Infinite loop with referential input objects and argument authorization #2554

Closed
benhutton opened this issue Oct 16, 2019 · 4 comments · Fixed by #2576

@benhutton

Say you have a pair of input objects that reference each other as arguments:

class A < GraphQL::Schema::InputObject
  argument :b, 'B', required: false
end

class B < GraphQL::Schema::InputObject
  argument :a, 'A', required: false
end

We have a number of sets of looping input objects. Sometimes pairs. Sometimes groups of three: A refers to B and C. B refers to A and C. C refers to A and B.

We see an infinite loop looking like this:

     # /Users/joe/.rvm/gems/ruby-2.6.5/gems/graphql-1.9.14/lib/graphql/schema/argument.rb:100:in `block in authorized?'
     # /Users/joe/.rvm/gems/ruby-2.6.5/gems/graphql-1.9.14/lib/graphql/schema/argument.rb:99:in `each'
     # /Users/joe/.rvm/gems/ruby-2.6.5/gems/graphql-1.9.14/lib/graphql/schema/argument.rb:99:in `authorized?'
     # /Users/joe/.rvm/gems/ruby-2.6.5/gems/graphql-1.9.14/lib/graphql/schema/argument.rb:100:in `block in authorized?'
     # /Users/joe/.rvm/gems/ruby-2.6.5/gems/graphql-1.9.14/lib/graphql/schema/argument.rb:99:in `each'
     # /Users/joe/.rvm/gems/ruby-2.6.5/gems/graphql-1.9.14/lib/graphql/schema/argument.rb:99:in `authorized?'
     # /Users/joe/.rvm/gems/ruby-2.6.5/gems/graphql-1.9.14/lib/graphql/schema/argument.rb:100:in `block in authorized?'
     # /Users/joe/.rvm/gems/ruby-2.6.5/gems/graphql-1.9.14/lib/graphql/schema/argument.rb:99:in `each'
     # /Users/joe/.rvm/gems/ruby-2.6.5/gems/graphql-1.9.14/lib/graphql/schema/argument.rb:99:in `authorized?'

We believe this is caused by the changes here: 961cb86#diff-5e2d79f8b98d655ddf9d2469210c729d

@rmosolgo
Owner

Thanks for the detailed report! You can see I got as far as self-referencing input objects, but not multi-step cycles. On 1.10-dev, argument values are passed along through authorization, so we check for nil, and stop authorizing in that case. I think that would address this problem, since even if the schema is recursive, the actual input value must be finite.

Want to try 1.10.0.pre1? There are some significant changes, which you can see in the changelog: https://github.com/rmosolgo/graphql-ruby/blob/1.10-dev/CHANGELOG.md#1100pre1-10-oct-2019

If that doesn't work, you could also override the changes in that commit in your base InputObject class, e.g.:

class Types::BaseInputObject < GraphQL::Schema::InputObject
  def self.authorized?(*)
    true
  end
end

Alternatively, if you can imagine some reasonable solution to this issue which works without the changes in 1.10, I'm all ears!
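
The difference between walking the schema and walking the input value, as an added example that is not part of the original thread and not graphql-ruby's own code. It is a plain-Ruby model; `SCHEMA`, `ALLOW`, `ADMIN`, the `secret` argument, `INPUT` and the depth limit are all constructed for illustration.

```ruby
# Constructed model of the three-way cycle from the report (A, B, C reference each other).
# Each input type maps argument name => [referenced input type or nil, authorization rule].
ALLOW = ->(_ctx) { true }
ADMIN = ->(ctx) { ctx[:admin] == true }   # hypothetical per-argument rule

SCHEMA = {
  "A" => { b: ["B", ALLOW], c: ["C", ALLOW], name: [nil, ALLOW] },
  "B" => { a: ["A", ALLOW], c: ["C", ALLOW], secret: [nil, ADMIN] },
  "C" => { a: ["A", ALLOW], b: ["B", ALLOW] },
}.freeze

# Schema-driven walk: follows every argument definition, supplied or not.
# On a cyclic schema it never bottoms out; the depth limit stands in for the
# endless authorized?/each frames in the backtrace.
def authorized_by_schema?(type, ctx, depth = 0, limit = 100)
  raise "runaway recursion at depth #{depth}" if depth > limit
  SCHEMA.fetch(type).all? do |_name, (ref, rule)|
    rule.call(ctx) && (ref.nil? || authorized_by_schema?(ref, ctx, depth + 1, limit))
  end
end

# Value-driven walk: recurse only into arguments the client actually sent and
# stop at nil. The input is a finite tree, so this terminates, and every
# supplied argument's rule still runs. Unknown arguments fail closed.
def authorized_by_value?(type, value, ctx)
  value.all? do |name, arg_value|
    ref, rule = SCHEMA.fetch(type)[name]
    next false if rule.nil? || !rule.call(ctx)
    ref.nil? || arg_value.nil? || authorized_by_value?(ref, arg_value, ctx)
  end
end

def schema_walk_terminates?(type, ctx)
  authorized_by_schema?(type, ctx)
  true
rescue RuntimeError
  false
end

# Constructed input for type A: nests A -> B -> A and sets B's restricted argument.
INPUT = { b: { a: { name: "x", b: nil }, secret: "s" } }.freeze

puts "schema walk terminates: #{schema_walk_terminates?('A', { admin: true })}"
puts "value walk, admin:      #{authorized_by_value?('A', INPUT, { admin: true })}"
puts "value walk, non-admin:  #{authorized_by_value?('A', INPUT, { admin: false })}"
```

In this model the value-driven walk still denies the non-admin request because the `secret` rule is evaluated, which a blanket `authorized?` override returning `true` would not do.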

@benhutton
Author

@rmosolgo 1.10.0.pre1 does indeed fix our problem! Any ETA on when 1.10.0 will be released?

@rmosolgo
Owner

I have a checklist, but not a date: #2100

There's still a lot to do 😅

But GitHub is running on 1.10-dev, so you can consider it pretty stable!

@jaycetde

I didn't have luck overriding the authorized? method as it is above. Instead, this worked:

class BaseInputObjectArgument < GraphQL::Schema::Argument
  def authorized?(*)
    true
  end
end

class BaseInput < GraphQL::Schema::InputObject
  argument_class BaseInputObjectArgument
end
