Merge security fixes from 0.15 juniper releases

Author: tyranron

Makefile.toml

@@ -12,7 +12,7 @@ CARGO_MAKE_WORKSPACE_SKIP_MEMBERS = "integration_tests/*;examples/*;juniper_benc
 [tasks.release]
 condition = { env_set = [ "RELEASE_LEVEL" ] }
 command = "cargo-release"
-args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/../_build/release.toml", "${RELEASE_LEVEL}"]
+args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/../_build/release.toml", "--execute", "${RELEASE_LEVEL}"]
 
 
 # Run `RELEASE_LEVEL=(patch|major|minor) cargo make release-dry-run` to do a dry run.
@@ -23,7 +23,7 @@ args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/../_build/releas
 condition = { env_set = [ "RELEASE_LEVEL" ] }
 description = "Run `cargo-release --dry-run` for every crate"
 command = "cargo-release"
-args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/../_build/release.toml", "--dry-run", "${RELEASE_LEVEL}"]
+args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/../_build/release.toml", "--no-confirm", "--no-publish", "--no-push", "--no-tag", "${RELEASE_LEVEL}"]
 
 
 # Run `RELEASE_LEVEL=(patch|major|minor) cargo make release-local-test` to actually make changes locally but
@@ -35,4 +35,4 @@ args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/../_build/releas
 condition = { env_set = [ "RELEASE_LEVEL" ] }
 description = "Run `cargo-release` for every crate, but only make changes locally"
 command = "cargo-release"
-args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/../_build/release.toml", "--no-confirm", "--skip-publish", "--skip-push", "--skip-tag", "${RELEASE_LEVEL}"]
+args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/../_build/release.toml", "--no-confirm", "${RELEASE_LEVEL}"]

_build/release.toml

@@ -1,6 +1,5 @@
-no-dev-version = true
 pre-release-commit-message = "Release {{crate_name}} {{version}}"
-pro-release-commit-message = "Bump {{crate_name}} version to {{next_version}}"
+post-release-commit-message = "Bump {{crate_name}} version to {{next_version}}"
 tag-message = "Release {{crate_name}} {{version}}"
 pre-release-replacements = [
   {file="CHANGELOG.md", min=0, search="# master", replace="# master\n\n- Compatibility with the latest `juniper`.\n\n# [[{{version}}] {{date}}](https://github.com/graphql-rust/juniper/releases/tag/{{crate_name}}-{{version}})"},

juniper/CHANGELOG.md

@@ -42,6 +42,14 @@
 - Support expressions in `graphql_value!` macro. ([#996](https://github.com/graphql-rust/juniper/pull/996), [#503](https://github.com/graphql-rust/juniper/issues/503))
 - List coercion rules: `null` cannot be coerced to an `[Int!]!` or `[Int]!`. ([#1004](https://github.com/graphql-rust/juniper/pull/1004))
 
+# [[0.15.9] 2022-02-02](https://github.com/graphql-rust/juniper/releases/tag/juniper-v0.15.9)
+
+- Fix infinite recursion on malformed queries with nested recursive fragments. *This is a potential denial-of-service attack vector.* Thanks to [@quapka](https://github.com/quapka) for the detailed vulnerability report and reproduction steps.
+
+# [[0.15.8] 2022-01-26](https://github.com/graphql-rust/juniper/releases/tag/juniper-v0.15.8)
+
+- Fix panic on malformed queries with recursive fragments. *This is a potential denial-of-service attack vector.* Thanks to [@quapka](https://github.com/quapka) for the detailed vulnerability report and reproduction steps.
+
 # [[0.15.7] 2021-07-08](https://github.com/graphql-rust/juniper/releases/tag/juniper-v0.15.7)
 
 - Fix panic on spreading untyped union fragments ([#945](https://github.com/graphql-rust/juniper/issues/945))

juniper/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "juniper"
-version = "0.15.7"
+version = "0.15.9"
 authors = [
     "Magnus Hallin <[email protected]>",
     "Christoph Herzog <[email protected]>",
@@ -32,7 +32,7 @@ scalar-naivetime = []
 schema-language = ["graphql-parser-integration"]
 
 [dependencies]
-juniper_codegen = { version = "0.15.7", path = "../juniper_codegen"  }
+juniper_codegen = { version = "0.15.9", path = "../juniper_codegen"  }
 
 anyhow = { version = "1.0.32", optional = true, default-features = false }
 async-trait = "0.1.39"

juniper/Makefile.toml

@@ -4,13 +4,13 @@
 CARGO_MAKE_CARGO_ALL_FEATURES = ""
 
 [tasks.release]
-args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/release.toml", "${RELEASE_LEVEL}"]
+args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/release.toml", "--execute", "${RELEASE_LEVEL}"]
 
 [tasks.release-dry-run]
-args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/release.toml", "--dry-run", "${RELEASE_LEVEL}"]
+args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/release.toml", "--no-confirm", "--no-publish", "--no-push", "--no-tag", "${RELEASE_LEVEL}"]
 
 [tasks.release-local-test]
-args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/release.toml", "--no-confirm", "--skip-publish", "--skip-push", "--skip-tag", "${RELEASE_LEVEL}"]
+args = ["release", "--config", "${CARGO_MAKE_WORKING_DIRECTORY}/release.toml", "--no-confirm", "${RELEASE_LEVEL}"]
 
