fix: GraphQL WebSocket endpoint bypasses security middleware ([GHSA-p2x3-8689-cwpg](GHSA-p2x3-8689-cwpg)) (#10189)

Author: mtrezza

package-lock.json

@@ -57,7 +57,6 @@
     "rate-limit-redis": "4.2.0",
     "redis": "5.10.0",
     "semver": "7.7.2",
-    "subscriptions-transport-ws": "0.11.0",
     "tv4": "1.3.0",
     "uuid": "11.1.0",
     "winston": "3.19.0",

package.json

@@ -3,21 +3,16 @@ const express = require('express');
 const req = require('../lib/request');
 const fetch = (...args) => import('node-fetch').then(({ default: fetch }) => fetch(...args));
 const FormData = require('form-data');
-const ws = require('ws');
 require('./helper');
 const { updateCLP } = require('./support/dev');
 
 const pluralize = require('pluralize');
-const { getMainDefinition } = require('@apollo/client/utilities');
 const createUploadLink = (...args) => import('apollo-upload-client/createUploadLink.mjs').then(({ default: fn }) => fn(...args));
-const { SubscriptionClient } = require('subscriptions-transport-ws');
-const { WebSocketLink } = require('@apollo/client/link/ws');
 const { mergeSchemas } = require('@graphql-tools/schema');
 const {
   ApolloClient,
   InMemoryCache,
   ApolloLink,
-  split,
   createHttpLink,
 } = require('@apollo/client/core');
 const gql = require('graphql-tag');
@@ -58,7 +53,6 @@ describe('ParseGraphQLServer', () => {
     parseGraphQLServer = new ParseGraphQLServer(parseServer, {
       graphQLPath: '/graphql',
       playgroundPath: '/playground',
-      subscriptionsPath: '/subscriptions',
     });
 
     const logger = require('../lib/logger').default;
@@ -241,16 +235,6 @@ describe('ParseGraphQLServer', () => {
     });
   });
 
-  describe('createSubscriptions', () => {
-    it('should require initialization with config.subscriptionsPath', () => {
-      expect(() =>
-        new ParseGraphQLServer(parseServer, {
-          graphQLPath: 'graphql',
-        }).createSubscriptions({})
-      ).toThrow('You must provide a config.subscriptionsPath to createSubscriptions!');
-    });
-  });
-
   describe('setGraphQLConfig', () => {
     let parseGraphQLServer;
     beforeEach(() => {
@@ -467,41 +451,23 @@ describe('ParseGraphQLServer', () => {
       parseGraphQLServer = new ParseGraphQLServer(_parseServer, {
         graphQLPath: '/graphql',
         playgroundPath: '/playground',
-        subscriptionsPath: '/subscriptions',
         ...parseGraphQLServerOptions,
       });
       parseGraphQLServer.applyGraphQL(expressApp);
       parseGraphQLServer.applyPlayground(expressApp);
-      parseGraphQLServer.createSubscriptions(httpServer);
       await new Promise(resolve => httpServer.listen({ port: 13377 }, resolve));
     }
 
     beforeEach(async () => {
       await createGQLFromParseServer(parseServer);
 
-      const subscriptionClient = new SubscriptionClient(
-        'ws://localhost:13377/subscriptions',
-        {
-          reconnect: true,
-          connectionParams: headers,
-        },
-        ws
-      );
-      const wsLink = new WebSocketLink(subscriptionClient);
       const httpLink = await createUploadLink({
         uri: 'http://localhost:13377/graphql',
         fetch,
         headers,
       });
       apolloClient = new ApolloClient({
-        link: split(
-          ({ query }) => {
-            const { kind, operation } = getMainDefinition(query);
-            return kind === 'OperationDefinition' && operation === 'subscription';
-          },
-          wsLink,
-          httpLink
-        ),
+        link: httpLink,
         cache: new InMemoryCache(),
         defaultOptions: {
           query: {

spec/ParseGraphQLServer.spec.js

@@ -1,5 +1,10 @@
+const http = require('http');
+const express = require('express');
+const fetch = (...args) => import('node-fetch').then(({ default: fetch }) => fetch(...args));
+const ws = require('ws');
 const request = require('../lib/request');
 const Config = require('../lib/Config');
+const { ParseGraphQLServer } = require('../lib/GraphQL/ParseGraphQLServer');
 
