Merge github.com:prisma-labs/graphql-playground

Author: acao

README.md

@@ -1,4 +1,5 @@
-> **SECURITY WARNING:** This `graphql-playground-html` and [all of it's middleware dependents](#impacted-packages) in this repository **had a severe XSS Reflection attack vulnerability to unsanitized user input** until version `[email protected]`. Impacted are any and all **user-defined** input to `renderPlaygroundPage()`, `koaPlayground()`,`expressPlayground()`, `koaPlayground()`, or `lambdaPlayground()`. If you used static values, such as `graphql-playground-electron` does in [it's webpack config](https://github.com/prisma-labs/graphql-playground/blob/master/packages/graphql-playground-electron/webpack.config.build.js#L16), you were not vulnerable to the attack. [More Details](./SECURITY.md)
+> **SECURITY WARNING:** both `graphql-playground-html` and [all four (4) of it's middleware dependents](#impacted-packages) until `[email protected]` were subject to an  **XSS Reflection attack vulnerability only to unsanitized user input strings** to the functions therein. This was resolved in `graphql-playground-html@^1.6.22`. [More Information](#security-details)
+
 
 <p align="center"><img src="https://imgur.com/5fzMbyV.png" width="269"></p>
 
@@ -28,14 +29,23 @@ $ brew cask install graphql-playground
 - 🚥 Apollo Tracing support
 
 ## Security Details
-
-**NOTE: only _unsanitized user input_ to the functions in these packages is vulnerable** to the recently reported XSS Reflection attack.
+> **NOTE: only _unsanitized user input_ to the functions in these packages is vulnerable** to the recently reported XSS Reflection attack.
 
 ### Impact
 
-The only reason this vulnerability exists is because we are using template strings in `renderPlaygroundPage()` with potentially user defined variables. This allows an attacker to inject html and javascript into a page on execution.
+> Impacted are any and all unsanitized **user-defined** input to:
+-`renderPlaygroundPage()`
+-`koaPlayground()`
+-`expressPlayground()`
+-`koaPlayground()`
+-`lambdaPlayground()
+
+>  If you used static values, such as `graphql-playground-electron` does in [it's webpack config](https://github.com/prisma-labs/graphql-playground/blob/master/packages/graphql-playground-electron/webpack.config.build.js#L16), as well as the most common middleware implementations out there, they were not vulnerable to the attack.
 
-Common examples may be user-defined path parameters, query string, unsanitized UI provided values in database, etc that are used to build template strings or passed directly to a `renderPlaygroundPage()` or the matching middleware function equivalent.
+The only reason this vulnerability exists is because we are using template strings in `renderPlaygroundPage()` with potentially unsanitized user defined variables. This allows an attacker to inject html and javascript into the page. 
+- [Read more about preventing XSS in react](https://pragmaticwebsecurity.com/files/cheatsheets/reactxss.pdf)
+
+Common examples may be user-defined path parameters, query string, unsanitized UI provided values in database, etc., that are used to build template strings or passed directly to a `renderPlaygroundPage()` or the matching middleware function equivalent listed above.
 
 ### Impacted Packages
 
@@ -53,6 +63,8 @@ Common examples may be user-defined path parameters, query string, unsanitized U
 
 See the [security docs](./SECURITY.md) for more details on how your implementation might be impacted by this vulnerability. It contains safe examples, unsafe examples, workarounds, and more details.
 
+We've also provided ['an example of the xss using the express middleware]('https://github.com/prisma-labs/graphql-playground/tree/master/packages/graphql-playground-html/examples/xss-attack')
+
 ## FAQ
 
 ### How is this different from [GraphiQL](https://github.com/graphql/graphiql)?

SECURITY.md

@@ -13,10 +13,12 @@ When using
 - `expressPlayground()`
 - `koaPlayground()`
 - `lambdaPlayground()`
-- any downstream dependents that use these functions
+- any downstream dependent packages that use these functions
 
 without sanitization of user input, your application is vulnerable to an XSS Reflecton Attack. This is a serious vulnerability that could allow for exfiltration of data or user credentials, or to disrupt systems.
 
