When we see that @provides specifies an overridden field, remove it from the field selection. #3191

Apollo SecOps / Static App Security Check completed Jan 24, 2025 in 37s

Static App Security Check

🟡 Potential Security Issues Found

If you are seeing this message, it means that the security scanning tool that Apollo uses to test our source has identified a potential security issue in code introduced or updated via your branch. Information about what was detected and steps to move forward are below.

If the scanner detected a legitimate issue, please take action to correct it prior to merging this PR. The action required will vary based on the detection. If the detection is a false positive, please follow the steps below to resolve the issue.

Issues Detected

1. Message: Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution.
   Caused CI failure? No
   Path: composition-js/src/merging/merge.ts
   Signature: rules.providers.gitlab.security.eslint.detect-object-injection

2. Message: Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution.
   Caused CI failure? No
   Path: composition-js/src/merging/merge.ts
   Signature: rules.providers.gitlab.security.eslint.detect-object-injection

False Positive Resolution Process

The easiest way to resolve a false positive is to add a comment containing nosemgrep to the code that triggered the detection. You can add the comment directly to the line triggering the detection or on the line immediately above it. For example:

#!/usr/bin/env python3

def my_function():
    my_code_generating_detection() # nosemgrep

What if I can't add a line comment?

If you can't add a comment because the detection is generated by a file that does not support comments (like JSON), you can use Semgrep's .semgrepignore file. For more information about how to create an exclusion via .semgrepignore, refer to the Semgrep documentation.

Getting Help

The Apollo Security team is available to assist in resolving this issue. Please tag us on this PR using @apollographql/security if you need assistance!

How do I know I fixed this correctly?

You will need to resolve all items in the table above that "Caused CI Failure" prior to merging. Once you have, this check will stop reporting an ❌. We encourage you to resolve issues that aren't causing CI failures as well, but it is not required to merge.

Annotations

Check warning on line 2124 in composition-js/src/merging/merge.ts

apollo-secops / Static App Security Check

rules.providers.gitlab.security.eslint.detect-object-injection

Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution.

Check warning on line 2134 in composition-js/src/merging/merge.ts

rules.providers.gitlab.security.eslint.detect-object-injection

Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution.