Don't allow line terminators in single-quoted strings

rmosolgo · rmosolgo · commit 2775384b5713 · 2024-02-08T12:18:13.000-05:00
diff --git a/lib/graphql/language/lexer.rb b/lib/graphql/language/lexer.rb
@@ -254,7 +254,7 @@ module Punctuation
       STRING_ESCAPE = %r{[\\][\\/bfnrt]}
       BLOCK_QUOTE =   '"""'
       ESCAPED_QUOTE = /\\"/;
-      STRING_CHAR = /#{ESCAPED_QUOTE}|[^"\\]|#{UNICODE_ESCAPE}|#{STRING_ESCAPE}/
+      STRING_CHAR = /#{ESCAPED_QUOTE}|[^"\\\n\r]|#{UNICODE_ESCAPE}|#{STRING_ESCAPE}/
       QUOTED_STRING_REGEXP = %r{#{QUOTE} (?:#{STRING_CHAR})* #{QUOTE}}x
       BLOCK_STRING_REGEXP = %r{
         #{BLOCK_QUOTE}
diff --git a/spec/graphql/language/parser_spec.rb b/spec/graphql/language/parser_spec.rb
@@ -16,6 +16,17 @@
     assert_equal expected_message, err.message
   end
 
+  it "rejects newlines in single-quoted strings" do
+    assert_raises(GraphQL::ParseError) {
+      GraphQL.parse("{ doStuff(arg: \"
+abc\") }"
+      )
+    }
+    assert_raises(GraphQL::ParseError) {
+      GraphQL.parse("{ doStuff(arg: \"\rabc\") }")
+    }
+  end
+
   describe "when there are no selections" do
     it 'raises a ParseError' do
       assert_raises(GraphQL::ParseError) {
