
fix(orchestrator): Address CVE-2026-3118 (#2597) (#2727)#2728

Merged
lholmquist merged 1 commit into workspace/orchestrator from orchestrator-1.8 on Apr 8, 2026

Conversation

@lholmquist

Member
  • fix: Update graphql client

  • Filters, pagination and queries now use query variables

fixes CVE-2026-3118 and relates to JIRA https://redhat.atlassian.net/browse/RHIDP-12388 and https://redhat.atlassian.net/browse/RHIDP-12583

Hey, I just made a Pull Request!

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

@rhdh-qodo-merge


Review Summary by Qodo

Fix CVE-2026-3118 by migrating GraphQL queries to use parameterized variables

🐞 Bug fix ✨ Enhancement


Walkthroughs

Description
• Migrate GraphQL queries to use parameterized variables instead of string interpolation
• Update @urql/core dependency from 4.1.4 to 6.0.1 to address CVE-2026-3118
• Refactor filter builder to return FilterClause objects with separated clause and variables
• Implement query variable extraction for filters, pagination, and orderBy parameters
• Update all GraphQL queries to use gql template literals with variable parameters
Diagram
flowchart LR
  A["Filter/Query Builders"] -- "Return FilterClause with variables" --> B["FilterClause Type"]
  B -- "Contains clause string and variable array" --> C["Query Builder"]
  C -- "Extracts variables into params object" --> D["GraphQL Query"]
  D -- "Sends query with separate variables" --> E["URQL Client"]
  E -- "Prevents injection attacks" --> F["Security Fix"]

File Changes

1. workspaces/orchestrator/plugins/orchestrator-backend/src/types/filterClause.ts ✨ Enhancement +26/-0
   New FilterClause type definitions for parameterized queries

2. workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts ✨ Enhancement +105/-25
   Refactor filter builder to use query variables

3. workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/queryBuilder.ts ✨ Enhancement +63/-25
   Update query builder for parameterized GraphQL queries

4. workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilders.test.ts 🧪 Tests +156/-46
   Update filter builder tests for variable-based assertions

5. workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/queryBuilder.test.ts 🧪 Tests +7/-18
   Update query builder tests for parameterized queries

6. workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.ts ✨ Enhancement +102/-22
   Migrate all GraphQL queries to use variables and gql templates

7. workspaces/orchestrator/plugins/orchestrator-backend/src/service/DataIndexService.test.ts 🧪 Tests +197/-93
   Update service tests for parameterized query variables

8. workspaces/orchestrator/plugins/orchestrator-backend/src/types/pagination.ts ✨ Enhancement +7/-1
   Add PaginationQueryVariable interface for query parameters

9. workspaces/orchestrator/plugins/orchestrator-backend/package.json Dependencies +1/-1
   Update @urql/core dependency to 6.0.1

10. workspaces/orchestrator/.changeset/five-meals-cover.md 📝 Documentation +6/-0
    Document CVE fix and query variable refactoring changes

@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Apr 8, 2026


Code Review by Qodo

🐞 Bugs (1)   📘 Rule violations (0)   📎 Requirement gaps (0)   🎨 UX Issues (0)
🐞 ≡ Correctness (1)



Action required

1. Enum variable type wrong 🐞
Description
handleBinaryOperator sets the GraphQL variable type to "String" for scalar filters even when
filtering the enum field "state". This can produce an invalid GraphQL operation (variable typed
String used where ProcessInstanceState is expected), breaking fetchInstances() when filtering by
state with EQ/LIKE/etc.
Code

workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[R195-216]

+  let formattedValue: any;
+  let paramType: string;
+  if (Array.isArray(binaryFilter.value)) {
+    formattedValue = binaryFilter.value.map(v =>
+      formatValue(binaryFilter.field, v, fieldDef, type),
+    );
+    paramType = isEnumFilter(binaryFilter.field, type)
+      ? '[ProcessInstanceState!]'
+      : '[String!]';
+  } else {
+    formattedValue = formatValue(
+      binaryFilter.field,
+      binaryFilter.value,
+      fieldDef,
+      type,
+    );
+    paramType = 'String';
+  }
+
+  const clauseVariableName = `clauseVariable${nonSecureRandomAlphaNumeric()}`;
+  const clause = `${binaryFilter.field}: {${getGraphQLOperator(binaryFilter.operator)}: $${clauseVariableName}}`;
+  const filterClauseVariable: FilterClauseVariable = {
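Review bot: The `else` branch hard-codes `paramType = 'String'` while the array branch directly above chooses `'[ProcessInstanceState!]'` when `isEnumFilter(binaryFilter.field, type)` is true, so a scalar filter on `state` is declared with the wrong variable type; mirror the array branch with `paramType = isEnumFilter(binaryFilter.field, type) ? 'ProcessInstanceState' : 'String';`, or move both decisions into one helper that takes the field and an `isArray` flag so the two cases cannot drift apart again. Two smaller points on the same lines: naming the variable with `nonSecureRandomAlphaNumeric()` makes the generated operation text non-deterministic (harder to assert on in tests and to cache) and leaves a collision between two clause variables possible, where a caller-supplied counter (`clauseVariable0`, `clauseVariable1`, ...) would be deterministic and collision-free; and `let formattedValue: any` discards the type checker over exactly the branch that differs, so narrowing it to the return type of `formatValue` (and its array form) would let the compiler catch a mismatch between `formattedValue` and `paramType`.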
Evidence
The code explicitly treats state as an enum field but only emits the enum variable type for array
values; scalar values always get paramType = 'String'. The repo’s shared model defines
ProcessInstanceState as an enum, and ProcessInstance.state is typed as enum values, supporting
that the GraphQL filter should be enum-typed rather than String-typed.

workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[164-174]
workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[183-212]
workspaces/orchestrator/plugins/orchestrator-common/src/models.ts[19-26]
workspaces/orchestrator/plugins/orchestrator-common/src/models.ts[75-85]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`handleBinaryOperator` generates GraphQL variable definitions for filter values. For the enum field `state`, scalar filters currently declare the variable as `String`, while array filters declare `[ProcessInstanceState!]`. This inconsistency can cause GraphQL validation errors because a variable declared as `String` may not be usable where an enum type is expected.

### Issue Context
- `isEnumFilter()` flags `ProcessInstance.state` as an enum field.
- `handleBinaryOperator()` currently sets `paramType = 'String'` for all scalar values.

### Fix Focus Areas
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[183-212]

### Suggested fix
- When `isEnumFilter(binaryFilter.field, type)` is true and `binaryFilter.value` is not an array, set `paramType` to `ProcessInstanceState` (or the schema’s correct enum input type) instead of `String`.
- Consider centralizing the mapping from fieldDef/type -> GraphQL variable type so scalar/array cases stay consistent (e.g., `ProcessInstanceState` vs `[ProcessInstanceState!]`).

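The review summary above describes the PR's core change (values move out of the query string into GraphQL query variables) and the code review flags the scalar-versus-array variable typing for the enum field `state`. The following is an added TypeScript example, not code from the orchestrator project, that puts both ideas side by side: a string-interpolated filter builder of the kind the PR removes, a variable-based builder that returns a clause plus its variables, and one helper that decides the GraphQL variable type for both scalar and array values. All names (`BinaryFilter`, `FilterClause`, `buildQuery`, `graphqlVariableType`, the sample filters) are hypothetical, as is the assumption that `state` is the only enum-typed filter field.

```typescript
// Added example, not the orchestrator project's code. Contrasts an
// interpolated GraphQL filter with the query-variable form and keeps the
// variable type for scalar and array values in one helper. All names and
// the "state is the only enum field" assumption are hypothetical.

type FilterOperator = 'EQ' | 'LIKE' | 'IN';

interface BinaryFilter {
  field: string;
  operator: FilterOperator;
  value: string | string[];
}

interface FilterClauseVariable {
  name: string;              // variable name without the leading "$"
  type: string;              // GraphQL type, e.g. "String" or "[ProcessInstanceState!]"
  value: string | string[];  // raw value, sent separately from the query text
}

interface FilterClause {
  clause: string;                    // query fragment that references "$name" only
  variables: FilterClauseVariable[];
}

interface BuiltQuery {
  query: string;
  variables: Record<string, string | string[]>;
}

// Fields whose values are GraphQL enums rather than strings (assumption).
const ENUM_FIELDS: Record<string, string> = { state: 'ProcessInstanceState' };

const OPERATORS: Record<FilterOperator, string> = { EQ: 'equal', LIKE: 'like', IN: 'in' };

// One place decides the variable type, so a scalar "state" filter gets
// ProcessInstanceState and an array gets [ProcessInstanceState!].
function graphqlVariableType(field: string, isArray: boolean): string {
  const base = ENUM_FIELDS[field] ?? 'String';
  return isArray ? `[${base}!]` : base;
}

// Interpolated form (the pattern being replaced): the value becomes query
// text, so any quote or brace inside it alters the operation itself.
function buildClauseInterpolated(f: BinaryFilter): string {
  const literal = Array.isArray(f.value)
    ? `[${f.value.map(v => `"${v}"`).join(', ')}]`
    : `"${f.value}"`;
  return `${f.field}: {${OPERATORS[f.operator]}: ${literal}}`;
}

// Parameterized form: the clause names a variable and the value never touches
// the query string. Index-based names are deterministic and cannot collide.
function buildClause(f: BinaryFilter, index: number): FilterClause {
  const name = `clauseVariable${index}`;
  return {
    clause: `${f.field}: {${OPERATORS[f.operator]}: $${name}}`,
    variables: [{ name, type: graphqlVariableType(f.field, Array.isArray(f.value)), value: f.value }],
  };
}

// Collects every clause's variables into the operation's variable definitions
// and into the separate variables object handed to the GraphQL client.
function buildQuery(filters: BinaryFilter[]): BuiltQuery {
  const clauses = filters.map((f, i) => buildClause(f, i));
  const variables: Record<string, string | string[]> = {};
  const definitions: string[] = [];
  for (const c of clauses) {
    for (const v of c.variables) {
      definitions.push(`$${v.name}: ${v.type}`);
      variables[v.name] = v.value;
    }
  }
  const where = clauses.map(c => c.clause).join(', ');
  const query =
    `query Instances(${definitions.join(', ')}) ` +
    `{ ProcessInstances(where: {${where}}) { id state } }`;
  return { query, variables };
}

// Constructed input: an enum filter, a free-text value containing quotes,
// and an array filter on the enum field.
const SAMPLE_FILTERS: BinaryFilter[] = [
  { field: 'state', operator: 'EQ', value: 'ACTIVE' },
  { field: 'processName', operator: 'LIKE', value: 'daily "report"' },
  { field: 'state', operator: 'IN', value: ['ACTIVE', 'ERROR'] },
];

function compare(filters: BinaryFilter[]): { interpolated: string; parameterized: BuiltQuery } {
  const interpolated = filters.map(buildClauseInterpolated).join(', ');
  return { interpolated, parameterized: buildQuery(filters) };
}

const result = compare(SAMPLE_FILTERS);
console.log(result.interpolated);
console.log(result.parameterized.query);
console.log(JSON.stringify(result.parameterized.variables));
```

Running it shows the interpolated clause carrying the raw quotes from the second filter inside the query text, while the parameterized query text is fixed and the same value appears only under `clauseVariable1` in the variables object; the variable definitions read `$clauseVariable0: ProcessInstanceState` for the scalar enum filter and `$clauseVariable2: [ProcessInstanceState!]` for the array one.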

@sonarqubecloud

sonarqubecloud Bot commented Apr 8, 2026


@lholmquist lholmquist merged commit 5f58cbe into workspace/orchestrator Apr 8, 2026
9 checks passed