csharpsi / gremlin.net.extensions Goto Github PK

Hello, there!

As part of the university research we are currently doing regarding the security of Github Actions, we noticed that one or many of the workflows that are part of this repository are referencing vulnerable versions of the third-party actions. As part of a disclosure process, we decided to open issues to notify GitHub Community.

Please note that there are could be some false positives in our methodology, thus not all of the open issues could be valid. If that is the case, please let us know, so that we can improve on our approach. You can contact me directly using an email: ikoishy [at] ncsu.edu

Thanks in advance

1. The workflow pull_request.yml is referencing action gittools/actions/gitversion/setup using references v0.9.2. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.
2. The workflow pull_request.yml is referencing action gittools/actions/gitversion/execute using references v0.9.2. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.
3. The workflow release.yml is referencing action gittools/actions/gitversion/setup using references v0.9.2. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.
4. The workflow release.yml is referencing action gittools/actions/gitversion/execute using references v0.9.2. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.

The vulnerability fix that is missing by actions' versions could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider updating the reference to the action.

If you end up updating the reference, please let us know. We need the stats for the paper :-)

The following query fails compilation in Cosmos DB, as described in Azure/azure-cosmos-dotnet-v2#511:

var query = g.V().Where(__.In().Count().Is(1)).ToGremlinQuery(); // evaluates to "{g.V().where(in().count().is(1))}"
var result = await gremlinClient.SubmitAsync<dynamic>(query);

// throws
Gremlin.Net.Driver.Exceptions.ResponseException: 'ScriptEvaluationError: 

ActivityId : 1031492a-c72f-4ddb-922c-91f78565a907
ExceptionType : GraphSyntaxException
ExceptionMessage :
	Gremlin Query Syntax Error: Script compile error: Missing ')' @ line 1, column 12.
Source : Microsoft.Azure.Cosmos.Gremlin.Core
	GremlinRequestId : 1031492a-c72f-4ddb-922c-91f78565a907
	Context : graphcompute
	Scope : graphparse-translate-outer
	GraphInterOpStatusCode : QuerySyntaxError
	HResult : 0x80131500

I suppose a simple fix would be to always append __. before appending the inner query when the first argument is In or Out somewhere in or around this code block:

Currently, a new package version will be published to nuget.org whenever any commit drops onto master. This should be changed to use releases instead.

GremlinQuery.ToString() - returns only the stringBuilder value without appending the arguments.
the current behavior:
for a graph traversal in this structure: g.V().Has("key", "keyValue"')
the GraphTraversalExtensions.ToGremlinQuery will return queryBuilder with stringBuilder : g.V().has('key', key), and arguments: { key: keyValue }
I expected the GremlinQuery.ToString() to return: g.V().has('key', 'keyValue'), instead of it returns: g.V().has('key', key)

looking at the GremlinQuery class - it has a constractor gets 2 arguments: string builder, and dictionary of arguments
GremlinQuery(StringBuilder queryBuilder, Dictionary<string, object> arguments)
there is no useage in the arguments dictionary in GremlinQuery at all.
More then that - I expected the ToString function to return a string with the arguments inside it. but instead - I get only the string builder string without any manipulation on the string

Thanks for this library, it's great help!

As in the subject, when I use .Coalesce it seems it renders to the querystring only the first traversal? Not sure what I am doing wrong could you maybe try to reproduce it in a unit test case?

Thanks,

Leon

var query = g.V().Has("prop", true).ToGremlinQuery();
await gremlinClient.SubmitAsync<dynamic>(query);

throws

Gremlin.Net.Driver.Exceptions.ResponseException: 'ScriptEvaluationError: 

ActivityId : a9f26f87-0c55-45df-965d-34efe446273b
ExceptionType : GraphCompileException
ExceptionMessage :
	Gremlin Query Compilation Error: Unable to resolve symbol 'True' in the current context. @ line 1, column 19.
	1 Error(s)
Source : Microsoft.Azure.Cosmos.Gremlin.Core
	GremlinRequestId : a9f26f87-0c55-45df-965d-34efe446273b
	Context : graphcompute
	Scope : graphparse-translate-validatesymbolresolution
	GraphInterOpStatusCode : QuerySyntaxError
	HResult : 0x80131500
'

When assigning a cardinality to a property via:
vertex.Property(Cardinality.Single, "item_id", item_id);
Error returned as:
Microsoft.CSharp.RuntimeBinder.RuntimeBinderException: Cannot convert type 'Gremlin.Net.Process.Traversal.Cardinality' to 'string'

Proposed API:

Given the type:

public class Customer
{
    public Guid Id { get; set; }
    public string Name { get; set; }

    public Customer(string name) => (Id, Name) = (Guid.NewGuid(), name);
}

When the below query is created

var customer = new Customer("John");

g.AddV(nameof(Customer)).SetProperties(customer);

The underlying gremlin should look like this (note the named arguments - this is vital in order to avoid injection)

g.addV('Customer').property('id', '1af073e7-293d-4ae3-a96d-fd31fb71c09b').property('Name', name)

With a returned arguments dictionary that contains a key name and a value John

Given this class that maps to a vertex

	class Organization 
	{
		public Guid Id { get; set; }
		public string Name { get; set; }
		public int ZipCode { get; set; }
	}

this query works
g.V().HasLabel(nameof(Organization)).Has(nameof(Organization.Name).ToLower(), "abc")
But this does not:
g.V().Has(nameof(Organization), nameof(Organization.Name).ToLower(), "abc")
This query also works:
g.V().Has(nameof(Organization.Name).ToLower(), name)
Furthermore I wish the syntax can be simplified like this:
g.V().HasLabel<Organization>().Has(i => i.Name == "abc")
or even this:
g.V().Has<Organization>(i => i.Name == "abc")

Only happy path is covered by unit tests at the moment