fix(orchestrator): Address CVE-2026-3118 (#2597) (#2727) #2728
Conversation
* fix: Update GraphQL client
* Filters, pagination and queries now use query variables; fixes CVE-2026-3118 and relates to JIRA https://redhat.atlassian.net/browse/RHIDP-12388 and https://redhat.atlassian.net/browse/RHIDP-12583
Review Summary by Qodo
Fix CVE-2026-3118 by migrating GraphQL queries to use parameterized variables
Walkthrough
Description
• Migrate GraphQL queries to use parameterized variables instead of string interpolation
• Update @urql/core dependency from 4.1.4 to 6.0.1 to address CVE-2026-3118
• Refactor filter builder to return FilterClause objects with separated clause and variables
• Implement query variable extraction for filters, pagination, and orderBy parameters
• Update all GraphQL queries to use gql template literals with variable parameters
Diagram
flowchart LR
A["Filter/Query Builders"] -- "Return FilterClause with variables" --> B["FilterClause Type"]
B -- "Contains clause string and variable array" --> C["Query Builder"]
C -- "Extracts variables into params object" --> D["GraphQL Query"]
D -- "Sends query with separate variables" --> E["URQL Client"]
E -- "Prevents injection attacks" --> F["Security Fix"]
File Changes
1. workspaces/orchestrator/plugins/orchestrator-backend/src/types/filterClause.ts
Code Review by Qodo
let formattedValue: any;
let paramType: string;
if (Array.isArray(binaryFilter.value)) {
  formattedValue = binaryFilter.value.map(v =>
    formatValue(binaryFilter.field, v, fieldDef, type),
  );
  paramType = isEnumFilter(binaryFilter.field, type)
    ? '[ProcessInstanceState!]'
    : '[String!]';
} else {
  formattedValue = formatValue(
    binaryFilter.field,
    binaryFilter.value,
    fieldDef,
    type,
  );
  paramType = 'String';
}

const clauseVariableName = `clauseVariable${nonSecureRandomAlphaNumeric()}`;
const clause = `${binaryFilter.field}: {${getGraphQLOperator(binaryFilter.operator)}: $${clauseVariableName}}`;
const filterClauseVariable: FilterClauseVariable = {
1. Enum variable type wrong (Bug, Correctness)
handleBinaryOperator sets the GraphQL variable type to "String" for scalar filters even when filtering the enum field "state". This can produce an invalid GraphQL operation (variable typed String used where ProcessInstanceState is expected), breaking fetchInstances() when filtering by state with EQ/LIKE/etc.
Agent Prompt
### Issue description
`handleBinaryOperator` generates GraphQL variable definitions for filter values. For the enum field `state`, scalar filters currently declare the variable as `String`, while array filters declare `[ProcessInstanceState!]`. This inconsistency can cause GraphQL validation errors because a variable declared as `String` may not be usable where an enum type is expected.
### Issue Context
- `isEnumFilter()` flags `ProcessInstance.state` as an enum field.
- `handleBinaryOperator()` currently sets `paramType = 'String'` for all scalar values.
### Fix Focus Areas
- workspaces/orchestrator/plugins/orchestrator-backend/src/helpers/filterBuilder.ts[183-212]
### Suggested fix
- When `isEnumFilter(binaryFilter.field, type)` is true and `binaryFilter.value` is not an array, set `paramType` to `ProcessInstanceState` (or the schema’s correct enum input type) instead of `String`.
- Consider centralizing the mapping from fieldDef/type -> GraphQL variable type so scalar/array cases stay consistent (e.g., `ProcessInstanceState` vs `[ProcessInstanceState!]`).
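As an added example (not code from this PR or from the orchestrator plugin), the builder below sketches the FilterClause approach the walkthrough describes and applies the one-place variable-type mapping the review above suggests, with the string-interpolated form kept beside it for contrast. The field list, the operator names (equal/like/in), the ProcessInstances/ProcessInstanceState schema names and the constructed payload are assumptions for illustration only.

```typescript
// Added illustration, not the project's code. Field names, operator mapping and the
// schema fragment (ProcessInstances, ProcessInstanceState, equal/like/in) are assumed.

type Operator = "EQ" | "LIKE" | "IN";

const OPERATORS: Record<Operator, string> = { EQ: "equal", LIKE: "like", IN: "in" };

// Assumed schema fragment: "state" is the only enum field in this demo.
const FIELD_TYPES: Record<string, string> = {
  state: "ProcessInstanceState",
  processId: "String",
  businessKey: "String",
};

interface FilterClauseVariable {
  name: string;   // variable name without the leading "$"
  type: string;   // GraphQL type written into the operation's variable definitions
  value: unknown; // value shipped in the separate "variables" payload, never in query text
}

interface FilterClause {
  clause: string; // fragment placed inside where: { ... }; references $name only
  variables: FilterClauseVariable[];
}

// BEFORE: the value is spliced into the query text. A value containing `"}` closes the
// current filter and lets the caller append conditions of their own.
function buildClauseInterpolated(field: string, op: Operator, value: string): string {
  return `${field}: {${OPERATORS[op]}: "${value}"}`;
}

// One place decides the variable type for a field, for scalar and array values alike,
// so an enum field is declared as ProcessInstanceState / [ProcessInstanceState!]
// and never as String.
function variableType(field: string, isArray: boolean): string {
  const scalar = FIELD_TYPES[field];
  if (scalar === undefined) {
    throw new Error(`unknown filter field: ${field}`);
  }
  return isArray ? `[${scalar}!]` : scalar;
}

// AFTER: the clause text references a variable; the value only ever appears in
// `variables`. A per-operation counter is enough for unique names; randomness is
// not needed for that purpose.
class InstanceQueryBuilder {
  private counter = 0;
  private clauses: FilterClause[] = [];

  addFilter(field: string, op: Operator, value: string | string[]): this {
    const name = `clauseVariable${this.counter++}`;
    this.clauses.push({
      clause: `${field}: {${OPERATORS[op]}: $${name}}`,
      variables: [{ name, type: variableType(field, Array.isArray(value)), value }],
    });
    return this;
  }

  build(): { query: string; variables: Record<string, unknown> } {
    const all: FilterClauseVariable[] = [];
    for (const c of this.clauses) {
      for (const v of c.variables) {
        all.push(v);
      }
    }
    const defs = all.map(v => `$${v.name}: ${v.type}`).join(", ");
    const where = this.clauses.map(c => c.clause).join(", ");
    const variables: Record<string, unknown> = {};
    for (const v of all) {
      variables[v.name] = v.value;
    }
    return {
      query: `query Instances(${defs}) { ProcessInstances(where: {${where}}) { id state } }`,
      variables,
    };
  }
}

// Constructed attacker-controlled value: closes the businessKey filter and appends a
// second condition on id when interpolated.
const PAYLOAD = 'x"}, id: {equal: "00000000-0000-0000-0000-000000000000';
```

Feeding PAYLOAD through buildClauseInterpolated yields `businessKey: {equal: "x"}, id: {equal: "0000…"}`, two conditions where one was intended; the same value through InstanceQueryBuilder leaves the query text as `businessKey: {equal: $clauseVariable0}` and carries the string, unchanged, in the variables map, where the GraphQL server treats it as data.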



fix: Update GraphQL client
Filters, pagination and queries now use query variables
fixes CVE-2026-3118 and relates to JIRA https://redhat.atlassian.net/browse/RHIDP-12388 and https://redhat.atlassian.net/browse/RHIDP-12583