Update dependency apollo-server-express to v2.14.2 [SECURITY] #25
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.7.2
->2.14.2
GitHub Vulnerability Alerts
GHSA-w42g-7vfc-xf37
We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The Resolution section contains details on patched versions.
Impact
If
subscriptions: false
is passed to theApolloServer
constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. Ifintrospection: true
is passed to theApolloServer
constructor options, the impact is limited to user-provided validation rules (i.e., usingvalidationRules
) since there would be no expectation that introspection was disabled.The enforcement of user-provided validation rules on the HTTP transport is working as intended and is unaffected by this advisory. Similarly, disabling introspection on the HTTP transport is working as intended and is unaffected by this advisory.
In cases where
subscriptions: false
is not explicitly set, the subscription server is impacted since validation rules which are enforced on the main request pipeline within Apollo Server were not being passed to theSubscriptionServer.create
invocation (seen here, prior to the patch).The omitted validation rules for the subscription server include any
validationRules
passed by implementors to theApolloServer
constructor which were expected to be enforced on the subscriptions WebSocket endpoint. Additionally, because an internalNoIntrospection
validation rule is used to disable introspection, it would have been possible to introspect a server on the WebSocket endpoint that theSubscriptionServer
creates even though it was not possible on other transports (e.g. HTTP).The severity of risk depends on whether sensitive information is being stored in the schema itself. The contents of schema descriptions, or secrets which might be revealed by the names of types or field names within those types, will determine the risk to individual implementors.
Affected packages
The bug existed in
apollo-server-core
versions prior to version 2.14.2, however, this means all integration packages (e.g.,apollo-server-express
, etc.) prior to version 2.14.2 which depend onapollo-server-core
for their subscriptions support are affected. This includes theapollo-server
package that automatically provides an Express server.Therefore, for officially published Apollo Server packages, the full list of affected packages includes:
apollo-server
,apollo-server-azure-functions
,apollo-server-cache-memcached
,apollo-server-core
,apollo-server-cloud-functions
,apollo-server-cloudflare
,apollo-server-express
,apollo-server-fastify
,apollo-server-hapi
,apollo-server-koa
,apollo-server-lambda
, andapollo-server-micro
.Resolution
The problem is resolved in Apollo Server versions 2.14.2 or higher. If upgrading is not an option, see Workarounds below. When upgrading, ensure that the affected integration package (e.g.,
apollo-server-express
) and theapollo-server-core
package are both updated to the patched versions. (The version numbers should both be 2.14.2.)Workarounds
Upgrading to a patched version is the recommended solution. If upgrading is not an option, subscriptions can be disabled with
subscriptions: false
to resolve the impact. Disabling subscriptions in this way will disable all subscriptions support and the WebSocket transport:For more information
If you have any questions or comments about this advisory, please open an issue and the maintainers will try to assist.
Credit and appreciation
Apollo fully believes in ethical disclosure of vulnerabilities by security researchers who notify us with details and provide us time to address and fix the issues before publicly disclosing.
Credit for this discovery goes to the team at Bitwala, who reported the concern to us responsibly after discovering it during their own auditing.
Release Notes
apollographql/apollo-server (apollo-server-express)
v2.14.2
Compare Source
v2.14.1
Compare Source
v2.14.0
Compare Source
v2.13.1
Compare Source
v2.13.0
Compare Source
v2.12.0
Compare Source
v2.11.0
Compare Source
v2.10.1
Compare Source
v2.10.0
Compare Source
v2.9.16
Compare Source
v2.9.15
Compare Source
v2.9.14
Compare Source
v2.9.13
Compare Source
v2.9.12
Compare Source
v2.9.11
Compare Source
v2.9.10
Compare Source
v2.9.9
Compare Source
v2.9.8
Compare Source
v2.9.7
Compare Source
v2.9.6
Compare Source
v2.9.5
Compare Source
v2.9.4
Compare Source
v2.9.3
Compare Source
v2.9.2
Compare Source
v2.9.1
Compare Source
v2.9.0
Compare Source
v2.8.2
Compare Source
v2.8.1
Compare Source
v2.8.0
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.