JS: Add test case for GraphQLObjectType

Author: Napalys

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/graph-ql.js

@@ -1,5 +1,5 @@
 const express = require('express');
-const { graphql, buildSchema } = require('graphql');
+const { graphql, buildSchema, GraphQLObjectType, GraphQLString } = require('graphql');
 
 const app = express();
 app.use(express.json());
@@ -53,4 +53,30 @@ app.post('/graphql', async (req, res) => {
     rootValue: root1,
     variableValues: variables
   });
+
+  const MutationType = new GraphQLObjectType({
+    name: 'Mutation',
+    fields: {
+      runEval: {
+        type: GraphQLString,
+        args: {
+          value: { type: GraphQLString }
+        },
+        resolve: (_, { value }, context) => { // $ MISSING: Source[js/code-injection]
+          return eval(value); // $ MISSING: Alert[js/code-injection]
+        }
+      }
+    }
+  });
+  
+  const schema = new GraphQLSchema({
+    query: QueryType,
+    mutation: MutationType
+  });
+
+  await graphql({
+    schema,
+    source: query,
+    variableValues: variables
+  });
 });