Merge pull request from GHSA-2fvv-qxrq-7jq6

See GHSA-2fvv-qxrq-7jq6 for details. Note that this doesn't affect the curl command shown in the colorful rendered non-embedded landing page, which is properly escaped by the React app.
apollographql · Aug 10, 2022 · 68a439b · 68a439b
1 parent 27ded2a
commit 68a439b
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,10 @@ The version headers in this history reflect the versions of Apollo Server itself
 
 ## vNEXT
 
+## v3.10.1
+
+- ⚠️ **SECURITY**: The default landing page contained HTML to display a sample `curl` command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from `window.location.href`. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript. In this release, the fallback page does not display a `curl` command. More details are available at the [security advisory](https://github.com/apollographql/apollo-server/security/advisories/GHSA-2fvv-qxrq-7jq6).
+- Improve error message when both a graph ref and a graph variant are specified. [PR #6709](https://github.com/apollographql/apollo-server/pull/6709)
 - Fix the TypeScript declaration of the `fieldLevelInstrumentation` option to `ApolloServerPluginUsageReporting` to show that the function may return a number in addition to a boolean. This now matches the implementation and docs. [PR #6763](https://github.com/apollographql/apollo-server/pull/6763)
 
 ## v3.10.0

diff --git a/packages/apollo-server-core/src/plugin/landingPage/__tests__/getEmbeddedExplorerHTML.test.ts b/packages/apollo-server-core/src/plugin/landingPage/__tests__/getEmbeddedExplorerHTML.test.ts
@@ -29,6 +29,14 @@ describe('Embedded Explorer Landing Page Config HTML', () => {
         graphRef: 'graph@current',
       };
     expect(getEmbeddedExplorerHTML(version, config)).toMatchInlineSnapshot(`
+      <div class="fallback">
+        <h1>
+          Welcome to Apollo Server
+        </h1>
+        <p>
+          Apollo Explorer cannot be loaded; it appears that you might be offline.
+        </p>
+      </div>
       <style>
         iframe {
           background-color: white;
@@ -59,6 +67,14 @@ describe('Embedded Explorer Landing Page Config HTML', () => {
         graphRef: 'graph@current',
       };
     expect(getEmbeddedExplorerHTML(version, config)).toMatchInlineSnapshot(`
+      <div class="fallback">
+        <h1>
+          Welcome to Apollo Server
+        </h1>
+        <p>
+          Apollo Explorer cannot be loaded; it appears that you might be offline.
+        </p>
+      </div>
       <style>
         iframe {
           background-color: white;

diff --git a/packages/apollo-server-core/src/plugin/landingPage/__tests__/getEmbeddedSandboxHTML.test.ts b/packages/apollo-server-core/src/plugin/landingPage/__tests__/getEmbeddedSandboxHTML.test.ts
@@ -20,6 +20,14 @@ describe('Landing Page Config HTML', () => {
       embed: true,
     };
     expect(getEmbeddedSandboxHTML(version, config)).toMatchInlineSnapshot(`
+      <div class="fallback">
+        <h1>
+          Welcome to Apollo Server
+        </h1>
+        <p>
+          Apollo Sandbox cannot be loaded; it appears that you might be offline.
+        </p>
+      </div>
       <style>
         iframe {
           background-color: white;
@@ -49,6 +57,14 @@ describe('Landing Page Config HTML', () => {
       embed: true,
     };
     expect(getEmbeddedSandboxHTML(version, config)).toMatchInlineSnapshot(`
+      <div class="fallback">
+        <h1>
+          Welcome to Apollo Server
+        </h1>
+        <p>
+          Apollo Sandbox cannot be loaded; it appears that you might be offline.
+        </p>
+      </div>
       <style>
         iframe {
           background-color: white;

diff --git a/packages/apollo-server-core/src/plugin/landingPage/default/index.ts b/packages/apollo-server-core/src/plugin/landingPage/default/index.ts
@@ -101,6 +101,10 @@ export const getEmbeddedExplorerHTML = (
     };
 
   return `
+<div class="fallback">
+  <h1>Welcome to Apollo Server</h1>
+  <p>Apollo Explorer cannot be loaded; it appears that you might be offline.</p>
+</div>
 <style>
   iframe {
     background-color: white;
@@ -129,6 +133,10 @@ export const getEmbeddedSandboxHTML = (
   config: LandingPageConfig,
 ) => {
   return `
+<div class="fallback">
+  <h1>Welcome to Apollo Server</h1>
+  <p>Apollo Sandbox cannot be loaded; it appears that you might be offline.</p>
+</div>
 <style>
   iframe {
     background-color: white;
@@ -162,6 +170,10 @@ const getNonEmbeddedLandingPageHTML = (
   const encodedConfig = encodeConfig(config);
 
   return `
+ <div class="fallback">
+  <h1>Welcome to Apollo Server</h1>
+  <p>The full landing page cannot be loaded; it appears that you might be offline.</p>
+</div>
 <script>window.landingPage = ${encodedConfig};</script>
 <script src="https://apollo-server-landing-page.cdn.apollographql.com/${version}/static/js/main.js"></script>`;
 };
@@ -224,15 +236,6 @@ function ApolloServerPluginLandingPageDefault(
           100% {opacity:1; }
         }
       </style>
-      <div class="fallback">
-        <h1>Welcome to Apollo Server</h1>
-        <p>It appears that you might be offline. POST to this endpoint to query your graph:</p>
-        <code style="white-space: pre;">
-curl --request POST \\
-  --header 'content-type: application/json' \\
-  --url '<script>document.write(window.location.href)</script>' \\
-  --data '{"query":"query { __typename }"}'</code>
-      </div>
     ${
       config.embed
         ? 'graphRef' in config && config.graphRef