- Fixed code injection vulnerability in generated JSDoc comments (CWE-94) — GraphQL type/field descriptions containing `*/` could break out of JSDoc comments and inject arbitrary TypeScript into the generated client. When a consumer imports or bundles the generated code, the injected statements execute. Any `*/` in schema-derived text is now escaped to `*\/` before interpolation into JSDoc blocks. This affects any pipeline that calls `generate()` with a schema obtained from an untrusted source (typosquatted endpoints, compromised GraphQL servers, multi-tenant platforms where users can edit type descriptions). Thanks to Hamza Haroon for the responsible disclosure. See #197.
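
The escaping described in this entry, shown beside the unescaped form as an added example (not the project's own code). The function names, the comment template and the sample description are assumptions made for illustration; `codeOutsideComments` is a simplified scanner used as a regression check on emitted comments.

```typescript
// Hypothetical helpers for illustration; not the generator's real internals.

// "Before" behaviour: schema text is interpolated into the JSDoc block as-is.
function jsDocUnsafe(description: string): string {
  return `/** ${description} */`;
}

// Fix described in the changelog: every `*/` in schema-derived text becomes `*\/`.
function escapeJsDoc(text: string): string {
  return text.replace(/\*\//g, "*\\/");
}

// "After" behaviour: escape first, then interpolate.
function jsDocSafe(description: string): string {
  return `/** ${escapeJsDoc(description)} */`;
}

// Regression check: drop every block comment the way a tokenizer would and
// return whatever is left over as code. Simplified: it ignores string literals
// and line comments, which is enough for output that should be comment-only.
function codeOutsideComments(source: string): string {
  let rest = "";
  let i = 0;
  while (i < source.length) {
    const open = source.indexOf("/*", i);
    if (open === -1) {
      rest += source.slice(i);
      break;
    }
    rest += source.slice(i, open);
    const close = source.indexOf("*/", open + 2);
    if (close === -1) break; // unterminated comment swallows the remainder
    i = close + 2;
  }
  return rest.trim();
}

// Constructed sample: a field description carrying a comment terminator
// followed by a harmless marker statement.
const sampleDescription = "Deprecated. */ export const MARKER = 1; /*";

// Unescaped output leaves the marker outside the comment; escaped output does not.
const leakedUnsafe = codeOutsideComments(jsDocUnsafe(sampleDescription));
const leakedSafe = codeOutsideComments(jsDocSafe(sampleDescription));
```

A check like `codeOutsideComments` can run in CI over every comment the generator emits for a fixture schema whose descriptions contain `*/`, failing the build if anything other than an empty string comes back.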