Merge commit from fork

[2.0] fix CVE 2025 27407

Author: rmosolgo

.rubocop.yml

@@ -1,5 +1,6 @@
 require:
   - ./cop/development/none_without_block_cop
+  - ./cop/development/no_eval_cop
   - ./cop/development/no_focus_cop
   - ./lib/graphql/rubocop/graphql/default_null_true
   - ./lib/graphql/rubocop/graphql/default_required_true
@@ -52,6 +53,10 @@ Development/NoneWithoutBlockCop:
     - "lib/**/*"
     - "spec/**/*"
 
+Development/NoEvalCop:
+  Include:
+    - "lib/**/*"
+
 Development/NoFocusCop:
   Include:
     - "spec/**/*"

benchmark/run.rb

@@ -111,12 +111,16 @@ def self.build_large_schema
         end
 
         obj_ts = 100.times.map do |n|
+          input_obj_t = Class.new(GraphQL::Schema::InputObject) do
+            graphql_name("Input#{n}")
+            argument :arg, String
+          end
           obj_t = Class.new(GraphQL::Schema::Object) do
             graphql_name("Object#{n}")
             implements(*int_ts)
             20.times do |n2|
               field :"field#{n2}", String do
-                argument :arg, String
+                argument :input, input_obj_t
               end
 
             end
@@ -153,8 +157,9 @@ def self.profile_boot
     end
     StackProf::Report.new(result).print_text
 
+    retained_schema = nil
     report = MemoryProfiler.report do
-      build_large_schema
+      retained_schema = build_large_schema
     end
 
     report.pretty_print

cop/development/no_eval_cop.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+require 'rubocop'
+
+module Cop
+  module Development
+    class NoEvalCop < RuboCop::Cop::Base
+      MSG_TEMPLATE = "Don't use `%{eval_method_name}` which accepts strings and may result evaluating unexpected code. Use `%{exec_method_name}` instead, and pass a block."
+
+      def on_send(node)
+        case node.method_name
+        when :module_eval, :class_eval, :instance_eval
+          message = MSG_TEMPLATE % { eval_method_name: node.method_name, exec_method_name: node.method_name.to_s.sub("eval", "exec").to_sym }
+          add_offense node, message: message
+        end
+      end
+    end
+  end
+end

lib/graphql/language/nodes.rb

@@ -138,6 +138,8 @@ def merge!(new_options)
         end
 
         class << self
+          # rubocop:disable Development/NoEvalCop This eval takes static inputs at load-time
+
           # Add a default `#visit_method` and `#children_method_name` using the class name
           def inherited(child_class)
             super
@@ -296,6 +298,7 @@ def self.from_a(filename, line, col, #{(scalar_method_names + @children_methods.
               RUBY
             end
           end
+          # rubocop:enable Development/NoEvalCop
         end
       end
 

lib/graphql/language/visitor.rb

@@ -76,67 +76,6 @@ def visit
         end
       end
 
-      # We don't use `alias` here because it breaks `super`
-      def self.make_visit_methods(ast_node_class)
-        node_method = ast_node_class.visit_method
-        children_of_type = ast_node_class.children_of_type
-        child_visit_method = :"#{node_method}_children"
-
-        class_eval(<<-RUBY, __FILE__, __LINE__ + 1)
-          # The default implementation for visiting an AST node.
-          # It doesn't _do_ anything, but it continues to visiting the node's children.
-          # To customize this hook, override one of its make_visit_methods (or the base method?)
-          # in your subclasses.
-          #
-          # For compatibility, it calls hook procs, too.
-          # @param node [GraphQL::Language::Nodes::AbstractNode] the node being visited
-          # @param parent [GraphQL::Language::Nodes::AbstractNode, nil] the previously-visited node, or `nil` if this is the root node.
-          # @return [Array, nil] If there were modifications, it returns an array of new nodes, otherwise, it returns `nil`.
-          def #{node_method}(node, parent)
-            if node.equal?(DELETE_NODE)
-              # This might be passed to `super(DELETE_NODE, ...)`
-              # by a user hook, don't want to keep visiting in that case.
-              [node, parent]
-            else
-              # Run hooks if there are any
-              new_node = node
-              no_hooks = [email protected]?(node.class)
-              if no_hooks || begin_visit(new_node, parent)
-                #{
-                  if method_defined?(child_visit_method)
-                    "new_node = #{child_visit_method}(new_node)"
-                  elsif children_of_type
-                    children_of_type.map do |child_accessor, child_class|
-                      "node.#{child_accessor}.each do |child_node|
-                        new_child_and_node = #{child_class.visit_method}_with_modifications(child_node, new_node)
-                        # Reassign `node` in case the child hook makes a modification
-                        if new_child_and_node.is_a?(Array)
-                          new_node = new_child_and_node[1]
-                        end
-                      end"
-                    end.join("\n")
-                  else
-                    ""
-                  end
-                }
-              end
-              end_visit(new_node, parent) unless no_hooks
-
-              if new_node.equal?(node)
-                [node, parent]
-              else
-                [new_node, parent]
-              end
-            end
-          end
-
-          def #{node_method}_with_modifications(node, parent)
-            new_node_and_new_parent = #{node_method}(node, parent)
-            apply_modifications(node, parent, new_node_and_new_parent)
-          end
-        RUBY
-      end
-
       def on_document_children(document_node)
         new_node = document_node
         document_node.children.each do |child_node|
@@ -237,6 +176,68 @@ def on_argument_children(new_node)
         new_node
       end
 
