·
3 commits
to master
since this release
-
Fixed code injection vulnerability in generated JSDoc comments (CWE-94) — GraphQL type/field descriptions containing
*/could break out of JSDoc comments and inject arbitrary TypeScript into the generated client. When a consumer imports or bundles the generated code, the injected statements execute. Any*/in schema-derived text is now escaped to*\/before interpolation into JSDoc blocks.This affects any pipeline that calls
generate()with a schema obtained from an untrusted source (typosquatted endpoints, compromised GraphQL servers, multi-tenant platforms where users can edit type descriptions).Thanks to Hamza Haroon for the responsible disclosure. See #197.