This repository has been archived by the owner on Sep 20, 2023. It is now read-only.
Update dependency apollo-server-express to v2.14.2 [SECURITY] #4630
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.12.0
->2.14.2
GitHub Vulnerability Alerts
GHSA-w42g-7vfc-xf37
We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The Resolution section contains details on patched versions.
Impact
If
subscriptions: false
is passed to theApolloServer
constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. Ifintrospection: true
is passed to theApolloServer
constructor options, the impact is limited to user-provided validation rules (i.e., usingvalidationRules
) since there would be no expectation that introspection was disabled.The enforcement of user-provided validation rules on the HTTP transport is working as intended and is unaffected by this advisory. Similarly, disabling introspection on the HTTP transport is working as intended and is unaffected by this advisory.
In cases where
subscriptions: false
is not explicitly set, the subscription server is impacted since validation rules which are enforced on the main request pipeline within Apollo Server were not being passed to theSubscriptionServer.create
invocation (seen here, prior to the patch).The omitted validation rules for the subscription server include any
validationRules
passed by implementors to theApolloServer
constructor which were expected to be enforced on the subscriptions WebSocket endpoint. Additionally, because an internalNoIntrospection
validation rule is used to disable introspection, it would have been possible to introspect a server on the WebSocket endpoint that theSubscriptionServer
creates even though it was not possible on other transports (e.g. HTTP).The severity of risk depends on whether sensitive information is being stored in the schema itself. The contents of schema descriptions, or secrets which might be revealed by the names of types or field names within those types, will determine the risk to individual implementors.
Affected packages
The bug existed in
apollo-server-core
versions prior to version 2.14.2, however, this means all integration packages (e.g.,apollo-server-express
, etc.) prior to version 2.14.2 which depend onapollo-server-core
for their subscriptions support are affected. This includes theapollo-server
package that automatically provides an Express server.Therefore, for officially published Apollo Server packages, the full list of affected packages includes:
apollo-server
,apollo-server-azure-functions
,apollo-server-cache-memcached
,apollo-server-core
,apollo-server-cloud-functions
,apollo-server-cloudflare
,apollo-server-express
,apollo-server-fastify
,apollo-server-hapi
,apollo-server-koa
,apollo-server-lambda
, andapollo-server-micro
.Resolution
The problem is resolved in Apollo Server versions 2.14.2 or higher. If upgrading is not an option, see Workarounds below. When upgrading, ensure that the affected integration package (e.g.,
apollo-server-express
) and theapollo-server-core
package are both updated to the patched versions. (The version numbers should both be 2.14.2.)Workarounds
Upgrading to a patched version is the recommended solution. If upgrading is not an option, subscriptions can be disabled with
subscriptions: false
to resolve the impact. Disabling subscriptions in this way will disable all subscriptions support and the WebSocket transport:For more information
If you have any questions or comments about this advisory, please open an issue and the maintainers will try to assist.
Credit and appreciation
Apollo fully believes in ethical disclosure of vulnerabilities by security researchers who notify us with details and provide us time to address and fix the issues before publicly disclosing.
Credit for this discovery goes to the team at Bitwala, who reported the concern to us responsibly after discovering it during their own auditing.
Release Notes
apollographql/apollo-server
v2.14.2
Compare Source
v2.14.1
Compare Source
apollo-server-testing
: Ensure that user-provided context is cloned when usingcreateTestClient
, per the instructions in the integration testing section of the Apollo Server documentation. Issue #4170 PR #4175v2.14.0
Compare Source
apollo-server-core
/apollo-server-plugin-base
: Add support forwillResolveField
and corresponding end-handler withinexecutionDidStart
. This brings the remaining bit of functionality that was previously only available fromgraphql-extensions
to the new plugin API. Thegraphql-extensions
API (which was never documented) will be deprecated in Apollo Server 3.x. To see the documentation for the request pipeline API, see its documentation. For more details, see the attached PR. PR #3988apollo-server-core
: Deprecategraphql-extensions
. All internal usages of thegraphql-extensions
API have been migrated to the request pipeline plugin API. For any implementor-suppliedextensions
, a deprecation warning will be printed once per-extension, per-server-startup, notifying of the intention to deprecate. Extensions should migrate to the plugin API, which is outlined in its documentation. PR #4135apollo-engine-reporting
: Currently only for non-federated graphs.Added an experimental schema reporting option,
experimental_schemaReporting
, for Apollo Graph Manager users. Duringthis experiment, we'd appreciate testing and feedback from current and new
users of the schema registry!
Prior to the introduction of this feature, the only way to get schemas into
the schema registry in Apollo Graph Manager was to use the CLI and run
apollo schema:push
. Apollo schema reporting protocol is a newspecification for GraphQL servers to automatically report schemas to the
Apollo Graph Manager schema registry.
To enable schema reporting, provide a Graph Manager API key (available
free from Apollo Graph Manager) in the
APOLLO_KEY
environment variable and set theexperimental_schemaReporting
option to
true
in the Apollo Server constructor options, like so:For more details on the implementation of this new protocol, see the PR which
introduced it to Apollo Server and the preview documentation.
PR #4084
apollo-engine-reporting
: The underlying integration of this plugin, which instruments and traces the graph's resolver performance and transmits these metrics to Apollo Graph Manager, has been changed from the (soon to be deprecated)graphql-extensions
API to the new request pipelineplugins
API. PR #3998This change should be purely an implementation detail for a majority of users. There are, however, some special considerations which are worth noting:
ftv1
response onextensions
(which is present on the response from an implementing service to the gateway) is now placed on theextensions
after theformatResponse
hook. Anyone leveraging theextensions
.ftv1
data from theformatResponse
hook will find that it is no longer present at that phase.apollo-tracing
: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecatedgraphql-extensions
API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3991apollo-cache-control
: This package's internal integration with Apollo Server has been switched from using the soon-to-be-deprecatedgraphql-extensions
API to using the request pipeline plugin API. Behavior should remain otherwise the same. PR #3997v2.13.1
Compare Source
v2.13.0
Compare Source
WebSocket.Server
toApolloServer.installSubscriptionHandlers
. PR #2314apollo-server-lambda
: Support file uploads on AWS Lambda Issue #1419 Issue #1703 PR #3926apollo-engine-reporting
: Fix inadvertent conditional formatting which prevented automated persisted query (APQ) hits and misses from being reported to Apollo Graph Manager. PR #3986apollo-engine-reporting
: Deprecate theENGINE_API_KEY
environment variable in favor of its new name,APOLLO_KEY
. Continued use ofENGINE_API_KEY
will result in deprecation warnings and support for it will be removed in a future major version. #3923apollo-engine-reporting
: Deprecated theAPOLLO_SCHEMA_TAG
environment variable in favor of its new name,APOLLO_GRAPH_VARIANT
. Similarly, within theengine
configuration object, theschemaTag
property has been renamedgraphVariant
. The functionality remains otherwise unchanged, but their new names mirror the name used within Apollo Graph Manager. Continued use of the now-deprecated names will result in deprecation warnings and support will be dropped completely in the next "major" update. To avoid misconfiguration, a runtime error will be thrown if both new and deprecated names are set. PR #3855apollo-engine-reporting-protobuf
: (This is a breaking change only if you directly depend onapollo-engine-reporting-protobuf
.) Drop legacy fields that were never used byapollo-engine-reporting
. Added new fieldsStatsContext
to allowapollo-server
to send summary stats instead of full traces, and renamedFullTracesReport
toReport
andTraces
toTracesAndStats
since reports now can include stats as well as traces.Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.