Merge pull request from GHSA-2fvv-qxrq-7jq6
See GHSA-2fvv-qxrq-7jq6 for details.

Note that this doesn't affect the curl command shown in the colorful
rendered non-embedded landing page, which is properly escaped by the
React app.
glasser authored Aug 10, 2022

Verified: this commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent 27ded2a commit 68a439b
Showing 4 changed files with 48 additions and 9 deletions.
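The sink this commit removes, and the escaping the commit message credits the React app with, as an added example in JavaScript that is not Apollo Server's code: a string-based stand-in for what `<script>document.write(window.location.href)</script>` inside the old `<code>` block amounts to once it has run, the same template with the URL HTML-escaped, and a constructed pair of `location.href` values, one percent-encoded as a current browser produces it and one left raw as an older browser such as IE11 can. The function names (`renderFallbackUnsafe`, `renderFallbackSafe`, `escapeHtml`, `injectedTagCount`) and the sample URLs are this example's own assumptions.

```javascript
// Added illustration, not Apollo Server code. Runs under Node; the browser's
// parsing of document.write() output is approximated by scanning the string
// for start tags that appear inside the <code> element.

// Minimal text-node escaping, the treatment a React text child receives.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the href is spliced into the document as markup, which is
// what document.write(window.location.href) does after the script runs.
function renderFallbackUnsafe(href) {
  return `<code>curl --request POST --url '${href}' --data '{"query":"query { __typename }"}'</code>`;
}

// Hardened pattern: the href is emitted as text, so angle brackets and quotes
// cannot open an element or attribute regardless of how the browser encoded it.
function renderFallbackSafe(href) {
  return `<code>curl --request POST --url '${escapeHtml(href)}' --data '{"query":"query { __typename }"}'</code>`;
}

// Number of start tags found between <code> and </code>; anything above zero
// means the URL injected markup into the page.
function injectedTagCount(html) {
  const inner = html.replace(/^<code>|<\/code>$/g, '');
  return (inner.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample hrefs (assumption: the same payload, once percent-encoded
// by a current browser and once left raw by an older one).
const MODERN_HREF = 'http://localhost:4000/?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
const LEGACY_HREF = 'http://localhost:4000/?q=<img src=x onerror=alert(1)>';

// Returns how many tags each combination injects.
function demo() {
  return {
    modernUnsafe: injectedTagCount(renderFallbackUnsafe(MODERN_HREF)),
    legacyUnsafe: injectedTagCount(renderFallbackUnsafe(LEGACY_HREF)),
    legacySafe: injectedTagCount(renderFallbackSafe(LEGACY_HREF)),
  };
}

console.log(demo());
```

The point of the three counts: the unsafe template is only inert when the browser happened to percent-encode the URL, which is exactly the property the changelog entry says older browsers do not guarantee, while escaping at the point of output is safe in both cases. Dropping the interpolation altogether, as this commit does, removes the question entirely.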
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -10,6 +10,10 @@ The version headers in this history reflect the versions of Apollo Server itself

## vNEXT

## v3.10.1

- ⚠️ **SECURITY**: The default landing page contained HTML to display a sample `curl` command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from `window.location.href`. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript. In this release, the fallback page does not display a `curl` command. More details are available at the [security advisory](https://github.com/apollographql/apollo-server/security/advisories/GHSA-2fvv-qxrq-7jq6).
- Improve error message when both a graph ref and a graph variant are specified. [PR #6709](https://github.com/apollographql/apollo-server/pull/6709)
- Fix the TypeScript declaration of the `fieldLevelInstrumentation` option to `ApolloServerPluginUsageReporting` to show that the function may return a number in addition to a boolean. This now matches the implementation and docs. [PR #6763](https://github.com/apollographql/apollo-server/pull/6763)

## v3.10.0
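Review bot: the new v3.10.1 entry says "a malicious URL pointing at an Apollo Router", but the rest of the entry and every code change in this commit concern Apollo Server's default landing page; unless Router is really meant, change it to "Apollo Server" so readers searching the changelog for Router issues are not misled.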
@@ -29,6 +29,14 @@ describe('Embedded Explorer Landing Page Config HTML', () => {
graphRef: 'graph@current',
};
expect(getEmbeddedExplorerHTML(version, config)).toMatchInlineSnapshot(`
<div class="fallback">
<h1>
Welcome to Apollo Server
</h1>
<p>
Apollo Explorer cannot be loaded; it appears that you might be offline.
</p>
</div>
<style>
iframe {
background-color: white;
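Review bot: the updated inline snapshots pin the new static fallback markup, but nothing asserts that the unsafe construct is gone, and a future snapshot update would silently accept it coming back; add a regression check on the emitted HTML such as `expect(getEmbeddedExplorerHTML(version, config)).not.toContain('document.write')` and the same for `window.location.href`.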
@@ -59,6 +67,14 @@ describe('Embedded Explorer Landing Page Config HTML', () => {
graphRef: 'graph@current',
};
expect(getEmbeddedExplorerHTML(version, config)).toMatchInlineSnapshot(`
<div class="fallback">
<h1>
Welcome to Apollo Server
</h1>
<p>
Apollo Explorer cannot be loaded; it appears that you might be offline.
</p>
</div>
<style>
iframe {
background-color: white;
@@ -20,6 +20,14 @@ describe('Landing Page Config HTML', () => {
embed: true,
};
expect(getEmbeddedSandboxHTML(version, config)).toMatchInlineSnapshot(`
<div class="fallback">
<h1>
Welcome to Apollo Server
</h1>
<p>
Apollo Sandbox cannot be loaded; it appears that you might be offline.
</p>
</div>
<style>
iframe {
background-color: white;
@@ -49,6 +57,14 @@ describe('Landing Page Config HTML', () => {
embed: true,
};
expect(getEmbeddedSandboxHTML(version, config)).toMatchInlineSnapshot(`
<div class="fallback">
<h1>
Welcome to Apollo Server
</h1>
<p>
Apollo Sandbox cannot be loaded; it appears that you might be offline.
</p>
</div>
<style>
iframe {
background-color: white;
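Review bot: both sandbox cases here use `embed: true`, and the explorer cases above are embedded too, so the fallback added to `getNonEmbeddedLandingPageHTML` in this commit has no snapshot at all; add an `embed: false` case so the non-embedded fallback markup is covered as well.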
@@ -101,6 +101,10 @@ export const getEmbeddedExplorerHTML = (
};

return `
<div class="fallback">
<h1>Welcome to Apollo Server</h1>
<p>Apollo Explorer cannot be loaded; it appears that you might be offline.</p>
</div>
<style>
iframe {
background-color: white;
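Review bot: the same `<div class="fallback">` block is pasted here and again in the two hunks below, differing only in the product name ("Explorer", "Sandbox", "full landing page"); a small helper that takes the product name and returns the fallback markup would keep the next change to this text in one place.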
@@ -129,6 +133,10 @@ export const getEmbeddedSandboxHTML = (
config: LandingPageConfig,
) => {
return `
<div class="fallback">
<h1>Welcome to Apollo Server</h1>
<p>Apollo Sandbox cannot be loaded; it appears that you might be offline.</p>
</div>
<style>
iframe {
background-color: white;
@@ -162,6 +170,10 @@ const getNonEmbeddedLandingPageHTML = (
const encodedConfig = encodeConfig(config);

return `
<div class="fallback">
<h1>Welcome to Apollo Server</h1>
<p>The full landing page cannot be loaded; it appears that you might be offline.</p>
</div>
<script>window.landingPage = ${encodedConfig};</script>
<script src="https://apollo-server-landing-page.cdn.apollographql.com/${version}/static/js/main.js"></script>`;
};
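Review bot: `${encodedConfig}` is interpolated into an inline `<script>` in the same template that gained the static fallback, so this function is only safe if `encodeConfig` neutralises the sequences that can end or alter the script element (`</script`, and `<!--` under the HTML script-data parsing rules); `JSON.stringify` alone does not. If it already does, a one-line comment at the call site would spare the next reader this check; if not, replace `<` with `\u003c` in the encoded JSON.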
@@ -224,15 +236,6 @@ function ApolloServerPluginLandingPageDefault(
100% {opacity:1; }
}
</style>
<div class="fallback">
<h1>Welcome to Apollo Server</h1>
<p>It appears that you might be offline. POST to this endpoint to query your graph:</p>
<code style="white-space: pre;">
curl --request POST \\
--header 'content-type: application/json' \\
--url '<script>document.write(window.location.href)</script>' \\
--data '{"query":"query { __typename }"}'</code>
</div>
${
config.embed
? 'graphRef' in config && config.graphRef
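Review bot: removing the `<script>document.write(window.location.href)</script>` sink outright is the right fix rather than encoding on the client, since `document.write` parses its argument as markup and the encoding of `href` is browser-dependent (the IE11 case the changelog entry describes). If a sample curl command is ever brought back, set the URL on an element via `textContent` from a server-supplied value instead of reading `window.location.href`, and keep it out of `document.write`.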
