GHSA-4852-VRH7-28RF

Vulnerability from github – Published: 2020-06-09 00:24 – Updated: 2021-11-04 17:11
Summary
Reflected XSS in GraphQL Playground
Details

Impact

directly impacted:

  • graphql-playground-html@<1.6.22 - all unsanitized user input for renderPlaygroundPage()

all of our consuming packages of graphql-playground-html are impacted:

  • graphql-playground-middleware-express@<1.7.16 - unsanitized user input to expressPlayground()
  • graphql-playground-middleware-koa@<1.6.15 - unsanitized user input to koaPlayground()
  • graphql-playground-middleware-lambda@<1.7.17 - unsanitized user input to lambdaPlayground()
  • graphql-playground-middleware-hapi@<1.6.13 - unsanitized user input to hapiPlayground()

as well as any other packages that use these methods with unsanitized user input.

not impacted:

  • graphql-playground-electron - uses renderPlaygroundPage() statically for a webpack build for electron bundle, no dynamic user input
  • graphql-playground-react - usage of the component directly in a react application does not expose reflected XSS vulnerabilities. Only the demo in public/ contains the vulnerability, because it uses an old version of the html package.

Patches

upgrading to the above mentioned versions will solve the issue.

If you're using graphql-playground-html directly, then:

yarn add graphql-playground-html@^1.6.22

or

npm install --save graphql-playground-html@^1.6.22

Then, similar steps need to be taken for each middleware:

  • Upgrade Express Middleware: https://www.npmjs.com/package/graphql-playground-middleware-express#security-upgrade-steps
  • Upgrade Koa Middleware: https://www.npmjs.com/package/graphql-playground-middleware-koa#security-upgrade-steps
  • Upgrade Lambda Middleware: https://www.npmjs.com/package/graphql-playground-middleware-lambda#security-upgrade-steps
  • Upgrade Hapi Middleware: https://www.npmjs.com/package/graphql-playground-middleware-hapi#security-upgrade-steps

Workarounds

Ensure you properly sanitize all user input that is passed as options to whichever function you use to initialize GraphQL Playground:

for example, with graphql-playground-html and express:

const { sanitizeUrl } = require('@braintree/sanitize-url');
const { renderPlaygroundPage } = require('graphql-playground-html');

// Express has already parsed the query string into req.query; sanitizeUrl()
// rejects javascript: and similar schemes before the value reaches the page.
module.exports = (req, res) => {
    const { endpoint } = req.query
    res.status(200).send(renderPlaygroundPage({ endpoint: sanitizeUrl(endpoint) }))
}

or, with graphql-playground-middleware-express (expressPlayground() takes the options and returns an Express handler, which is then invoked with the request):

const { expressPlayground } = require('graphql-playground-middleware-express');
const { sanitizeUrl } = require('@braintree/sanitize-url');

module.exports = (req, res, next) => {
    const { endpoint } = req.query
    expressPlayground({ endpoint: sanitizeUrl(endpoint) })(req, res, next)
}
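As an added example that is not part of the advisory or of the graphql-playground code, the block below shows the two checks a workaround like the ones above needs when playground options come from the query string: restricting the endpoint to an http(s) URL or a same-origin path (the job @braintree/sanitize-url does in the examples above), and escaping the option object before it is inlined into a script block. The function names and the fallback endpoint are hypothetical.

```javascript
// Added example, not from the advisory or the graphql-playground project.
// Function names and the '/graphql' fallback are hypothetical.

// Accept only a same-origin path or an http(s) URL as the endpoint; anything
// else (for instance a javascript: scheme) falls back to a fixed default.
function safeEndpoint(value) {
  const fallback = '/graphql';
  if (typeof value !== 'string' || value.length === 0) return fallback;
  if (value.startsWith('/') && !value.startsWith('//')) return value;
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : fallback;
  } catch (e) {
    return fallback;
  }
}

// JSON.stringify alone is not safe inside an inline <script>: the HTML parser
// closes the script at the first "</script" regardless of the JS context.
// Escaping <, >, & and the JS line terminators U+2028/U+2029 removes that risk.
function serializeForInlineScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the playground options from a parsed query (the shape of Express's
// req.query) with an allow-list, so unknown query keys never reach the page.
function buildPlaygroundOptions(query) {
  return {
    endpoint: safeEndpoint(query.endpoint),
    title: typeof query.title === 'string' ? query.title.slice(0, 100) : 'GraphQL Playground',
  };
}

// The only place where the (now validated and escaped) values are written into HTML.
function renderInlineConfig(query) {
  const opts = serializeForInlineScript(buildPlaygroundOptions(query));
  return `<script>window.PLAYGROUND_OPTIONS = ${opts};</script>`;
}
```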

References

  • OWASP: How to Test for CSS Reflection Attacks: https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.md
  • Original Report from Cure53 (jpg): https://user-images.githubusercontent.com/1368727/84191028-dfb7b980-aa65-11ea-8e18-4b8706f538e2.jpg

Credits

Masato Kinugawa of Cure53

For more information

If you have any questions or comments about this advisory:

  • Open an issue in graphql-playground (https://github.com/prisma-labs/graphql-playground/issues/new/choose)
  • Email us at rikki.schulte@gmail.com


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "graphql-playground-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-4038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-08T20:27:53Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\n**directly impacted:**\n\n- `graphql-playground-html@\u003c1.6.22` - all unsanitized user input for `renderPlaygroundPage()`\n\n**all of our consuming packages** of `graphql-playground-html` are impacted:\n\n- `graphql-playground-middleware-express@\u003c1.7.16` - unsanitized user input to `expressPlayground()`\n- `graphql-playground-middleware-koa@\u003c1.6.15` - unsanitized user input to `koaPlayground()`\n- `graphql-playground-middleware-lambda@\u003c1.7.17` - unsanitized user input to `lambdaPlayground()`\n- `graphql-playground-middleware-hapi@\u003c1.6.13` - unsanitized user input to `hapiPlayground()`\n\nas well as ***any other packages*** that use these methods with unsanitized user input.\n\n**not impacted:**\n\n- `graphql-playground-electron` - uses `renderPlaygroundPage()` statically for a webpack build for electron bundle, no dynamic user input\n- `graphql-playground-react` - usage of the component directly in a react application does not expose reflected XSS vulnerabilities. 
only the demo in `public/` contains the vulnerability, because it uses an old version of the html pacakge.\n\n### Patches\n\nupgrading to the above mentioned versions will solve the issue.\n\nIf you\u0027re using `graphql-playground-html` directly, then:\n\n```\nyarn add graphql-playground-html@^1.6.22\n```\n\nor\n\n```\nnpm install --save graphql-playground-html@^1.6.22\n```\n\nThen, similar steps need to be taken for each middleware:\n\n- [Upgrade Express Middleware](https://www.npmjs.com/package/graphql-playground-middleware-express#security-upgrade-steps)\n- [Upgrade Koa Middleware](https://www.npmjs.com/package/graphql-playground-middleware-koa#security-upgrade-steps)\n- [Upgrade Lambda Middleware](https://www.npmjs.com/package/graphql-playground-middleware-lambda#security-upgrade-steps)\n- [Upgrade Hapi Middleware](https://www.npmjs.com/package/graphql-playground-middleware-hapi#security-upgrade-steps)\n\n### Workarounds\n\nEnsure you properly sanitize *all* user input for options you use for whatever function to initialize GraphQLPlayground:\n\nfor example, with `graphql-playground-html` and express:\n\n```js\nconst { sanitizeUrl } = require(\u0027@braintree/sanitize-url\u0027);\n\nconst qs = require(\u0027querystringify\u0027);\n\nconst { renderPlaygroundPage } = require(\u0027graphql-playground-html\u0027);\n\nmodule.exports = (req, res, next) =\u003e {\n\tconst { endpoint } = qs.parse(req.url)\n\tres.html(renderPlaygroundPage({endpoint: sanitizeUrl(endpoint) })).status(200)\n\tnext()\n}\n```\n\nor, with `graphql-playground-express`:\n\n```js\nconst { expressPlayground } = require(\u0027graphql-playground-middleware-express\u0027);\nconst { sanitizeUrl } = require(\u0027@braintree/sanitize-url\u0027);\n\nconst qs = require(\u0027querystringify\u0027);\n\nconst { renderPlaygroundPage } = require(\u0027graphql-playground-html\u0027);\n\nmodule.exports = (req, res, next) =\u003e {\n\tconst { endpoint } = 
qs.parse(req.url)\n\tres.html(expressPlayground({endpoint: sanitizeUrl(endpoint) })).status(200)\n\tnext()\n}\n```\n\n### References\n\n- [OWASP: How to Test for CSS Reflection Attacks](https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.md)\n- [Original Report from Cure53](https://user-images.githubusercontent.com/1368727/84191028-dfb7b980-aa65-11ea-8e18-4b8706f538e2.jpg) (jpg)\n\n\n### Credits\n\nMasato Kinugawa of Cure53\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [graphql-playground](https://github.com/prisma-labs/graphql-playground/issues/new/choose)\n* Email us at [rikki.schulte@gmail.com](mailto:rikki.schulte@gmail.com)\n",
  "id": "GHSA-4852-vrh7-28rf",
  "modified": "2021-11-04T17:11:46Z",
  "published": "2020-06-09T00:24:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/graphql/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4038"
    },
    {
      "type": "WEB",
      "url": "https://github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/prisma-labs/graphql-playground#security-details"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reflected XSS in GraphQL Playground"
}

