GHSA-4852-vrh7-28rf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4852-vrh7-28rf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-4852-vrh7-28rf/GHSA-4852-vrh7-28rf.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4852-vrh7-28rf
- Aliases
- Related
- Published
- 2020-06-09T00:24:57Z
- Modified
- 2023-11-01T04:53:19.159057Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N CVSS Calculator
- Summary
- Reflected XSS in GraphQL Playground
- Details
-
Impact
directly impacted:
graphql-playground-html@<1.6.22- all unsanitized user input forrenderPlaygroundPage()
all of our consuming packages of
graphql-playground-htmlare impacted:graphql-playground-middleware-express@<1.7.16- unsanitized user input toexpressPlayground()graphql-playground-middleware-koa@<1.6.15- unsanitized user input tokoaPlayground()graphql-playground-middleware-lambda@<1.7.17- unsanitized user input tolambdaPlayground()graphql-playground-middleware-hapi@<1.6.13- unsanitized user input tohapiPlayground()
as well as any other packages that use these methods with unsanitized user input.
not impacted:
graphql-playground-electron- usesrenderPlaygroundPage()statically for a webpack build for electron bundle, no dynamic user inputgraphql-playground-react- usage of the component directly in a react application does not expose reflected XSS vulnerabilities. only the demo inpublic/contains the vulnerability, because it uses an old version of the html pacakge.
Patches
upgrading to the above mentioned versions will solve the issue.
If you're using
graphql-playground-htmldirectly, then:yarn add graphql-playground-html@^1.6.22or
npm install --save graphql-playground-html@^1.6.22Then, similar steps need to be taken for each middleware:
Workarounds
Ensure you properly sanitize all user input for options you use for whatever function to initialize GraphQLPlayground:
for example, with
graphql-playground-htmland express:const { sanitizeUrl } = require('@braintree/sanitize-url'); const qs = require('querystringify'); const { renderPlaygroundPage } = require('graphql-playground-html'); module.exports = (req, res, next) => { const { endpoint } = qs.parse(req.url) res.html(renderPlaygroundPage({endpoint: sanitizeUrl(endpoint) })).status(200) next() }or, with
graphql-playground-express:const { expressPlayground } = require('graphql-playground-middleware-express'); const { sanitizeUrl } = require('@braintree/sanitize-url'); const qs = require('querystringify'); const { renderPlaygroundPage } = require('graphql-playground-html'); module.exports = (req, res, next) => { const { endpoint } = qs.parse(req.url) res.html(expressPlayground({endpoint: sanitizeUrl(endpoint) })).status(200) next() }References
Credits
Masato Kinugawa of Cure53
For more information
If you have any questions or comments about this advisory: * Open an issue in graphql-playground * Email us at rikki.schulte@gmail.com
- Database specific
{ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-08T20:27:53Z", "nvd_published_at": null, "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/graphql/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
- https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
- https://nvd.nist.gov/vuln/detail/CVE-2020-4038
- https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7
- https://github.com/prisma-labs/graphql-playground#security-details
Affected packages
npm / graphql-playground-html
Package
- Name
- graphql-playground-html
- View open source insights on deps.dev
- Purl
- pkg:npm/graphql-playground-html