+We've provided ['an example of the xss using the express middleware]('https://github.com/prisma-labs/graphql-playground/tree/master/packages/graphql-playground-middleware-express/examples/xss-attack')
+
 ### Impacted Packages
 
 **All versions of these packages are impacted until those specified below**, which are now safe for user defined input:
@@ -99,6 +101,8 @@ app.get('/playground', (req) =>
 )
 ```
 
+[See a proof of concept](packages/graphql-playground-html/examples/xss-attack) to understand the vulnerability better
+
 ### Workaround
 
 To fix this issue without the update, you can sanitize however you want.
@@ -130,3 +134,5 @@ app.get('/playground/:id', (req) =>
 app.get('/playground', (req) =>
   expressPlayground(JSON.parse(filter(JSON.stringify(req.query))))
 ```
+
+[See a proof of concept workaround](packages/graphql-playground-html/examples/xss-attack), example #3

packages/graphql-playground-html/examples/xss-attack/README.md

@@ -0,0 +1,59 @@
+# GraphQL Playground HTML XSS Reflection Attack Example
+
+This shows the simplest possible example for how one might re-create the XSS Reflection Vulnerability reported by Cure53.
+
+Notice we force the resolution to `[email protected]`, which is the last version susceptible. All prior versions are susceptible to the attack.
+
+Dynamic, unsanitized input that resembles some of the configuration you see is a simple example - if url parameters, query parameters, unsanitized database text strings, etc are passed to `expressPlayground()`, `renderPlaygroundPage()` or equivalent middleware functions such as `koaPlayground()`, they are all vulnerable to this attack.
+
+## Reccomendations
+
+Here we use `xss` because it was easy to provide for node.js, however [DOMPurify](https://github.com/cure53/DOMPurify) is also an excellent choice for sanitizing strings for unwanted html. By default it requires the browser DOM, but you can load it with JSDOM for server side purposes as well.
+
+here are a few more tips to prevent other XSS vulnerabilities that might exist in your own applications:
+
+- `DOMPurify.sanitize` url values with user input to be used for rendering `<a href=` or `<script src=`, `<img src=` etc. whether using react or not!
+- in react,`dangerouslySetInnerHtml={{ __html: { DOMPurify.sanitize(userInputString) }}` always!
+- when doing direct dom manipulation, avoid `domElement.innerHTML = string` at all costs, but at least `DOMPurify.sanitize(string)` first if you must
+- when generating an entire html file, sanitize *all* user input values (this was our mistake)
+
+## Setup
+
+```sh
+$ yarn
+$ yarn start
+```
+
+## Examples
+
+Now that you've set up the example, you can view the examples:
+
+### Example 1 - Query params
+
+this one uses query parameters
+
+http://localhost:4000/example-1?id=%3C/script%3E%3Cscript%3Ealert('I%20%3C3%20GraphQL.%20Hack%20the%20Planet!!')%3C/script%3E%3Cscript%3E
+
+### Example 2 - DB Example
+
+this one uses a mock database, to demonstrate more ways in which the function is susceptible
+
+http://localhost:4000/example-2
+
+### Example 3 - Upgrade workaround example
+
+this one uses query like number 1, but shows how to use [`xss`](https://npmjs.com/xss) module to workaround the issue if you aren't able to upgrade
+
+http://localhost:4000/example-3?id=%3C/script%3E%3Cscript%3Ealert('I%20%3C3%20GraphQL.%20Hack%20the%20Planet!!')%3C/script%3E%3Cscript%3E
+
+### Example 4 - Always Safe example
+
+this one uses static values, so it's safe without any workarounds! (try removing the ?darkMode parameter)
+
+http://localhost:4000/example-4?darkMode=%3C/script%3E%3Cscript%3Ealert('I%20%3C3%20GraphQL.%20Hack%20the%20Planet!!')%3C/script%3E%3Cscript%3E
+
+[XSS Safe using static configuration strings]("http://localhost:4000/example-3?darkMode")
+
+## More Details
+
+See more details in [SECURITY.md](../../../../SECURITY.md)

packages/graphql-playground-html/examples/xss-attack/index.js

@@ -0,0 +1,100 @@
+const express = require('express')
+const { ApolloServer, gql } = require('apollo-server-express')
+const { filterXSS } = require('xss')
+const { renderPlaygroundPage } = require('graphql-playground-html')
+
+const typeDefs = gql`
+  type Query {
+    hello: String!
+  }
+  schema {
+    query: Query
+  }
+`
+const resolvers = {
+  Query: {
+    hello: () => 'world',
+  },
+}
+
+const PORT = 4000
+
+const server = new ApolloServer({ typeDefs, resolvers })
+
+const app = express()
+server.applyMiddleware({ app })
+
+// Example 1: Query Parameters
+
+app.get('/example-1', (req, res, next) => {
+  res.write(
+    renderPlaygroundPage({
+      endpoint: `/graphql/${req.query.id}`,
+    }),
+  )
+  res.status(200)
+  next()
+})
+
+// Example 2: mock database example
+
+const db = {
+  async get() {
+    return {
+      'editor.fontFamily': `</script><script>alert('I <3 GraphQL. Hack the Planet!!')</script><script>`,
+    }
+  },
+}
+
+app.get('/example-2', async (req, res, next) => {
+  const settings = await db.get()
+  res.write(
+    renderPlaygroundPage({
+      endpoint: '/graphql',
+      settings,
+    }),
+  )
+  next()
+})
+
+// Example 3: Manual Workaround
+
+const filter = (val) => {
+  return filterXSS(val, {
+    // @ts-ignore
+    whiteList: [],
+    stripIgnoreTag: true,
+    stripIgnoreTagBody: ['script'],
+  })
+}
+
+app.get('/example-3', (req, res, next) => {
+  res.write(
+    renderPlaygroundPage({
+      endpoint: `/graphql/${filter(req.query.id)}`,
+    }),
+  )
+  res.status(200)
+  next()
+})
+
+// Example 4: Safe
+
+app.get('/example-4', (req, res, next) => {
+  res.write(
+    renderPlaygroundPage({
+      endpoint: `/graphql`,
+      settings: {
+        'editor.theme': req.query.darkMode ? 'dark' : 'light',
+      },
+    }),
+  )
+  res.status(200)
+  next()
+})
+
+app.listen(PORT)
+
+console.log(
+  `Serving the GraphQL Playground on http://localhost:${PORT}/example-2`,
+)

packages/graphql-playground-html/examples/xss-attack/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "xss-attack",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "start": "node index.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "apollo-server-express": "^2.16.0",
+    "express": "^4.17.1",
+    "graphql": "^15.0.0",
+    "graphql-playground-html": "1.6.20",
+    "xss": "^1.0.6"
+  }
+}

packages/graphql-playground-html/package.json

@@ -1,6 +1,6 @@
 {
   "name": "graphql-playground-html",
-  "version": "1.6.24",
+  "version": "1.6.25",
   "homepage": "https://github.com/graphcool/graphql-playground/tree/master/packages/graphql-playground-html",
   "description": "GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration).",
   "contributors": [

packages/graphql-playground-html/src/render-playground-page.ts

@@ -89,7 +89,7 @@ const loading = getLoadingMarkup()
 const CONFIG_ID = 'playground-config';
 
 const getCdnMarkup = ({ version, cdnUrl = '//cdn.jsdelivr.net/npm', faviconUrl }) => {
-  const buildCDNUrl = (packageName: string, suffix: string) => filter(`${cdnUrl}/${packageName}/${version ? `@${version}/` : ''}${suffix}` || '')
+  const buildCDNUrl = (packageName: string, suffix: string) => filter(`${cdnUrl}/${packageName}${version ? `@${version}` : ''}/${suffix}` || '')
   return `
     <link 
       rel="stylesheet" 

packages/graphql-playground-middleware-express/package.json

@@ -1,6 +1,6 @@
 {
   "name": "graphql-playground-middleware-express",
-  "version": "1.7.17",
+  "version": "1.7.18",
   "homepage": "https://github.com/graphcool/graphql-playground/tree/master/packages/graphql-playground-middleware-express",
   "description": "GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration).",
   "contributors": [
@@ -34,7 +34,7 @@
     "typescript": "3.8.3"
   },
   "dependencies": {
-    "graphql-playground-html": "^1.6.23"
+    "graphql-playground-html": "1.6.25"
   },
   "typings": "dist/index.d.ts",
   "typescript": {

