Various potential security issues within Apollo GraphQL iOS #3464
Comments
Hi @richardtop 👋🏻 You're correct in the assumption that SimpleUploadServer was exclusively to support test code. It has never been included in any of the iOS libraries.
Hi @calvincestari, I appreciate the thorough feedback. This is an important issue since it concerns software security. Glad to get this kind of answer. Also, there is another issue: I see that my email to [email protected] has never been answered, i.e. are you monitoring that email actively? From my understanding that's the intent of the email, so as not to raise these issues publicly before they're correctly disclosed. I'm only disclosing these issues because I suspected they were related to the testing code.
Hi @richardtop! I'm a security engineer at Apollo. I want to apologize for the lack of response to your email. We did receive the message to security@ and it automatically generated a ticket for us to work. It looks like the ticket was opened in a way where the messages I was trying to send to you from the ticket were being sent back to security@ rather than your email. I believe some anti-email-loop protections were preventing me from seeing that I was talking to myself. 😓 We'll check for any other tickets that may be in a similar state and sort out whatever issue obviously exists in the ticket creation process.
Thanks for the follow-up. Looks like we've uncovered another important security issue. Glad you were able to troubleshoot this.
Summary
Hello,
I'd like to clarify a few potential security vulnerabilities related to the Apollo GraphQL code.
I've discovered a few security issues that might be relevant to the Apollo codebase; more specifically, they might be related to the test code.
Could you please clarify whether any of these issues are known to you and/or whether they were related only to the test code:
https://github.com/apollographql/apollo-ios/tree/1.1.3/SimpleUploadServer
The issues are as follows:
Path Traversal (https://cwe.mitre.org/data/definitions/23.html)
Denial of Service (DoS)
Prototype Poisoning
Denial of Service (DoS) through Nested GraphQL Queries
Could you please confirm that this "SimpleUploadServer" has been used exclusively for testing?
I cannot see this server present in the newest versions of Apollo GraphQL (1.15.2); could you please explain why it was removed?
If that server has been used for anything other than the test code, I can provide more details regarding those security issues. Otherwise, it's clear that those are non-issues, as the testing code wasn't used in production systems and those vulnerabilities couldn't have been exploited.
Version
1.1.3
Steps to reproduce the behavior
Logs
No response
Anything else?
I've tried to reach out through [email protected], but received no reply. Please get in touch with me to discuss these issues in detail.