
+          # The default implementation for visiting an AST node.
+          # It doesn't _do_ anything, but it continues to visiting the node's children.
+          # To customize this hook, override one of its make_visit_methods (or the base method?)
+          # in your subclasses.
+          #
+          # @param node [GraphQL::Language::Nodes::AbstractNode] the node being visited
+          # @param parent [GraphQL::Language::Nodes::AbstractNode, nil] the previously-visited node, or `nil` if this is the root node.
+          # @return [Array, nil] If there were modifications, it returns an array of new nodes, otherwise, it returns `nil`.
+          def #{node_method}(node, parent)
+            if node.equal?(DELETE_NODE)
+              # This might be passed to `super(DELETE_NODE, ...)`
+              # by a user hook, don't want to keep visiting in that case.
+              [node, parent]
+            else
+              new_node = node
+              #{
+                if method_defined?(child_visit_method)
+                  "new_node = #{child_visit_method}(new_node)"
+                elsif children_of_type
+                  children_of_type.map do |child_accessor, child_class|
+                    "node.#{child_accessor}.each do |child_node|
+                      new_child_and_node = #{child_class.visit_method}_with_modifications(child_node, new_node)
+                      # Reassign `node` in case the child hook makes a modification
+                      if new_child_and_node.is_a?(Array)
+                        new_node = new_child_and_node[1]
+                      end
+                    end"
+                  end.join("\n")
+                else
+                  ""
+                end
+              }
+
+              if new_node.equal?(node)
+                [node, parent]
+              else
+                [new_node, parent]
+              end
+            end
+          end
+
+          def #{node_method}_with_modifications(node, parent)
+            new_node_and_new_parent = #{node_method}(node, parent)
+            apply_modifications(node, parent, new_node_and_new_parent)
+          end
+        RUBY
+      end
+
       [
         Language::Nodes::Argument,
         Language::Nodes::Directive,
@@ -256,6 +258,8 @@ def on_argument_children(new_node)
         make_visit_methods(ast_node_class)
       end
 
+      # rubocop:enable Development/NoEvalCop
+
       private
 
       def apply_modifications(node, parent, new_node_and_new_parent)

lib/graphql/schema/argument.rb

@@ -53,6 +53,7 @@ def from_resolver?
       def initialize(arg_name = nil, type_expr = nil, desc = nil, required: true, type: nil, name: nil, loads: nil, description: nil, ast_node: nil, default_value: NOT_CONFIGURED, as: nil, from_resolver: false, camelize: true, prepare: nil, owner:, validates: nil, directives: nil, deprecation_reason: nil, replace_null_with_default: false, &definition_block)
         arg_name ||= name
         @name = -(camelize ? Member::BuildType.camelize(arg_name.to_s) : arg_name.to_s)
+        NameValidator.validate!(@name)
         @type_expr = type_expr || type
         @description = desc || description
         @null = required != true
@@ -88,11 +89,8 @@ def initialize(arg_name = nil, type_expr = nil, desc = nil, required: true, type
         end
 
         if definition_block
-          if definition_block.arity == 1
-            instance_exec(self, &definition_block)
-          else
-            instance_eval(&definition_block)
-          end
+          # `self` will still be self, it will also be the first argument to the block:
+          instance_exec(self, &definition_block)
         end
       end
 

lib/graphql/schema/build_from_definition.rb

@@ -451,17 +451,18 @@ def build_fields(owner, field_definitions, type_resolver, default_resolve:)
 
             # Don't do this for interfaces
             if default_resolve
-              owner.class_eval <<-RUBY, __FILE__, __LINE__
-                # frozen_string_literal: true
-                def #{resolve_method_name}(**args)
-                  field_instance = self.class.get_field("#{field_definition.name}")
-                  context.schema.definition_default_resolve.call(self.class, field_instance, object, args, context)
-                end
-              RUBY
+              define_field_resolve_method(owner, resolve_method_name, field_definition.name)
             end
           end
         end
 
+        def define_field_resolve_method(owner, method_name, field_name)
+          owner.define_method(method_name) { |**args|
+            field_instance = self.class.get_field(field_name)
+            context.schema.definition_default_resolve.call(self.class, field_instance, object, args, context)
+          }
+        end
+
         def build_resolve_type(lookup_hash, directives, missing_type_handler)
           resolve_type_proc = nil
           resolve_type_proc = ->(ast_node) {

lib/graphql/schema/directive.rb

@@ -99,7 +99,7 @@ def repeatable(new_value)
 
         def inherited(subclass)
           super
-          subclass.class_eval do
+          subclass.class_exec do
             @default_graphql_name ||= nil
           end
         end

lib/graphql/schema/enum_value.rb

@@ -47,7 +47,7 @@ def initialize(graphql_name, desc = nil, owner:, ast_node: nil, directives: nil,
         end
 
         if block_given?
-          instance_eval(&block)
+          instance_exec(self, &block)
         end
       end
 

lib/graphql/schema/field.rb

@@ -233,7 +233,7 @@ def initialize(type: nil, name: nil, owner: nil, null: nil, description: NOT_CON
 
         @underscored_name = -Member::BuildType.underscore(name_s)
         @name = -(camelize ? Member::BuildType.camelize(name_s) : name_s)
-
+        NameValidator.validate!(@name)
         @description = description
         @type = @owner_type = @own_validators = @own_directives = @own_arguments = @arguments_statically_coercible = nil # these will be prepared later if necessary