packages/graphql-playground-middleware-hapi/package.json

@@ -1,6 +1,6 @@
 {
   "name": "graphql-playground-middleware-hapi",
-  "version": "1.6.14",
+  "version": "1.6.15",
   "homepage": "https://github.com/graphcool/graphql-playground/tree/master/packages/graphql-playground-middleware-hapi",
   "description": "GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration).",
   "contributors": [
@@ -40,6 +40,6 @@
     "definition": "dist/index.d.ts"
   },
   "dependencies": {
-    "graphql-playground-html": "^1.6.23"
+    "graphql-playground-html": "1.6.25"
   }
 }

packages/graphql-playground-middleware-koa/package.json

@@ -1,6 +1,6 @@
 {
   "name": "graphql-playground-middleware-koa",
-  "version": "1.6.16",
+  "version": "1.6.17",
   "homepage": "https://github.com/graphcool/graphql-playground/tree/master/packages/graphql-playground-middleware-koa",
   "description": "GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration).",
   "contributors": [
@@ -39,6 +39,6 @@
     "definition": "dist/index.d.ts"
   },
   "dependencies": {
-    "graphql-playground-html": "^1.6.23"
+    "graphql-playground-html": "1.6.25"
   }
 }

packages/graphql-playground-middleware-koa/src/index.ts

@@ -1,14 +1,15 @@
-import { Context } from 'koa'
+import { Context, Next } from 'koa'
 import {
   MiddlewareOptions,
   renderPlaygroundPage,
 } from 'graphql-playground-html'
 
-/* tslint:disable-next-line */
+export declare type KoaPlaygroundMiddlewareOptions = MiddlewareOptions
 
-export type KoaPlaygroundMiddleware = (ctx: Context, next: () => void) => void
+/* tslint:disable-next-line */
+export type KoaPlaygroundMiddleware = (ctx: Context, next: Next) => Promise<void>
 
-export type Register = (options: MiddlewareOptions) => KoaPlaygroundMiddleware
+export type Register = (options: KoaPlaygroundMiddlewareOptions) => KoaPlaygroundMiddleware
 
 const koa: Register = options => {
   return async function voyager(ctx, next) {

packages/graphql-playground-middleware-lambda/package.json

@@ -1,7 +1,7 @@
 {
   "name": "graphql-playground-middleware-lambda",
-  "version": "1.7.18",
-  "homepage": "https://github.com/graphcool/graphql-playground/tree/master/packages/graphql-playground-middleware-lambada",
+  "version": "1.7.19",
+  "homepage": "https://github.com/graphcool/graphql-playground/tree/master/packages/graphql-playground-middleware-lambda",
   "description": "GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration).",
   "contributors": [
     "Tim Suchanek <[email protected]>",
@@ -39,6 +39,6 @@
     "definition": "dist/index.d.ts"
   },
   "dependencies": {
-    "graphql-playground-html": "^1.6.23"
+    "graphql-playground-html": "1.6.25"
   }
 }

packages/graphql-playground-react/src/components/Playground/TopBar/TopBar.tsx

@@ -22,6 +22,7 @@ import {
 import { share } from '../../../state/sharing/actions'
 import { openHistory } from '../../../state/general/actions'
 import { getSettings } from '../../../state/workspace/reducers'
+import { Session } from '../../../state/sessions/reducers'
 import { ISettings } from '../../../types'
 
 export interface Props {
@@ -30,6 +31,7 @@ export interface Props {
   fixedEndpoint?: boolean
   isPollingSchema: boolean
   endpointUnreachable: boolean
+  session: Session
 
   editEndpoint: (value: string) => void
   prettifyQuery: () => void
@@ -111,8 +113,7 @@ class TopBar extends React.Component<Props, {}> {
     this.props.openHistory()
   }
   getCurl = () => {
-    // no need to rerender the whole time. only on-demand the store is fetched
-    const session = getSelectedSession(this.context.store.getState())
+    const session = this.props.session
     let variables
     try {
       variables = JSON.parse(session.variables)
@@ -157,6 +158,7 @@ const mapStateToProps = createStructuredSelector({
   isPollingSchema: getIsPollingSchema,
   endpointUnreachable: getEndpointUnreachable,
   settings: getSettings,
+  session: getSelectedSession,
 })
 
 export default connect(