+      # rubocop:disable Development/NoEvalCop This eval takes static inputs at load-time
+
+      def self.make_visit_methods(ast_node_class)
+        node_method = ast_node_class.visit_method
+        children_of_type = ast_node_class.children_of_type
+        child_visit_method = :"#{node_method}_children"
+
+        class_eval(<<-RUBY, __FILE__, __LINE__ + 1)
+          # The default implementation for visiting an AST node.
+          # It doesn't _do_ anything, but it continues to visiting the node's children.
+          # To customize this hook, override one of its make_visit_methods (or the base method?)
+          # in your subclasses.
+          #
+          # For compatibility, it calls hook procs, too.
+          # @param node [GraphQL::Language::Nodes::AbstractNode] the node being visited
+          # @param parent [GraphQL::Language::Nodes::AbstractNode, nil] the previously-visited node, or `nil` if this is the root node.
+          # @return [Array, nil] If there were modifications, it returns an array of new nodes, otherwise, it returns `nil`.
+          def #{node_method}(node, parent)
+            if node.equal?(DELETE_NODE)
+              # This might be passed to `super(DELETE_NODE, ...)`
+              # by a user hook, don't want to keep visiting in that case.
+              [node, parent]
+            else
+              # Run hooks if there are any
+              new_node = node
+              no_hooks = [email protected]?(node.class)
+              if no_hooks || begin_visit(new_node, parent)
+                #{
+                  if method_defined?(child_visit_method)
+                    "new_node = #{child_visit_method}(new_node)"
+                  elsif children_of_type
+                    children_of_type.map do |child_accessor, child_class|
+                      "node.#{child_accessor}.each do |child_node|
+                        new_child_and_node = #{child_class.visit_method}_with_modifications(child_node, new_node)
+                        # Reassign `node` in case the child hook makes a modification
+                        if new_child_and_node.is_a?(Array)
+                          new_node = new_child_and_node[1]
+                        end
+                      end"
+                    end.join("\n")
+                  else
+                    ""
+                  end
+                }
+              end
+              end_visit(new_node, parent) unless no_hooks
+              if new_node.equal?(node)
+                [node, parent]
+              else
+                [new_node, parent]
+              end
+            end
+          end
+          def #{node_method}_with_modifications(node, parent)
+            new_node_and_new_parent = #{node_method}(node, parent)
+            apply_modifications(node, parent, new_node_and_new_parent)
+          end
+        RUBY
+      end
+
+
+
       [
         Language::Nodes::Argument,
         Language::Nodes::Directive,
@@ -277,6 +278,8 @@ def on_argument_children(new_node)
         make_visit_methods(ast_node_class)
       end
 
+      # rubocop:enable Development/NoEvalCop
+
       private
 
       def apply_modifications(node, parent, new_node_and_new_parent)

lib/graphql/schema/argument.rb

@@ -53,6 +53,7 @@ def from_resolver?
       def initialize(arg_name = nil, type_expr = nil, desc = nil, required: true, type: nil, name: nil, loads: nil, description: nil, ast_node: nil, default_value: NOT_CONFIGURED, as: nil, from_resolver: false, camelize: true, prepare: nil, owner:, validates: nil, directives: nil, deprecation_reason: nil, replace_null_with_default: false, &definition_block)
         arg_name ||= name
         @name = -(camelize ? Member::BuildType.camelize(arg_name.to_s) : arg_name.to_s)
+        NameValidator.validate!(@name)
         @type_expr = type_expr || type
         @description = desc || description
         @null = required != true
@@ -88,11 +89,8 @@ def initialize(arg_name = nil, type_expr = nil, desc = nil, required: true, type
         end
 
         if definition_block
-          if definition_block.arity == 1
-            instance_exec(self, &definition_block)
-          else
-            instance_eval(&definition_block)
-          end
+          # `self` will still be self, it will also be the first argument to the block:
+          instance_exec(self, &definition_block)
         end
       end
 

lib/graphql/schema/build_from_definition.rb

@@ -453,17 +453,18 @@ def build_fields(owner, field_definitions, type_resolver, default_resolve:)
 
