5 changes: 5 additions & 0 deletions workspaces/orchestrator/.changeset/five-meals-cover.md
@@ -0,0 +1,5 @@
---
'@red-hat-developer-hub/backstage-plugin-orchestrator-backend': patch
---

Update dependecy @urql/core to fix CVE-2026-3118
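Review bot: `Update dependecy @urql/core to fix CVE-2026-3118` misspells "dependency", and this line is what ends up in the generated changelog; suggest `Update dependency @urql/core to fix CVE-2026-3118`. Since the accompanying `package.json` change moves a direct dependency from v4 to v6, also consider whether `patch` is the right bump type for `@red-hat-developer-hub/backstage-plugin-orchestrator-backend`, or at least say in the changeset text that `@urql/core` crossed two major versions so downstream consumers know to look for behaviour changes.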
@@ -76,7 +76,7 @@
"@backstage/plugin-scaffolder-node": "^0.12.4",
"@red-hat-developer-hub/backstage-plugin-orchestrator-common": "workspace:^",
"@red-hat-developer-hub/backstage-plugin-orchestrator-node": "workspace:^",
"@urql/core": "^4.1.4",
"@urql/core": "^6.0.1",
Action required

1. Graphql filter injection risk 🐞 Bug ⛨ Security

Request-body filter values are inserted into GraphQL query strings without escaping, so
quotes/braces in filter values can break query parsing and allow query-shape injection against the
Data Index GraphQL endpoint. This becomes more user-visible with the @urql/core upgrade because
malformed queries will error instead of being tolerated downstream.
Agent Prompt
### Issue description
`filters` coming from `req.body` are embedded into GraphQL query strings without escaping, which can break query parsing and enables query-shape injection.

### Issue Context
- `router.ts` returns request filters directly from the body.
- `filterBuilder.ts` wraps string values in quotes without escaping.
- Queries are executed by passing constructed strings into `@urql/core`.

### Fix Focus Areas
- Sanitize/escape GraphQL string literal values (at minimum via `JSON.stringify(String(value))`) before embedding them into query strings.
- Prefer GraphQL variables wherever possible (for values like `definitionId`, `instanceId`, and filter values).
- Validate filter objects from the request (shape + value types) and reject invalid characters if variables cannot be used.

#### Files/lines
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts[1098-1100]
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[101-155]
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[251-277]
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts[132-153]
- workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts[404-454]
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/queryBuilder.ts[18-38]


"ajv-formats": "^2.1.1",
"cloudevents": "^8.0.0",
"express": "^4.21.2",
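Review bot: `"@urql/core": "^4.1.4"` becomes `"^6.0.1"`, two major versions in one step, yet the version string is the only line that changes; the code that hands constructed query strings to `@urql/core` (the comment above names `DataIndexService.ts` and `queryBuilder.ts`) is untouched. Please confirm the v5 and v6 breaking changes were reviewed for those call sites and that the stricter parsing the comment describes was exercised against filter values containing quotes or braces, otherwise the CVE fix lands together with a regression in Data Index queries. The injection itself is better closed in the same series by moving filter values into GraphQL variables, as the comment suggests, rather than relying on the newer parser to reject malformed strings.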
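Added example (not the orchestrator plugin's own code) showing the three remediation steps the inline comment above lists for `filterBuilder.ts` and `DataIndexService.ts`: the unescaped quoting the comment describes, the `JSON.stringify(String(value))` escape, and a validated filter passed as a GraphQL variable. Helper names and the Data Index query shape (`ProcessInstances` / `where` / `equal`, `ProcessInstanceArgument`) are assumptions.

```typescript
// Added example, not code from the orchestrator plugin. Helper names and the
// Data Index query shape (ProcessInstances / where / equal) are assumptions.

type Scalar = string | number | boolean;
type Filter = Record<string, Scalar>;

// Pattern the comment flags: a string value is wrapped in quotes but not
// escaped, so a quote or brace inside it changes the query's structure.
export function buildFilterUnescaped(filter: Filter): string {
  return Object.entries(filter)
    .map(([k, v]) => `${k}: {equal: ${typeof v === 'string' ? `"${v}"` : v}}`)
    .join(', ');
}

// Minimum fix: JSON.stringify(String(v)) yields one quoted, escaped literal,
// so the value can no longer terminate the string or add fields.
export function buildFilterEscaped(filter: Filter): string {
  return Object.entries(filter)
    .map(([k, v]) => `${k}: {equal: ${typeof v === 'string' ? JSON.stringify(String(v)) : v}}`)
    .join(', ');
}

// Preferred fix: validate the request filter's shape and value types, then
// send it as a GraphQL variable so the query text stays constant.
const GRAPHQL_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

export function validateFilter(input: unknown): Filter {
  if (typeof input !== 'object' || input === null || Array.isArray(input)) {
    throw new Error('filter must be an object');
  }
  const out: Filter = {};
  for (const [k, v] of Object.entries(input as Record<string, unknown>)) {
    if (!GRAPHQL_NAME.test(k)) throw new Error(`invalid filter field name: ${k}`);
    if (!['string', 'number', 'boolean'].includes(typeof v)) {
      throw new Error(`unsupported value type for ${k}: ${typeof v}`);
    }
    out[k] = v as Scalar;
  }
  return out;
}

export function buildFilterWithVariables(input: unknown) {
  const where: Record<string, { equal: Scalar }> = {};
  for (const [k, v] of Object.entries(validateFilter(input))) where[k] = { equal: v };
  return {
    query: 'query Instances($where: ProcessInstanceArgument) { ProcessInstances(where: $where) { id state } }',
    variables: { where },
  };
}
```

Sending `query` together with `variables` through `@urql/core`'s `client.query(query, variables)` keeps the user-supplied value out of the parsed document entirely.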
20 changes: 10 additions & 10 deletions workspaces/orchestrator/yarn.lock
Expand Up @@ -5,15 +5,15 @@ __metadata:
version: 8
cacheKey: 10c0

"@0no-co/graphql.web@npm:^1.0.1":
version: 1.0.9
resolution: "@0no-co/graphql.web@npm:1.0.9"
"@0no-co/graphql.web@npm:^1.0.13":
version: 1.2.0
resolution: "@0no-co/graphql.web@npm:1.2.0"
peerDependencies:
graphql: ^14.0.0 || ^15.0.0 || ^16.0.0
peerDependenciesMeta:
graphql:
optional: true
checksum: 10c0/06c1acf62b0945d59f480481bc1a81b1542d5343bfef0e7cc88e4d582d49e242f3321f3a49b9e19f9d2cc270afa5415df7bed4f64ef1294b80c10f6d6b7b8602
checksum: 10c0/4eed600962bfab42afb49cddcfb31a47b00502f59707609cf160559920ce0f5cf8874791e4cafc465ede30ae291992f3f892bc757b2a989e80e50e358f71c518
languageName: node
linkType: hard

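Review bot: `@0no-co/graphql.web` moves from 1.0.9 to 1.2.0 only because `@urql/core@6.0.1` now declares `^1.0.13`; the old `^1.0.1` descriptor entry is dropped entirely rather than kept alongside, so nothing else in the workspace still resolves to it, which is the expected result of running `yarn install` after editing `package.json`. Worth confirming the lockfile was regenerated rather than hand-edited, since the `checksum:` lines must match the registry tarballs for the `linkType: hard` install to succeed.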
@@ -12514,7 +12514,7 @@ __metadata:
"@types/fs-extra": "npm:11.0.4"
"@types/json-schema": "npm:7.0.15"
"@types/luxon": "npm:^3.7.1"
"@urql/core": "npm:^4.1.4"
"@urql/core": "npm:^6.0.1"
ajv-formats: "npm:^2.1.1"
cloudevents: "npm:^8.0.0"
express: "npm:^4.21.2"
@@ -16575,13 +16575,13 @@ __metadata:
languageName: node
linkType: hard

"@urql/core@npm:^4.1.4":
version: 4.3.0
resolution: "@urql/core@npm:4.3.0"
"@urql/core@npm:^6.0.1":
version: 6.0.1
resolution: "@urql/core@npm:6.0.1"
dependencies:
"@0no-co/graphql.web": "npm:^1.0.1"
"@0no-co/graphql.web": "npm:^1.0.13"
wonka: "npm:^6.3.2"
checksum: 10c0/25a50cd11f27abca36ba07a93a393a3b0343d8d0957bf7fef4ddcc49d7582c751bb0c86f26c4f5e9342409237b92da569cfc90745a34539dfe8b5ebc426e112a
checksum: 10c0/44ff0d12dcef1e47338a9ff1217759d1124fa66eec1eec21ff9622e44c179b9d66fa78f462f195bfd8b790b04609abbe5a0674cbfcb0bc6d9c6fe6223d7d7b5b
languageName: node
linkType: hard

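Review bot: the new range `^6.0.1` resolves to exactly 6.0.1, its lower bound, and `wonka: "npm:^6.3.2"` is unchanged; the changeset says this version fixes CVE-2026-3118 but nothing in the PR cites the advisory, so link it (or the upstream release notes) in the description so a future reader can tell whether 6.0.1 is the first fixed version or merely the one that was current when the lockfile was regenerated.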