This repository has been archived by the owner on Oct 2, 2023. It is now read-only.

Update dependency graphiql to v1 [SECURITY] - abandoned #46

Open
wants to merge 1 commit into
base: master

Conversation

renovate[bot]

@renovate renovate bot commented Mar 7, 2022

Mend Renovate

This PR contains the following updates:

Package: graphiql (source)
Change: ^0.11.2 -> ^1.0.0

GitHub Vulnerability Alerts

CVE-2021-41248

This is a security advisory for an XSS vulnerability in graphiql.

A similar vulnerability affects graphql-playground, a fork of graphiql. There is a corresponding graphql-playground advisory and Apollo Server advisory.

1. Impact

All versions of graphiql older than graphiql@1.4.7 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete.

In order for the attack to take place, the user must load a vulnerable schema in graphiql. There are a number of ways that can occur.

By default, the schema URL is not attacker-controllable in graphiql or in its suggested implementations or examples, leaving only very complex attack vectors.

If a custom implementation of graphiql's fetcher allows the schema URL to be set dynamically, such as a URL query parameter like ?endpoint= in graphql-playground, or a database-provided value, then this custom graphiql implementation is vulnerable to phishing attacks, and thus to much more readily available, low- or no-privilege-level XSS attacks. The URLs could look like any generic-looking GraphQL schema URL.

Because this exposes an XSS attack surface, it would be possible for a threat actor to exfiltrate user credentials, data, etc. using arbitrary malicious scripts, without it being known to the user.

2. Scope

This advisory describes the impact on the graphiql package. The vulnerability also affects other projects forked from graphiql such as graphql-playground and the graphql-playground fork distributed by Apollo Server. The impact is more severe in the graphql-playground implementations; see the graphql-playground advisory and Apollo Server advisory for details.

This vulnerability does not impact codemirror-graphql, monaco-graphql or other dependents, as it exists in onHasCompletion.ts in graphiql. It does impact all forks of graphiql, and every released version of graphiql.

It should be noted that desktop clients such as Altair, Insomnia, Postwoman, do not appear to be impacted by this.

3. Patches

graphiql@1.4.7 addresses this issue via defense in depth.

  • HTML-escaping text that should be treated as text rather than HTML. In most of the app, this happens automatically because React escapes all interpolated text by default. However, one vulnerable component uses the unsafe innerHTML API and interpolated type names directly into HTML. We now properly escape that type name, which fixes the known vulnerability.

  • Validates the schema upon receiving the introspection response or schema changes. Schemas with names that violate the GraphQL spec will no longer be loaded. (This includes preventing the Doc Explorer from loading.) This change is also sufficient to fix the known vulnerability. You can disable this validation by setting dangerouslyAssumeSchemaIsValid={true}, which means you are relying only on escaping values to protect you from this attack.

  • Ensuring that user-generated HTML is safe. Schemas can contain Markdown in description and deprecationReason fields, and the web app renders them to HTML using the markdown-it library. As part of the development of graphiql@1.4.7, we verified that our use of markdown-it prevents the inclusion of arbitrary HTML. We use markdown-it without setting html: true, so we are comfortable relying on markdown-it's HTML escaping here. We considered running a second level of sanitization over all rendered Markdown using a library such as dompurify but believe that is unnecessary as markdown-it's sanitization appears to be adequate. graphiql@1.4.7 does update to the latest version of markdown-it (v12, from v10) so that any security fixes in v11 and v12 will take effect.

3.1 CDN bundle implementations may be automatically patched

Note that if your implementation depends on a CDN version of graphiql and is pointed to the latest tag (usually the default for most CDNs if no version is specified), then this issue is already mitigated, in case you were vulnerable to it before.

4. Workarounds for Older Versions

If you cannot use graphiql@1.4.7 or later:

  • Always use a static URL to a trusted server that is serving a trusted GraphQL schema.

  • If you have a custom implementation that allows using user-provided schema URLs via a query parameter, database value, etc., you must either disable this customization, or only allow trusted URLs.

5. How to Re-create the Exploit

You can see an example on codesandbox. These are both fixed to the last graphiql release 1.4.6 which is the last vulnerable release; however it would work with any previous release of graphiql.

Both of these examples are meant to demonstrate the phishing attack surface, so they are customized to accept a url parameter. To demonstrate the phishing attack, add ?url=https://graphql-xss-schema.netlify.app/graphql to the in-codesandbox browser.

Erase the contents of the given query and type {u. You will see an alert window open, showing that attacker-controlled code was executed.

Note that when React is in development mode, a validation exception is thrown visibly; however that exception is usually buried in the browser console in a production build of graphiql. This validation exception comes from getDiagnostics, which invokes graphql validate() which in turn will assertValidSchema(), as apollo-server-core does on executing each operation. This validation does not prevent the exploit from being successful.

Note that something like the url parameter is not required for the attack to happen if graphiql's fetcher is configured in a different way to communicate with a compromised GraphQL server.

6. Credit

This vulnerability was discovered by @Ry0taK, thank you! 🥇

Others who contributed:

7. References

The vulnerability has always been present:

  • in the first commit
  • and later moved to onHasCompletion.js in 2016 (now .ts after the TypeScript migration)

8. For more information

If you have any questions or comments about this advisory:


Release Notes

graphql/graphiql

v1.4.7

Compare Source

Patch Changes

v1.4.6

Compare Source

Patch Changes

v1.4.5

Compare Source

Patch Changes

v1.4.4

Compare Source

Patch Changes

v1.4.3

Compare Source

Patch Changes
  • 6a459f4c #1968 Thanks @acao! - Remove optionalDependencies entirely, remove subscriptions-transport-ws which introduces vulnerabilities, upgrade @n1ru4l/push-pull-async-iterable-iterator to 3.0.0, upgrade graphql-ws several minor versions - the graphql-ws@5.x upgrade will come in a later minor release.
  • eb2d91fa #1914 Thanks @harshithpabbati! - fix: history can now be saved even when query history panel is not opened
    feat: create a new maxHistoryLength prop to allow more than 20 queries in history panel

v1.4.2

Patch Changes

v1.4.1

Patch Changes
  • dd9397e4 #1819 Thanks @acao! - GraphiQL.createClient() accepts custom legacyClient, exports typescript types, fixes #1800.

    createGraphiQLFetcher now only attempts a graphql-ws connection when only subscriptionUrl is provided. In order to use graphql-transport-ws, you'll need to provide the legacyClient option only, and no subscriptionUrl or wsClient option.

v1.4.0

Patch Changes
  • Updated dependencies
    [b4fc16c0]:
    • codemirror-graphql@1.0.0

v1.3.2

Compare Source

Note: Version bump only for package graphiql

v1.3.1

Compare Source

Note: Version bump only for package graphiql

v1.3.0

Compare Source

Features

v1.2.2

Compare Source

Note: Version bump only for package graphiql

v1.2.1

Compare Source

Bug Fixes
  • display schema description if available
    (050c506)
  • fix linting issue
    (7117b7c)

v1.2.0

Compare Source

Features

v1.1.0

Compare Source

Bug Fixes
  • improve props in GraphiQL readme
    (b9b2c8d)
Features
  • graphiql: add prop for adding toolbar content while preserving the default
    buttons
    (ea81056)
  • deeper fragment merging
    (238d0b5)

v1.0.6

Compare Source

Bug Fixes
  • enable variable editor when header editor is not enabled
    (#1682)
    (205fbad)

v1.0.5

Compare Source

Note: Version bump only for package graphiql

v1.0.4

Compare Source

Bug Fixes

v1.0.3

Compare Source

Bug Fixes

v1.0.2

Compare Source

Note: Version bump only for package graphiql

v1.0.1

Compare Source

Bug Fixes

v1.0.0

Compare Source

Bug Fixes

v0.17.5

Compare Source

Note: Version bump only for package graphiql

v0.17.4

Compare Source

Bug Fixes
  • graphiql babel test ignore paths
    (e1588d9)

v0.17.3

Compare Source

Bug Fixes
  • express-graphql version
    (e9848b0)
  • test output, webpack resolution, clean build
    (3b1c2c1)

v0.17.2

Compare Source

Bug Fixes
  • ensure css files move with babel dist
    (ca95547)
  • remove css from downstream components. soon to be replaced w styled
    (e765543)

v0.17.1

Compare Source

Bug Fixes

v0.17.0

Compare Source

Bug Fixes
Features
  • graphiql: Prettify also formats query variables
    (b7d0bfd)

v0.16.0

Compare Source

Bug Fixes
Features
0.15.1 (2019-10-04)
Bug Fixes

v0.15.1

v0.13.2

Compare Source

v0.13.0

Compare Source

  • Add query merging
  • Update graphql peer dependencies to include ^14.0.0

v0.12.0

Compare Source

  • Changed Licensing to MIT.
  • Upgraded GraphQL to v0.13.2.
  • Various other fixes since we haven't cut a new branch in a bit.

v0.11.11

Compare Source

  • New:
  • Fixes:
    • fix MenuItem example in README (#635)
    • The field description should be rendered as markdown (#634)
    • Remove border radius for document toggle button (#630)
    • Change to yarn to reflect travis test (#632)
    • check the length of npm_config_argv in prepublish (a4d9732)
    • Add CDNJS & npm version badges in README.md (#643)
    • Add GraphQL 0.12.x to the peer dependencies. (#642)
    • a less aggressive hint suggestion for variables editor (8e5c7e2)

v0.11.10

Compare Source

Fixes

  • Fix for "false" being used as a class name in the ExecuteButton (#625).

v0.11.9

Compare Source

Changes

  • Allow React v16 as a peer-dependency (#607).

v0.11.8

Compare Source

Fixes

  • Ship second half of fix for clipped drop-down menus in toolbars (first part shipped in v0.11.7).

v0.11.7

Compare Source

Fixes

  • Prevent toolbar menu drop-downs from being clipped (4e1510b).

v0.11.6

Compare Source

Fixes

  • Fix React console warnings about readOnly prop type (#601).

Enhancements

  • Default values for input object types are now displayed in Doc Explorer (#593).

v0.11.5

Compare Source

  • New/Improved
    • export core components of GraphiQL (#580)
    • Add a keyboard shortcut to prettify the query (#385)
    • add readOnly prop to allow readonly editor components (3718777 and 9e67374)
  • Fixed
    • Allow to specify result tooltip as prop (#570)
    • let the toolbar elements to be overflowable (#579)
    • Fix Documentation Description Wrapping (3e7f2ac)
    • add peerDep to graphql 0.11.x (#589)

v0.11.4

Compare Source

v0.11.3

Compare Source

Fixed

  • Fix CSS incompatibility with CodeMirror theme (#547).

Changed

  • Updated dependencies.
  • Relaxed peer dependencies that were made unnecessarily restrictive (#532).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
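As an added example, not code from graphiql or from this PR: the two layers the advisory's Patches section describes, escaping text before it reaches innerHTML and refusing to load a schema whose names violate the GraphQL spec, run against a constructed introspection response. escapeHtml, renderHintUnsafe, renderHintSafe, findInvalidNames and loadSchema are hypothetical names, and the malicious type name is constructed for the demonstration.

```javascript
// Added example (not graphiql's own code): defence in depth for CVE-2021-41248.
// Name :: /[_A-Za-z][_0-9A-Za-z]*/ per the GraphQL spec
const GRAPHQL_NAME = /^[_A-Za-z][_0-9A-Za-z]*$/;

// Layer 1: escape anything that is text before it is interpolated into HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// The unsafe pattern the advisory describes: a type name is interpolated
// straight into an HTML string that is later assigned to innerHTML.
function renderHintUnsafe(fieldName, typeName) {
  return `<span class="field">${fieldName}</span>: <span class="type">${typeName}</span>`;
}

// Hardened form of the same hint: both interpolated values are escaped.
function renderHintSafe(fieldName, typeName) {
  return `<span class="field">${escapeHtml(fieldName)}</span>: ` +
    `<span class="type">${escapeHtml(typeName)}</span>`;
}

// Layer 2: refuse to load a schema whose type or field names violate the spec.
function findInvalidNames(introspection) {
  const bad = [];
  for (const type of introspection.__schema.types) {
    if (!GRAPHQL_NAME.test(type.name)) bad.push(type.name);
    for (const field of type.fields || []) {
      if (!GRAPHQL_NAME.test(field.name)) bad.push(`${type.name}.${field.name}`);
    }
  }
  return bad;
}

// Hypothetical loader mirroring the dangerouslyAssumeSchemaIsValid prop:
// validation runs unless the caller explicitly opts out of it.
function loadSchema(introspection, { dangerouslyAssumeSchemaIsValid = false } = {}) {
  const bad = dangerouslyAssumeSchemaIsValid ? [] : findInvalidNames(introspection);
  if (bad.length) throw new Error(`invalid GraphQL names: ${bad.join(", ")}`);
  return introspection.__schema;
}

// Constructed introspection response carrying one malicious type name.
const BAD_TYPE = 'User<img src=x onerror="alert(1)">';
const MALICIOUS_INTROSPECTION = { __schema: { types: [
  { name: "Query", fields: [{ name: "user", type: { name: BAD_TYPE } }] },
  { name: BAD_TYPE, fields: [{ name: "id" }] },
] } };
```

With validation enabled the malicious schema is rejected before any hint is rendered; with dangerouslyAssumeSchemaIsValid set, only the escaping in renderHintSafe stands between the type name and the DOM, which is the trade-off the advisory describes.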

@renovate
Author

renovate bot commented Mar 25, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@renovate renovate bot changed the title Update dependency graphiql to v1 [SECURITY] Update dependency graphiql to v1 [SECURITY] - abandoned May 28, 2023
@renovate
Author

renovate bot commented May 28, 2023

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
