Conversation
Review Summary by Qodo

Update @urql/core to fix CVE-2026-3118 vulnerability
Walkthroughs

Description
• Update @urql/core dependency from 4.1.4 to 6.0.1
• Fixes CVE-2026-3118 vulnerability in GraphQL query parsing
• Resolves malformed pagination query handling issues
• Add changeset documenting the patch version update

Diagram
```mermaid
flowchart LR
    A["@urql/core v4.1.4"] -- "Update to v6.0.1" --> B["Fixed CVE-2026-3118"]
    B -- "Improved query parsing" --> C["@0no-co/graphql.web updated"]
    C -- "Sanitizes filters" --> D["Malformed queries detected"]
```
File Changes
1. workspaces/orchestrator/.changeset/five-meals-cover.md
Code Review by Qodo
1. GraphQL filter injection risk

Changed Packages
| "@red-hat-developer-hub/backstage-plugin-orchestrator-common": "workspace:^", | ||
| "@red-hat-developer-hub/backstage-plugin-orchestrator-node": "workspace:^", | ||
| "@urql/core": "^4.1.4", | ||
| "@urql/core": "^6.0.1", |
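Review bot: the parsing fix this PR relies on lives in the transitive @0no-co/graphql.web, but the hunk only widens the caret range on `@urql/core` from `^4.1.4` to `^6.0.1`; which graphql.web version actually resolves is decided by the lockfile, so the lockfile update should land in the same change and the description should state the resolved @0no-co/graphql.web version. This is also a two-major-version jump on the client (4.x to 6.x), so the call sites in DataIndexService that pass constructed query strings into @urql/core should be exercised against the v6 API before merging.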
1. GraphQL filter injection risk 🐞 Bug ⛨ Security
Request-body filters values are inserted into GraphQL query strings without escaping, so quotes/braces in filter values can break query parsing and allow query-shape injection against the Data Index GraphQL endpoint. This becomes more user-visible with the @urql/core upgrade because malformed queries will error instead of being tolerated downstream.
Agent Prompt
### Issue description
`filters` coming from `req.body` are embedded into GraphQL query strings without escaping, which can break query parsing and enables query-shape injection.
### Issue Context
- `router.ts` returns request filters directly from the body.
- `filterBuilder.ts` wraps string values in quotes without escaping.
- Queries are executed by passing constructed strings into `@urql/core`.
### Fix Focus Areas
- Sanitize/escape GraphQL string literal values (at minimum via `JSON.stringify(String(value))`) before embedding them into query strings.
- Prefer GraphQL variables wherever possible (for values like `definitionId`, `instanceId`, and filter values).
- Validate filter objects from the request (shape + value types) and reject invalid characters if variables cannot be used.
#### Files/lines
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[1098-1100]
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[101-155]
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[251-277]
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts[132-153]
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts[404-454]
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/queryBuilder.ts[18-38]



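The quoting pattern the review comment describes, shown beside an escaped builder and a variables-based query. This is an added example, not code from the orchestrator plugin or from this PR; the `where: { field: { equal: ... } }` argument shape, the `ProcessInstances` selection and all function names are assumptions made for illustration.

```typescript
// Added example (not the plugin's filterBuilder/queryBuilder). The filter
// shape `field: { equal: <value> }` and the `ProcessInstances` selection are
// assumed for illustration.

type FilterValue = string | number | boolean;

// GraphQL `Name` grammar: a field name that does not match cannot be a valid
// selection and must be rejected instead of interpolated into query text.
const GRAPHQL_NAME = /^[_A-Za-z][_0-9A-Za-z]*$/;

// The risky pattern: a string value is wrapped in quotes with no escaping, so
// a quote or brace inside the value changes the shape of the query.
export function buildFilterNaive(field: string, value: FilterValue): string {
  const literal = typeof value === 'string' ? `"${value}"` : String(value);
  return `${field}: { equal: ${literal} }`;
}

// JSON string escaping covers every character GraphQL forbids inside a string
// literal (quote, backslash, control characters), so JSON.stringify yields a
// valid GraphQL StringValue for any input string. Field names are validated
// and non-finite numbers are rejected rather than emitted as `NaN`/`Infinity`.
export function buildFilterEscaped(field: string, value: FilterValue): string {
  if (!GRAPHQL_NAME.test(field)) throw new TypeError(`invalid filter field: ${field}`);
  let literal: string;
  if (typeof value === 'string') literal = JSON.stringify(value);
  else if (typeof value === 'boolean') literal = String(value);
  else if (typeof value === 'number' && Number.isFinite(value)) literal = String(value);
  else throw new TypeError(`unsupported filter value for ${field}`);
  return `${field}: { equal: ${literal} }`;
}

// Preferred form: the value never enters the query text at all; it travels as
// a GraphQL variable and the server treats it as data, not syntax.
export function buildFilterWithVariable(
  field: string,
  value: string,
): { query: string; variables: Record<string, string> } {
  if (!GRAPHQL_NAME.test(field)) throw new TypeError(`invalid filter field: ${field}`);
  const query =
    `query ($${field}: String) ` +
    `{ ProcessInstances(where: { ${field}: { equal: $${field} } }) { id } }`;
  return { query, variables: { [field]: value } };
}
```

With a legitimate value such as `say "hi"`, the naive builder emits a literal with an unbalanced quote, which is exactly the kind of query the upgraded parser now rejects instead of tolerating.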
Hey, I just made a Pull Request!
relates to JIRA https://redhat.atlassian.net/browse/RHIDP-12388 and https://redhat.atlassian.net/browse/RHIDP-12583
The orchestrator plugin uses this GraphQL client: @urql/core, which has a dependency on this module, @0no-co/graphql.web, which was not correctly parsing the constructed GraphQL queries during execution when resolving to version 1.0.9. Updating to the latest @urql/core brings in an updated version of @0no-co/graphql.web which parses those queries correctly and will now throw an error when a query is malformed (happening during a malformed pagination example) and sanitize query filters.
This will also need to be applied to both the 1.8 and 1.9 branches for orchestrator