 describe('Vulnerabilities', () => {
   describe('(GHSA-8xq9-g7ch-35hg) Custom object ID allows to acquire role privilege', () => {
@@ -2456,4 +2461,100 @@ describe('(GHSA-c442-97qw-j6c6) SQL Injection via $regex query operator field na
       expect(userB.id).toBeDefined();
     });
   });
+
+  describe('(GHSA-p2x3-8689-cwpg) GraphQL WebSocket middleware bypass', () => {
+    let httpServer;
+    const gqlPort = 13399;
+
+    const gqlHeaders = {
+      'X-Parse-Application-Id': 'test',
+      'X-Parse-Javascript-Key': 'test',
+      'Content-Type': 'application/json',
+    };
+
+    async function setupGraphQLServer(serverOptions = {}, graphQLOptions = {}) {
+      if (httpServer) {
+        await new Promise(resolve => httpServer.close(resolve));
+      }
+      const server = await reconfigureServer(serverOptions);
+      const expressApp = express();
+      httpServer = http.createServer(expressApp);
+      expressApp.use('/parse', server.app);
+      const parseGraphQLServer = new ParseGraphQLServer(server, {
+        graphQLPath: '/graphql',
+        ...graphQLOptions,
+      });
+      parseGraphQLServer.applyGraphQL(expressApp);
+      await new Promise(resolve => httpServer.listen({ port: gqlPort }, resolve));
+      return parseGraphQLServer;
+    }
+
+    async function gqlRequest(query, headers = gqlHeaders) {
+      const response = await fetch(`http://localhost:${gqlPort}/graphql`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({ query }),
+      });
+      return { status: response.status, body: await response.json().catch(() => null) };
+    }
+
+    afterEach(async () => {
+      if (httpServer) {
+        await new Promise(resolve => httpServer.close(resolve));
+        httpServer = null;
+      }
+    });
+
+    it('should not have createSubscriptions method', async () => {
+      const pgServer = await setupGraphQLServer();
+      expect(pgServer.createSubscriptions).toBeUndefined();
+    });
+
+    it('should not accept WebSocket connections on /subscriptions path', async () => {
+      await setupGraphQLServer();
+      const connectionResult = await new Promise((resolve) => {
+        const socket = new ws(`ws://localhost:${gqlPort}/subscriptions`);
+        socket.on('open', () => {
+          socket.close();
+          resolve('connected');
+        });
+        socket.on('error', () => {
+          resolve('refused');
+        });
+        setTimeout(() => {
+          socket.close();
+          resolve('timeout');
+        }, 2000);
+      });
+      expect(connectionResult).not.toBe('connected');
+    });
+
+    it('HTTP GraphQL should still work with API key', async () => {
+      await setupGraphQLServer();
+      const result = await gqlRequest('{ health }');
+      expect(result.status).toBe(200);
+      expect(result.body?.data?.health).toBeTruthy();
+    });
+
+    it('HTTP GraphQL should still reject requests without API key', async () => {
+      await setupGraphQLServer();
+      const result = await gqlRequest('{ health }', { 'Content-Type': 'application/json' });
+      expect(result.status).toBe(403);
+    });
+
+    it('HTTP introspection control should still work', async () => {
+      await setupGraphQLServer({}, { graphQLPublicIntrospection: false });
+      const result = await gqlRequest('{ __schema { types { name } } }');
+      expect(result.body?.errors).toBeDefined();
+      expect(result.body.errors[0].message).toContain('Introspection is not allowed');
+    });
+
+    it('HTTP complexity limits should still work', async () => {
+      await setupGraphQLServer({ requestComplexity: { graphQLFields: 5 } });
+      const fields = Array.from({ length: 10 }, (_, i) => `f${i}: health`).join(' ');
+      const result = await gqlRequest(`{ ${fields} }`);
+      expect(result.body?.errors).toBeDefined();
+      expect(result.body.errors[0].message).toMatch(/exceeds maximum allowed/);
+    });
+  });
 });

spec/vulnerabilities.spec.js

@@ -4,8 +4,7 @@ import { ApolloServer } from '@apollo/server';
 import { expressMiddleware } from '@as-integrations/express5';
 import { ApolloServerPluginCacheControlDisabled } from '@apollo/server/plugin/disabled';
 import express from 'express';
-import { execute, subscribe, GraphQLError, parse } from 'graphql';
-import { SubscriptionServer } from 'subscriptions-transport-ws';
+import { GraphQLError, parse } from 'graphql';
 import { handleParseErrors, handleParseHeaders, handleParseSession } from '../middlewares';
 import requiredParameter from '../requiredParameter';
 import defaultLogger from '../logger';
@@ -261,23 +260,6 @@ class ParseGraphQLServer {
     );
   }
 
-  createSubscriptions(server) {
-    SubscriptionServer.create(
-      {
-        execute,
-        subscribe,
-        onOperation: async (_message, params, webSocket) =>
-          Object.assign({}, params, await this._getGraphQLOptions(webSocket.upgradeReq)),
-      },
-      {
-        server,
-        path:
-          this.config.subscriptionsPath ||
-          requiredParameter('You must provide a config.subscriptionsPath to createSubscriptions!'),
-      }
-    );
-  }
-
   setGraphQLConfig(graphQLConfig: ParseGraphQLConfig): Promise {
     return this.parseGraphQLController.updateGraphQLConfig(graphQLConfig);
   }