 [tasks.test]
 args = ["test", "--all-features"]

juniper/release.toml

@@ -1,6 +1,5 @@
-no-dev-version = true
 pre-release-commit-message = "Release {{crate_name}} {{version}}"
-pro-release-commit-message = "Bump {{crate_name}} version to {{next_version}}"
+post-release-commit-message = "Bump {{crate_name}} version to {{next_version}}"
 tag-message = "Release {{crate_name}} {{version}}"
 pre-release-replacements = [
   # Juniper's changelog

juniper/src/lib.rs

@@ -94,7 +94,7 @@ Juniper has not reached 1.0 yet, thus some API instability should be expected.
 */
 // Due to `schema_introspection` test.
 #![cfg_attr(test, recursion_limit = "256")]
-#![doc(html_root_url = "https://docs.rs/juniper/0.15.7")]
+#![doc(html_root_url = "https://docs.rs/juniper/0.15.9")]
 #![warn(missing_docs)]
 
 // Required for using `juniper_codegen` macros inside this crate to resolve absolute `::juniper`

juniper/src/validation/context.rs

@@ -97,6 +97,10 @@ impl<'a, S: Debug> ValidatorContext<'a, S> {
         self.errors.push(RuleError::new(message, locations))
     }
 
+    pub(crate) fn has_errors(&self) -> bool {
+        !self.errors.is_empty()
+    }
+
     #[doc(hidden)]
     pub fn into_errors(mut self) -> Vec<RuleError> {
         self.errors.sort();

juniper/src/validation/mod.rs

@@ -21,6 +21,7 @@ pub use self::{
 
 #[cfg(test)]
 pub use self::test_harness::{
-    expect_fails_rule, expect_fails_rule_with_schema, expect_passes_rule,
+    expect_fails_fn, expect_fails_fn_with_schema, expect_fails_rule, expect_fails_rule_with_schema,
+    expect_passes_fn, expect_passes_fn_with_schema, expect_passes_rule,
     expect_passes_rule_with_schema,
 };

juniper/src/validation/rules/mod.rs

@@ -35,7 +35,14 @@ pub fn visit_all_rules<'a, S: Debug>(ctx: &mut ValidatorContext<'a, S>, doc: &'a
 where
     S: ScalarValue,
 {
-    let mut mv = MultiVisitorNil
+    // Some validators are depending on the results of other ones.
+    // For example, validators checking fragments usually rely on the fact that
+    // they have no cycles (`no_fragment_cycles`), otherwise may stall in an
+    // infinite recursion. So, we should run validators in stages, moving to the
+    // next stage only once the previous succeeds. This is better than making
+    // every single validator being aware of fragments cycles and/or other
+    // assumptions.
+    let mut stage1 = MultiVisitorNil
         .with(self::arguments_of_correct_type::factory())
         .with(self::default_values_of_correct_type::factory())
         .with(self::fields_on_correct_type::factory())
@@ -49,7 +56,6 @@ where
         .with(self::no_undefined_variables::factory())
         .with(self::no_unused_fragments::factory())
         .with(self::no_unused_variables::factory())
-        .with(self::overlapping_fields_can_be_merged::factory())
         .with(self::possible_fragment_spreads::factory())
         .with(self::provided_non_null_arguments::factory())
         .with(self::scalar_leafs::factory())
@@ -60,6 +66,62 @@ where
         .with(self::unique_variable_names::factory())
         .with(self::variables_are_input_types::factory())
         .with(self::variables_in_allowed_position::factory());
+    visit(&mut stage1, ctx, doc);
+    if ctx.has_errors() {
+        return;
+    }
 
-    visit(&mut mv, ctx, doc)
+    let mut stage2 = MultiVisitorNil.with(self::overlapping_fields_can_be_merged::factory());
+    visit(&mut stage2, ctx, doc);
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::{parser::SourcePosition, DefaultScalarValue};
+
+    use crate::validation::{expect_fails_fn, RuleError};
+
+    #[test]
+    fn handles_recursive_fragments() {
+        expect_fails_fn::<_, DefaultScalarValue>(
+            super::visit_all_rules,
+            "fragment f on QueryRoot { ...f }",
+            &[
+                RuleError::new(
+                    "Fragment \"f\" is never used",
+                    &[SourcePosition::new(0, 0, 0)],
+                ),
+                RuleError::new(
+                    "Cannot spread fragment \"f\"",
+                    &[SourcePosition::new(26, 0, 26)],
+                ),
+            ],
+        );
+    }
+
+    #[test]
+    fn handles_nested_recursive_fragments() {
+        expect_fails_fn::<_, DefaultScalarValue>(
+            super::visit_all_rules,
+            "fragment f on QueryRoot { a { ...f a { ...f } } }",
+            &[
+                RuleError::new(
+                    "Fragment \"f\" is never used",
+                    &[SourcePosition::new(0, 0, 0)],
+                ),
+                RuleError::new(
+                    r#"Unknown field "a" on type "QueryRoot""#,
+                    &[SourcePosition::new(26, 0, 26)],
+                ),
+                RuleError::new(
+                    "Cannot spread fragment \"f\"",
+                    &[SourcePosition::new(30, 0, 30)],
+                ),
+                RuleError::new(
+                    "Cannot spread fragment \"f\"",
+                    &[SourcePosition::new(39, 0, 39)],
+                ),
+            ],
+        );
+    }
 }