This repository has been archived by the owner on Apr 17, 2023. It is now read-only.
chore(deps): update dependency apollo-server to v2.25.4 [security] #1098
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.21.0
->2.25.4
GitHub Vulnerability Alerts
GHSA-qm7x-rc44-rrqw
Impact
In certain configurations, Apollo Server serves the client-side web app "GraphQL Playground" from the same web server that executes GraphQL operations. This web app has access to cookies and other credentials associated with the web server's operations. There is a cross-site scripting vulnerability in GraphQL Playground that allows for arbitrary JavaScript code execution in your web server's origin. If a user clicks a specially crafted link to your GraphQL Playground page served by Apollo Server, an attacker can steal cookies and other private browser data.
Details of the underlying GraphQL Playground vulnerability are available in this
graphql-playground
advisory. (A similar vulnerability exists in the relatedgraphiql
project.) This advisory focuses on identifying whether Apollo Server installations are vulnerable and mitigating the vulnerability in Apollo Server; see the other advisories for details on the XSS vulnerability itself.The impact of this vulnerability is more severe if (as is common) your GraphQL server's origin URL is an origin that is used to store sensitive data such as cookies.
In order for this vulnerability to affect your Apollo Server installation, it must actually serve GraphQL Playground. The integration between Apollo Server and GraphQL Playground is different in Apollo Server 2 and Apollo Server 3. You can tell which version of Apollo Server you are running by looking at the version of the package from which you import the
ApolloServer
class: this may beapollo-server
,apollo-server-express
,apollo-server-lambda
, etc.Apollo Server 3
Apollo Server 3 does not serve GraphQL Playground by default. It has a landing page plugin system and the default plugin is a simple splash page that is not vulnerable to this exploit, linking to Apollo Sandbox Explorer. (We chose to change the default because GraphQL Playground is not actively maintained.)
If you are running Apollo Server 3, then you are only vulnerable if you explicitly import the
ApolloServerPluginLandingPageGraphQLPlayground
plugin and pass it to yourApolloServer
's constructor in theplugins
array. Otherwise, this advisory does not apply to your server.Apollo Server 2
Apollo Server 2 serves GraphQL Playground by default, unless the
NODE_ENV
environment variable is set toproduction
, or if you explicitly configure it via theplayground
option to theApolloServer
constructor.Your Apollo Server 2 installation is vulnerable if any of the following is true:
playground: true
to theApolloServer
constructorplayground: {title: "Title"}
to theApolloServer
constructorplayground
option to theApolloServer
constructor, and theNODE_ENV
environment variable is not set toproduction
Apollo Server 1
Apollo Server 1 included
graphiql
instead ofgraphql-playground
.graphiql
isn't automatically enabled in Apollo Server 1: you have to explicitly call a function such asgraphiqlExpress
to enable it. Because Apollo Server 1 is not commonly used, we have not done a detailed examination of whether the integration between Apollo Server 1 andgraphiql
is vulnerable to a similar exploit. If you are still using Apollo Server 1, we recommend you disablegraphiql
by removing thegraphiqlExpress
call, and then upgrade to a newer version of Apollo Server.Patches and workarounds
There are several approaches you can take to ensure that your server is not vulnerable to this issue.
Upgrade Apollo Server
The vulnerability has been patched in Apollo Server 2.25.3 and Apollo Server 3.4.1. To get the patch, upgrade your Apollo Server entry point package to one of the fixed versions; this package may be
apollo-server
,apollo-server-express
,apollo-server-lambda
, etc. Additionally, if you depend directly onapollo-server-core
in yourpackage.json
, make sure that you upgrade it to the same version.Upgrade Playground version only
If upgrading to the latest version of Apollo Server 2 or 3 quickly will be challenging, you can configure your current version of Apollo Server to serve the latest version of the GraphQL Playground app. This will pin your app to serve a specific version of GraphQL Playground and you will not receive updates to it when you upgrade Apollo Server later, but this may be acceptable because GraphQL Playground is not actively maintained.
The way to do this depends on what version of Apollo Server you're using and if you're already configuring GraphQL Playground.
ApolloServerPluginLandingPageGraphQLPlayground
and passes it to the Apollo Server constructor in theplugins
array. Add the optionversion: '1.7.42'
to this call, so it looks like:playground
option: If you are using Apollo Server 2 and do not currently pass theplayground
option tonew ApolloServer
, add aplayground
option like so:playground: true
orplayground: {x, y, z}
: If you are using Apollo Server 2 and currently passtrue
or an object tonew ApolloServer
, pass theversion
option under theplayground
option like so:Disable GraphQL Playground
If upgrading Apollo Server or GraphQL Playground is challenging, you can also disable GraphQL Playground.