             # Don't do this for interfaces
             if default_resolve
-              owner.class_eval <<-RUBY, __FILE__, __LINE__
-                # frozen_string_literal: true
-                def #{resolve_method_name}(**args)
-                  field_instance = self.class.get_field("#{field_definition.name}")
-                  context.schema.definition_default_resolve.call(self.class, field_instance, object, args, context)
-                end
-              RUBY
+              define_field_resolve_method(owner, resolve_method_name, field_definition.name)
             end
           end
         end
 
+        def define_field_resolve_method(owner, method_name, field_name)
+          owner.define_method(method_name) { |**args|
+            field_instance = self.class.get_field(field_name)
+            context.schema.definition_default_resolve.call(self.class, field_instance, object, args, context)
+          }
+        end
+
         def build_resolve_type(lookup_hash, directives, missing_type_handler)
           resolve_type_proc = nil
           resolve_type_proc = ->(ast_node) {

lib/graphql/schema/directive.rb

@@ -99,7 +99,7 @@ def repeatable(new_value)
 
         def inherited(subclass)
           super
-          subclass.class_eval do
+          subclass.class_exec do
             @default_graphql_name ||= nil
           end
         end

lib/graphql/schema/enum_value.rb

@@ -47,7 +47,7 @@ def initialize(graphql_name, desc = nil, owner:, ast_node: nil, directives: nil,
         end
 
         if block_given?
-          instance_eval(&block)
+          instance_exec(self, &block)
         end
       end
 

lib/graphql/schema/field.rb

@@ -233,7 +233,7 @@ def initialize(type: nil, name: nil, owner: nil, null: nil, description: NOT_CON
 
         @underscored_name = -Member::BuildType.underscore(name_s)
         @name = -(camelize ? Member::BuildType.camelize(name_s) : name_s)
-
+        NameValidator.validate!(@name)
         @description = description
         @type = @owner_type = @own_validators = @own_directives = @own_arguments = @arguments_statically_coercible = nil # these will be prepared later if necessary
 

lib/graphql/schema/input_object.rb

@@ -131,12 +131,7 @@ def argument(*args, **kwargs, &block)
             end
           end
           # Add a method access
-          method_name = argument_defn.keyword
-          class_eval <<-RUBY, __FILE__, __LINE__
-            def #{method_name}
-              self[#{method_name.inspect}]
-            end
-          RUBY
+          define_accessor_method(argument_defn.keyword)
           argument_defn
         end
 
@@ -242,6 +237,13 @@ def coerce_result(value, ctx)
 
           result
         end
+
+        private
+
+        def define_accessor_method(method_name)
+          define_method(method_name) { self[method_name] }
+          alias_method(method_name, method_name)
+        end
       end
 
       private

lib/graphql/schema/member/has_directives.rb

@@ -6,7 +6,7 @@ class Member
       module HasDirectives
         def self.extended(child_cls)
           super
-          child_cls.module_eval { self.own_directives = nil }
+          child_cls.module_exec { self.own_directives = nil }
         end
 
         def inherited(child_cls)

lib/graphql/schema/member/has_fields.rb

@@ -180,7 +180,7 @@ def self.extended(child_class)
 
         def inherited(subclass)
           super
-          subclass.class_eval do
+          subclass.class_exec do
             @own_fields ||= nil
             @field_class ||= nil
           end

lib/graphql/schema/member/has_interfaces.rb

@@ -119,7 +119,7 @@ def self.extended(child_class)
 
         def inherited(subclass)
           super
-          subclass.class_eval do
+          subclass.class_exec do
             @own_interface_type_memberships ||= nil
           end
         end

lib/graphql/schema/member/type_system_helpers.rb

@@ -43,7 +43,7 @@ def kind
         private
 
         def inherited(subclass)
-          subclass.class_eval do
+          subclass.class_exec do
             @to_non_null_type ||= nil
             @to_list_type ||= nil
           end

lib/graphql/tracing/appoptics_trace.rb

@@ -28,6 +28,8 @@ def self.version
         Gem::Version.new('1.0.0')
       end
 
+      # rubocop:disable Development/NoEvalCop This eval takes static inputs at load-time
+
       [
         'lex',
         'parse',
@@ -55,6 +57,8 @@ def #{trace_method}(**data)
         RUBY
       end
 
+      # rubocop:enable Development/NoEvalCop
+
       def execute_field(query:, field:, ast_node:, arguments:, object:)
         return_type = field.type.unwrap
         trace_field = if return_type.kind.scalar? || return_type.kind.enum?