Update dependency graphql-playground-html to 1.6.22 [SECURITY] - abandoned #25
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.6.0
->1.6.22
GitHub Vulnerability Alerts
CVE-2020-4038
Impact
directly impacted:
graphql-playground-html@<1.6.22
- all unsanitized user input forrenderPlaygroundPage()
all of our consuming packages of
graphql-playground-html
are impacted:graphql-playground-middleware-express@<1.7.16
- unsanitized user input toexpressPlayground()
graphql-playground-middleware-koa@<1.6.15
- unsanitized user input tokoaPlayground()
graphql-playground-middleware-lambda@<1.7.17
- unsanitized user input tolambdaPlayground()
graphql-playground-middleware-hapi@<1.6.13
- unsanitized user input tohapiPlayground()
as well as any other packages that use these methods with unsanitized user input.
not impacted:
graphql-playground-electron
- usesrenderPlaygroundPage()
statically for a webpack build for electron bundle, no dynamic user inputgraphql-playground-react
- usage of the component directly in a react application does not expose reflected XSS vulnerabilities. only the demo inpublic/
contains the vulnerability, because it uses an old version of the html pacakge.Patches
upgrading to the above mentioned versions will solve the issue.
If you're using
graphql-playground-html
directly, then:or
Then, similar steps need to be taken for each middleware:
Workarounds
Ensure you properly sanitize all user input for options you use for whatever function to initialize GraphQLPlayground:
for example, with
graphql-playground-html
and express:or, with
graphql-playground-express
:References
Credits
Masato Kinugawa of Cure53
For more information
If you have any questions or comments about this advisory:
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.