Mitigate CVE-2022-37734 by updating graphql and jackson dependencies #1045 (#1046)

Co-authored-by: Upendra Vedullapalli <[email protected]>
Co-authored-by: Bogdan Kobylynskyi <[email protected]>

Author: 3 people

build.gradle

@@ -21,8 +21,8 @@ repositories {
 
 dependencies {
     compileOnly "org.freemarker:freemarker:2.3.31"
-    compileOnly "com.graphql-java:graphql-java:16.2"
-    compileOnly "com.fasterxml.jackson.core:jackson-databind:2.13.3"
+    compileOnly "com.graphql-java:graphql-java:20.0"
+    compileOnly "com.fasterxml.jackson.core:jackson-databind:2.14.2"
     compileOnly "com.typesafe:config:1.4.1"
 
     testImplementation "org.junit.jupiter:junit-jupiter-api:5.7.1"

src/test/java/com/kobylynskyi/graphql/codegen/GraphQLCodegenAnnotationsTest.java

@@ -6,6 +6,7 @@
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 
 import java.io.File;
 import java.io.IOException;
@@ -22,6 +23,7 @@
 import static java.util.Collections.singletonList;
 import static java.util.Collections.singletonMap;
 
+@ExtendWith(MaxQueryTokensExtension.class)
 class GraphQLCodegenAnnotationsTest {
 
     private final File outputBuildDir = new File("build/generated");

src/test/java/com/kobylynskyi/graphql/codegen/GraphQLCodegenApisTest.java

@@ -10,6 +10,7 @@
 import com.kobylynskyi.graphql.codegen.utils.Utils;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 
 import java.io.File;
 import java.io.IOException;
@@ -28,6 +29,7 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
+@ExtendWith(MaxQueryTokensExtension.class)
 class GraphQLCodegenApisTest {
 
     private final File outputBuildDir = new File("build/generated");

src/test/java/com/kobylynskyi/graphql/codegen/GraphQLCodegenFieldsResolversTest.java

@@ -6,6 +6,7 @@
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 
 import java.io.File;
 import java.io.IOException;
@@ -18,6 +19,7 @@
 import static java.util.Collections.singletonList;
 import static java.util.Collections.singletonMap;
 
+@ExtendWith(MaxQueryTokensExtension.class)
 class GraphQLCodegenFieldsResolversTest {
 
     private final File outputBuildDir = new File("build/generated");

src/test/java/com/kobylynskyi/graphql/codegen/GraphQLCodegenGitHubTest.java

@@ -7,6 +7,7 @@
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 
 import java.io.File;
 import java.io.IOException;
@@ -17,6 +18,7 @@
 import static java.util.Collections.singletonList;
 import static org.hamcrest.MatcherAssert.assertThat;
 
+@ExtendWith(MaxQueryTokensExtension.class)
 class GraphQLCodegenGitHubTest {
 
     private final File outputBuildDir = new File("build/generated");

src/test/java/com/kobylynskyi/graphql/codegen/GraphQLCodegenOptionalTest.java

@@ -7,6 +7,7 @@
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 
 import java.io.File;
 import java.io.IOException;
@@ -16,6 +17,7 @@
 import static com.kobylynskyi.graphql.codegen.TestUtils.assertSameTrimmedContent;
 import static com.kobylynskyi.graphql.codegen.TestUtils.getFileByName;
 
+@ExtendWith(MaxQueryTokensExtension.class)
 class GraphQLCodegenOptionalTest {
 
     private final File outputBuildDir = new File("build/generated");

src/test/java/com/kobylynskyi/graphql/codegen/GraphQLCodegenRequestTest.java

@@ -6,6 +6,7 @@
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 
 import java.io.File;
 import java.io.IOException;
@@ -17,6 +18,7 @@
 import static java.util.Collections.singletonList;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 
+@ExtendWith(MaxQueryTokensExtension.class)
 class GraphQLCodegenRequestTest {
 
     private final File outputBuildDir = new File("build/generated");

src/test/java/com/kobylynskyi/graphql/codegen/MaxQueryTokensExtension.java

@@ -0,0 +1,27 @@
+package com.kobylynskyi.graphql.codegen;
+
+import graphql.parser.ParserOptions;
+import org.junit.jupiter.api.extension.AfterAllCallback;
+import org.junit.jupiter.api.extension.BeforeAllCallback;
+import org.junit.jupiter.api.extension.ExtensionContext;
+
+/**
+ * This extension is to increase the {@link ParserOptions#MAX_QUERY_TOKENS}} to 20_000 JVM wide
+ * to allow successful test schema parsing
+ */
+public class MaxQueryTokensExtension implements BeforeAllCallback, AfterAllCallback {
+
+    private static final ParserOptions defaultJvmParserOptions = ParserOptions.getDefaultParserOptions();
+
+    @Override
+    public void beforeAll(ExtensionContext context) {
+        ParserOptions.setDefaultParserOptions(
+                ParserOptions.getDefaultParserOptions().transform(o -> o.maxTokens(20_000))
+        );
+    }
+
+    @Override
+    public void afterAll(ExtensionContext context) {
+        ParserOptions.setDefaultParserOptions(defaultJvmParserOptions);
+    }
+}

src/test/java/com/kobylynskyi/graphql/codegen/kotlin/GraphQLCodegenGitHubTest.java

@@ -1,12 +1,14 @@
 package com.kobylynskyi.graphql.codegen.kotlin;
 
+import com.kobylynskyi.graphql.codegen.MaxQueryTokensExtension;
 import com.kobylynskyi.graphql.codegen.TestUtils;
 import com.kobylynskyi.graphql.codegen.model.GeneratedLanguage;
 import com.kobylynskyi.graphql.codegen.model.MappingConfig;
 import com.kobylynskyi.graphql.codegen.utils.Utils;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 
 import java.io.File;
 import java.io.IOException;
@@ -21,6 +23,7 @@
 import static java.util.Collections.singleton;
 import static java.util.Collections.singletonList;
 
+@ExtendWith(MaxQueryTokensExtension.class)
 class GraphQLCodegenGitHubTest {
 
     private final File outputBuildDir = new File("build/generated");

src/test/java/com/kobylynskyi/graphql/codegen/kotlin/GraphQLCodegenInitializeNullableTypesTest.java

@@ -1,12 +1,14 @@
 package com.kobylynskyi.graphql.codegen.kotlin;
 
+import com.kobylynskyi.graphql.codegen.MaxQueryTokensExtension;
 import com.kobylynskyi.graphql.codegen.TestUtils;
 import com.kobylynskyi.graphql.codegen.model.GeneratedLanguage;
 import com.kobylynskyi.graphql.codegen.model.MappingConfig;
 import com.kobylynskyi.graphql.codegen.utils.Utils;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 
 import java.io.File;
 import java.util.Objects;
@@ -15,6 +17,7 @@
 import static com.kobylynskyi.graphql.codegen.TestUtils.getFileByName;
 import static java.util.Collections.singletonList;
 
+@ExtendWith(MaxQueryTokensExtension.class)
 class GraphQLCodegenInitializeNullableTypesTest {
 
     private final File outputBuildDir = new File("build/generated");