Add new Cop enforce object_from_id expected_type

To avoid possible security issues we need to enforce the usage of the
`expected_type` parameter whenever possible when converting a GID string
into an object.

.rubocop.yml

@@ -362,6 +362,15 @@ Graphql/AuthorizeTypes:
     - 'spec/**/*.rb'
     - 'ee/spec/**/*.rb'
 
+Graphql/GIDExpectedType:
+  Enabled: true
+  Include:
+    - 'app/graphql/**/*'
+    - 'ee/app/graphql/**/*'
+  Exclude:
+    - 'spec/**/*.rb'
+    - 'ee/spec/**/*.rb'
+
 Graphql/JSONType:
   Enabled: true
   Include:

rubocop/cop/graphql/gid_expected_type.rb

+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Graphql
+      class GIDExpectedType < RuboCop::Cop::Cop
+        MSG = 'Add an expected_type parameter to #object_from_id calls if possible.'
+
+        def_node_search :id_from_object?, <<~PATTERN
+          (send ... :object_from_id (...))
+        PATTERN
+
+        def on_send(node)
+          return unless id_from_object?(node)
+
+          add_offense(node)
+        end
+      end
+    end
+  end
+end

spec/rubocop/cop/graphql/gid_expected_type_spec.rb

+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+require 'rubocop'
+
+require_relative '../../../../rubocop/cop/graphql/gid_expected_type'
+
+RSpec.describe RuboCop::Cop::Graphql::GIDExpectedType, type: :rubocop do
+  include CopHelper
+
+  subject(:cop) { described_class.new }
+
+  it 'adds an offense when there is no expected_type parameter' do
+    inspect_source(<<~TYPE)
+      GitlabSchema.object_from_id(received_id)
+    TYPE
+
+    expect(cop.offenses.size).to eq 1
+  end
+
+  it 'does not add an offense for calls that have an expected_type parameter' do
+    expect_no_offenses(<<~TYPE.strip)
+      GitlabSchema.object_from_id("some_id", expected_type: SomeClass)
+    TYPE
+  end
+end