Skip to content

Fix infinite recursion in type definition parser #642

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 10, 2023
Merged

Fix infinite recursion in type definition parser #642

merged 2 commits into from
Apr 10, 2023

Conversation

Invizory
Copy link
Contributor

Fixes #637.

@coveralls
Copy link

coveralls commented Jul 29, 2022
edited
Loading

Coverage Status

Coverage: 92.051%. Remained the same when pulling 2a6e1ff on Invizory:fix-infinite-recursion-in-parser into 623f886 on graphql-go:master.

@Invizory Invizory force-pushed the fix-infinite-recursion-in-parser branch from 6d83653 to 4188bd5 Compare July 29, 2022 22:13
@Invizory Invizory changed the title Fix infinite recursion in parser Fix infinite recursion in type definition parser Jul 29, 2022
@jamesdphillips jamesdphillips mentioned this pull request Aug 10, 2022
Merged
jamesdphillips added a commit to sensu/sensu-go that referenced this pull request Aug 10, 2022
@jamesdphillips
Update graphql-go package to address issue (#4836)
afb1ce7 
* Implements fix from: graphql-go/graphql#642
* I couldn't use the `replace` directive without a version tag so I've used my own fork.

---

Signed-off-by: James Phillips <jamesdphillips@gmail.com>
jamesdphillips added a commit to sensu/sensu-go that referenced this pull request Aug 11, 2022
@jamesdphillips
Update graphql-go package to address issue (#4836)
9f88184 
* Implements fix from: graphql-go/graphql#642
* I couldn't use the `replace` directive without a version tag so I've used my own fork.

---

Signed-off-by: James Phillips <jamesdphillips@gmail.com>
SpencerHedger added a commit to cantabular/graphql-go-graphql that referenced this pull request Aug 23, 2022
@SpencerHedger
Fix infinite recursion in type definition parser
e55cf2d 
From: graphql-go#642
@Dynom
Copy link

Dynom commented Aug 29, 2022

What's blocking to merging this in and bumping the release?

@cyberhck
Copy link

hey guys, this is blocking our deployments because it's getting caught from our code scanners, any ETA on when this can be merged and released?

@SkNuwanTissera
Copy link

Hi guys, Can we merge this? This impacts our SCAs.

snej added a commit to couchbase/sync_gateway that referenced this pull request Mar 9, 2023
@snej
Switch to forked graphql-go with CVE fix applied
2794959 
Our dependency graphql-go v0.8.0 has a bug in which a malformed schema string
can cause a stack overflow in the parser, causing a Go panic. This is considered
a DoS attack vector, assigned CVE-2022-37315.

Seven months later, the fix for this bug has still not been merged, so we need
to fork graphql-go and apply the fix ourselves.

- Forked graphql-go repo to couchbasedeps/graphql-go.
- In the forked repo, cherry-picked fix of CVE-2022-37315, from
  graphql-go/graphql#642 . Tagged this v0.8.1.
- Updated SG's go.mod file to override original go-graphql with our fork.
- Added a unit test in db/functions that tests the fix. I verified that,
  without the fix applied, this test panics; with it, it just returns an
  expected syntax error.
@snej snej mentioned this pull request Mar 9, 2023
Merged
6 tasks
torcolvin pushed a commit to couchbase/sync_gateway that referenced this pull request Mar 10, 2023
@snej
Switch to forked graphql-go with CVE fix applied (#6137)
125ca4b 
Our dependency graphql-go v0.8.0 has a bug in which a malformed schema string
can cause a stack overflow in the parser, causing a Go panic. This is considered
a DoS attack vector, assigned CVE-2022-37315.

Seven months later, the fix for this bug has still not been merged, so we need
to fork graphql-go and apply the fix ourselves.

- Forked graphql-go repo to couchbasedeps/graphql-go.
- In the forked repo, cherry-picked fix of CVE-2022-37315, from
  graphql-go/graphql#642 . Tagged this v0.8.1.
- Updated SG's go.mod file to override original go-graphql with our fork.
- Added a unit test in db/functions that tests the fix. I verified that,
  without the fix applied, this test panics; with it, it just returns an
  expected syntax error.
@jarreds
Copy link

jarreds commented Mar 14, 2023

@chris-ramon @sogko I see you two are the owners of this org. Could you please merge this in to resolve the CVE?

chris-ramon
chris-ramon approved these changes Apr 10, 2023
View reviewed changes
Copy link
Member

@chris-ramon chris-ramon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍 🚢

@chris-ramon chris-ramon merged commit a974186 into graphql-go:master Apr 10, 2023
@chris-ramon
Copy link
Member

Thanks a lot @Invizory — Included as part of the v0.8.1 release.

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@chris-ramon chris-ramon chris-ramon approved these changes

@stiggity stiggity stiggity approved these changes

@lgarrett-isp lgarrett-isp lgarrett-isp approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Infinite recursion on malformed input (parseTypeSystemDefinition)
9 participants
@Invizory @coveralls @Dynom @cyberhck @SkNuwanTissera @jarreds @chris-ramon @stiggity @lgarrett-isp