Merge commit from fork

[1.13] fix CVE 2025 27407

Author: rmosolgo

.rubocop.yml

@@ -1,5 +1,6 @@
 require:
   - ./cop/development/none_without_block_cop
+  - ./cop/development/no_eval_cop
   - ./cop/development/no_focus_cop
   - ./lib/graphql/rubocop/graphql/default_null_true
   - ./lib/graphql/rubocop/graphql/default_required_true
@@ -52,6 +53,10 @@ Development/NoneWithoutBlockCop:
     - "lib/**/*"
     - "spec/**/*"
 
+Development/NoEvalCop:
+  Include:
+    - "lib/**/*"
+
 Development/NoFocusCop:
   Include:
     - "spec/**/*"

benchmark/run.rb

@@ -82,7 +82,7 @@ def self.profile_large_introspection
             graphql_name("Object#{n}")
             20.times do |n2|
               field :"field#{n2}", String do
-                argument :arg, String
+                argument :input, input_obj_t
               end
             end
           end

cop/development/no_eval_cop.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+require 'rubocop'
+
+module Cop
+  module Development
+    class NoEvalCop < RuboCop::Cop::Base
+      MSG_TEMPLATE = "Don't use `%{eval_method_name}` which accepts strings and may result evaluating unexpected code. Use `%{exec_method_name}` instead, and pass a block."
+
+      def on_send(node)
+        case node.method_name
+        when :module_eval, :class_eval, :instance_eval
+          message = MSG_TEMPLATE % { eval_method_name: node.method_name, exec_method_name: node.method_name.to_s.sub("eval", "exec").to_sym }
+          add_offense node, message: message
+        end
+      end
+    end
+  end
+end

lib/graphql/language/nodes.rb

@@ -133,6 +133,8 @@ def merge!(new_options)
         end
 
         class << self
+          # rubocop:disable Development/NoEvalCop This eval takes static inputs at load-time
+
           # Add a default `#visit_method` and `#children_method_name` using the class name
           def inherited(child_class)
             super
@@ -276,6 +278,7 @@ def initialize_node #{arguments.join(", ")}
               RUBY
             end
           end
+          # rubocop:enable Development/NoEvalCop
         end
       end
 

lib/graphql/schema/argument.rb

@@ -52,6 +52,7 @@ def from_resolver?
       def initialize(arg_name = nil, type_expr = nil, desc = nil, required: true, type: nil, name: nil, loads: nil, description: nil, ast_node: nil, default_value: NO_DEFAULT, as: nil, from_resolver: false, camelize: true, prepare: nil, method_access: true, owner:, validates: nil, directives: nil, deprecation_reason: nil, replace_null_with_default: false, &definition_block)
         arg_name ||= name
         @name = -(camelize ? Member::BuildType.camelize(arg_name.to_s) : arg_name.to_s)
+        NameValidator.validate!(@name)
         @type_expr = type_expr || type
         @description = desc || description
         @null = required != true
@@ -85,11 +86,8 @@ def initialize(arg_name = nil, type_expr = nil, desc = nil, required: true, type
         end
 
         if definition_block
-          if definition_block.arity == 1
-            instance_exec(self, &definition_block)
-          else
-            instance_eval(&definition_block)
-          end
+          # `self` will still be self, it will also be the first argument to the block:
+          instance_exec(self, &definition_block)
         end
       end
 

lib/graphql/schema/build_from_definition.rb

@@ -427,17 +427,18 @@ def build_fields(owner, field_definitions, type_resolver, default_resolve:)
 
             # Don't do this for interfaces
             if default_resolve
-              owner.class_eval <<-RUBY, __FILE__, __LINE__
-                # frozen_string_literal: true
-                def #{resolve_method_name}(**args)
-                  field_instance = self.class.get_field("#{field_definition.name}")
-                  context.schema.definition_default_resolve.call(self.class, field_instance, object, args, context)
-                end
-              RUBY
+              define_field_resolve_method(owner, resolve_method_name, field_definition.name)
             end
           end
         end
 
+        def define_field_resolve_method(owner, method_name, field_name)
+          owner.define_method(method_name) { |**args|
+            field_instance = self.class.get_field(field_name)
+            context.schema.definition_default_resolve.call(self.class, field_instance, object, args, context)
+          }
+        end
+
         def build_resolve_type(lookup_hash, directives, missing_type_handler)
           resolve_type_proc = nil
           resolve_type_proc = ->(ast_node) {

lib/graphql/schema/enum_value.rb

@@ -55,7 +55,7 @@ def initialize(graphql_name, desc = nil, owner:, ast_node: nil, directives: nil,
         end
 
         if block_given?
-          instance_eval(&block)
+          instance_exec(self, &block)
         end
       end
 

lib/graphql/schema/field.rb

@@ -232,6 +232,7 @@ def initialize(type: nil, name: nil, owner: nil, null: true, field: nil, functio
 
         @underscored_name = -Member::BuildType.underscore(name_s)
         @name = -(camelize ? Member::BuildType.camelize(name_s) : name_s)
+        NameValidator.validate!(@name)
         @description = description
         if field.is_a?(GraphQL::Schema::Field)
           raise ArgumentError, "Instead of passing a field as `field:`, use `add_field(field)` to add an already-defined field."

lib/graphql/schema/input_object.rb

@@ -138,12 +138,7 @@ class << self
         def argument(*args, **kwargs, &block)
           argument_defn = super(*args, **kwargs, &block)
           # Add a method access
-          method_name = argument_defn.keyword
-          class_eval <<-RUBY, __FILE__, __LINE__
-            def #{method_name}
-              self[#{method_name.inspect}]
-            end
-          RUBY
+          define_accessor_method(argument_defn.keyword)
           argument_defn
         end
 
@@ -253,6 +248,13 @@ def coerce_result(value, ctx)
 
           result
         end
+
+        private
+
+        def define_accessor_method(method_name)
+          define_method(method_name) { self[method_name] }
+          alias_method(method_name, method_name)
+        end
       end
 
       private

lib/graphql/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module GraphQL
-  VERSION = "1.13.23"
+  VERSION = "1.13.24"
 end