In Apollo Server 3, remove the call to
ApolloServerPluginLandingPageGraphQLPlayground
from yourApolloServer
constructor'splugins
array. This will replace GraphQL Playground with a simple splash page. See the landing page plugins docs for details.In Apollo Server 2, add
playground: false
to yourApolloServer
constructor:new ApolloServer({ playground: false })
. This will replace GraphQL Playground with an attempt to execute a GraphQL operation, which will likely display an error in the browser.If you disable GraphQL Playground, any users who rely on it to execute GraphQL operations will need an alternative, such as the Apollo Studio Explorer's account-free Sandbox.
Credit
This vulnerability was discovered by @Ry0taK. Thank you!
The fix to GraphQL Playground was developed by @acao and @glasser with help from @imolorhe, @divyenduz, and @benjie.
For more information
If you have any questions or comments about this advisory:
graphql-playground
advisoryapollo-server
repoGHSA-2p3c-p3qw-69r4
Impact
The graphql-upload npm package can execute GraphQL operations contained in
content-type: multipart/form-data
POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they usecontent-type: multipart/form-data
, they can be "simple requests" which are not preflighted by browsers.If your GraphQL server uses
graphql-upload
and usesSameSite=None
cookies for authentication, then JS on any origin can cause browsers to send cookie-authenticated mutations to your GraphQL server, which will be executed without checking your CORS policy first. (The attack won't be able to see the response to the mutation if your CORS policy is set up properly, but the side effects of the mutation will still happen.)Additionally, if your GraphQL server uses
graphql-upload
relies on network properties for security (whether by explicitly looking at the client's IP address or by only being available on a private network), then JS on any origin can cause browsers (which may be on a private network or have an allowed IP address) to send mutations to your GraphQL server, which will be executed without checking your CORS policy first. (This attack does not require your server to use cookies. It is in some cases prevented by some browsers such as Chrome.)Apollo Server 2 bundled
graphql-upload
and enabled it by default, so by default, Apollo Server 2 servers are vulnerable to these CSRF attacks. (Apollo Server 1 did not bundlegraphql-upload
. Apollo Server 3 no longer bundlesgraphql-upload
, although AS3's docs do document how to manually integrate withgraphql-upload
.) It is enabled even if your server makes no use of the upload functionality.If you are running Apollo Server 2 (older than v2.25.4) and do not specify
uploads: false
tonew ApolloServer
, then you are vulnerable to this CSRF mutation attack.We recently introduced an opt-in CSRF prevention feature in Apollo Server 3.7. This feature successfully protects against CSRF even if you have manually integrated your AS3.7 server with
graphql-upload
. However, this feature is not available for Apollo Server 2.Patches
If you are using Apollo Server 2 and do not actually use uploads in your schema (ie, the
Upload
scalar is not used as the argument to any field or in any input object definition, and you do not specifyuploads
tonew ApolloServer
), then upgrading to Apollo Server 2.25.4 will automatically disablegraphql-upload
in your server. This will fix the CSRF mutation vulnerability.Upgrading to v2.25.4 does still leave your server vulnerable to non-mutation CSRF attacks such as timing attacks against query operations. To protect yourself against these potentially lower impact CSRF attack, we encourage upgrading to Apollo Server v3.7 and enabling CSRF prevention. See the Apollo Server 3 migration guide and the CSRF prevention docs for details.
If you are actively using the uploads feature with Apollo Server 2, then upgrading to v2.25.4 will not disable the feature and you will still be vulnerable. You should instead upgrade to v3.7 and enable the CSRF prevention feature.
If you are manually integrating the
graphql-upload
package with any version of Apollo Server (or any Node GraphQL server) and need to continue using the feature, then you must enable some sort of CSRF prevention feature to fix this vulnerability. We recommend the CSRF prevention feature in Apollo Server 3.7.Workarounds
Instead of upgrading your Apollo Server 2 server, you can specify
uploads: false
tonew ApolloServer
to disable thegraphql-upload
integration and protect against CSRF mutations. (Only do this if you do not actually use the uploads feature in your server!) This will still leave your server vulnerable to non-mutation CSRF attacks such as timing attacks against query operations; you need to upgrade to v3.7 and enable CSRF prevention to protect against these attacks.Related work
Release Notes
apollographql/apollo-server
v2.25.4
Compare Source
v2.25.3
Compare Source
v2.25.2
Compare Source
v2.25.1
Compare Source
v2.25.0
Compare Source
v2.24.1
Compare Source
v2.24.0
Compare Source
v2.23.0
Compare Source
v2.22.2
Compare Source
v2.22.1
Compare Source
v2.22.0
Compare Source
v2.21.2
Compare Source
v2.21.1
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.