GMS-2020-68: Introspection in schema validation in Apollo Server

June 5, 2020 (updated August 31, 2020)

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules (i.e., using validationRules) since there would be no expectation that introspection was disabled.

References

github.com/advisories/GHSA-w42g-7vfc-xf37
github.com/apollographql/apollo-server/commit/e2e816316f5c28a03de2ee1589edb2b10c358114
github.com/apollographql/apollo-server/security/advisories/GHSA-w42g-7vfc-xf37

Code Behaviors & Features

Detect and mitigate GMS-2020-68 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →