This repository has been archived by the owner on Sep 25, 2023. It is now read-only.
fix(deps): update dependency @apollo/server to v4.7.4 [security] #519
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/npm-@apollo/server-vulnerability
branch
from
3c676e5
to
c417431
Compare
ChrisW-B
approved these changes
Jun 30, 2023
ChrisW-B
approved these changes
Jun 30, 2023
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.7.1->4.7.4GitHub Vulnerability Alerts
GHSA-68jh-rf6x-836f
Context
Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack.
Impact
There aren't any XSS attack vectors via the Apollo Server landing pages known to Apollo, so to our knowledge there is no impact. However, if there are existing XSS vectors that haven't been reported and patched, then all users of Apollo Server's landing pages have a vulnerability which won't be prevented by the current CSP implemented by the landing pages.
Prior to version 4.7.1, there was no CSP implemented at all. However, the initial CSP implementation (4.7.1+) reused nonces. While this sufficiently resolved the issue w.r.t. scripts not running in Safari, it did not implement CSP in a safe or conventional way.
Patches
The issue is patched in the latest version of Apollo Server, v4.7.4. The changes can be reviewed in the merge commit.
Workarounds
The landing page can be disabled completely until the patch can be upgraded to.
https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#disabling-the-landing-page
References
https://content-security-policy.com/nonce/
Release Notes
apollographql/apollo-server
v4.7.4Compare Source
Patch Changes
0adaf80d1Thanks @trevor-scheer! - Address Content Security Policy issuesThe previous implementation of CSP nonces within the landing pages did not take full advantage of the security benefit of using them. Nonces should only be used once per request, whereas Apollo Server was generating one nonce and reusing it for the lifetime of the instance. The reuse of nonces degrades the security benefit of using them but does not pose a security risk on its own. The CSP provides a defense-in-depth measure against a potential XSS, so in the absence of a known XSS vulnerability there is likely no risk to the user.
The mentioned fix also coincidentally addresses an issue with using crypto functions on startup within Cloudflare Workers. Crypto functions are now called during requests only, which resolves the error that Cloudflare Workers were facing. A recent change introduced a
precomputedNonceconfiguration option to mitigate this issue, but it was an incorrect approach given the nature of CSP nonces. This configuration option is now deprecated and should not be used for any reason since it suffers from the previously mentioned issue of reusing nonces.Additionally, this change adds other applicable CSPs for the scripts, styles, images, manifest, and iframes that the landing pages load.
A final consequence of this change is an extension of the
renderLandingPageplugin hook. This hook can now return an object with anhtmlproperty which returns aPromise<string>in addition to astring(which was the only option before).v4.7.3Compare Source
Patch Changes
#7601
75b668d9eThanks @trevor-scheer! - Provide a new configuration option for landing page pluginsprecomputedNoncewhich allows users to provide a nonce and avoid calling intouuidfunctions on startup. This is useful for Cloudflare Workers where random number generation is not available on startup (only during requests). Unless you are using Cloudflare Workers, you can ignore this change.The example below assumes you've provided a
PRECOMPUTED_NONCEvariable in yourwrangler.tomlfile.Example usage:
v4.7.2Compare Source
Patch Changes
c3f04d050Thanks @trevor-scheer! - Update@apollo/utils.usagereportingdependency. Previously, installing@apollo/gatewayand@apollo/servercould result in duplicate / differently versioned installs of@apollo/usage-reporting-protobuf. This is because the@apollo/server-gateway-interfacepackage was updated to use the latest protobuf, but the@apollo/utils.usagereportingpackage was not. After this change, users should always end up with a single install of the protobuf package when installing both@apollo/serverand@apollo/gatewaylatest versions.Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.