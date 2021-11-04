Note: The primary maintainer @acao is on hiatus until December 2020
SECURITY WARNING: both
graphql-playground-htmland all four (4) of it's middleware dependents until
graphql-playground-html@1.6.22were subject to an XSS Reflection attack vulnerability only to unsanitized user input strings to the functions therein. This was resolved in
graphql-playground-html@^1.6.22. More Information CVE-2020-4038
Future of this repository: see the announcement issue for details.
GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration).
$ brew install --cask graphql-playground
NOTE: only unsanitized user input to the functions in these packages is vulnerable to the recently reported XSS Reflection attack.
Impacted are any and all unsanitized user-defined input to: -
renderPlaygroundPage()-
koaPlayground()-
expressPlayground()-
koaPlayground()-`lambdaPlayground()
If you used static values, such as
graphql-playground-electrondoes in it's webpack config, as well as the most common middleware implementations out there, they were not vulnerable to the attack.
The only reason this vulnerability exists is because we are using template strings in
renderPlaygroundPage() with potentially unsanitized user defined variables. This allows an attacker to inject html and javascript into the page.
Common examples may be user-defined path parameters, query string, unsanitized UI provided values in database, etc., that are used to build template strings or passed directly to a
renderPlaygroundPage() or the matching middleware function equivalent listed above.
All versions of these packages are impacted until the ones specified below, which are now safe for user defined input:
graphql-playground-html: ☔ safe @
1.6.22
graphql-playground-express ☔ safe @
1.7.16
graphql-playground-koa ☔ safe @
1.6.15
graphql-playground-hapi ☔ safe @
1.6.13
graphql-playground-lambda ☔ safe @
1.7.17
graphql-playground-electron has always been ☔ safe from XSS attacks! This is because configuration is statically defined it's webpack config
graphql-playground-react is safe because it does not use
renderPlaygroundPage() anywhere, and thus is not susceptible to template string XSS reflection attacks.
See the security docs for more details on how your implementation might be impacted by this vulnerability. It contains safe examples, unsafe examples, workarounds, and more details.
We've also provided 'an example of the xss using the express middleware
GraphQL Playground uses components of GraphiQL under the hood but is meant as a more powerful GraphQL IDE enabling better (local) development workflows. Compared to GraphiQL, the GraphQL Playground ships with the following additional features:
See the following question for more additonal features.
The desktop app is the same as the web version but includes these additional features:
*.graphql files.
You can easily share your Playgrounds with others by clicking on the "Share" button and sharing the generated link. You can think about GraphQL Bin like Pastebin for your GraphQL queries including the context (endpoint, HTTP headers, open tabs etc).
You can also find the announcement blog post here.
In the top right corner of the Playground window you can click on the settings icon. These are the settings currently available:
{
'editor.cursorShape': 'line', // possible values: 'line', 'block', 'underline'
'editor.fontFamily': `'Source Code Pro', 'Consolas', 'Inconsolata', 'Droid Sans Mono', 'Monaco', monospace`,
'editor.fontSize': 14,
'editor.reuseHeaders': true, // new tab reuses headers from last tab
'editor.theme': 'dark', // possible values: 'dark', 'light'
'general.betaUpdates': false,
'prettier.printWidth': 80,
'prettier.tabWidth': 2,
'prettier.useTabs': false,
'request.credentials': 'omit', // possible values: 'omit', 'include', 'same-origin'
'schema.polling.enable': true, // enables automatic schema polling
'schema.polling.endpointFilter': '*localhost*', // endpoint filter for schema polling
'schema.polling.interval': 2000, // schema polling interval in ms
'schema.disableComments': boolean,
'tracing.hideTracingResponse': true,
'tracing.tracingSupported': true, // set false to remove x-apollo-tracing header from Schema fetch requests
}
The React component
<Playground /> and all middlewares expose the following options:
props (Middlewares & React Component)
endpoint
string - the GraphQL endpoint url.
subscriptionEndpoint
string - the GraphQL subscriptions endpoint url.
workspaceName
string - in case you provide a GraphQL Config, you can name your workspace here
config
string - the JSON of a GraphQL Config. See an example here
settings
ISettings - Editor settings in json format as described here
interface ISettings {
'editor.cursorShape': 'line' | 'block' | 'underline'
'editor.fontFamily': string
'editor.fontSize': number
'editor.reuseHeaders': boolean
'editor.theme': 'dark' | 'light'
'general.betaUpdates': boolean
'prettier.printWidth': number
'prettier.tabWidth': number
'prettier.useTabs': boolean
'request.credentials': 'omit' | 'include' | 'same-origin'
'request.globalHeaders': { [key: string]: string }
'schema.polling.enable': boolean
'schema.polling.endpointFilter': string
'schema.polling.interval': number
'schema.disableComments': boolean
'tracing.hideTracingResponse': boolean
'tracing.tracingSupported': boolean
}
schema
IntrospectionResult - The result of an introspection query (an object of this form:
{__schema: {...}}) The playground automatically fetches the schema from the endpoint. This is only needed when you want to override the schema.
tabs
Tab[] - An array of tabs to inject. Note: When using this feature, tabs will be resetted each time the page is reloaded
interface Tab {
endpoint: string
query: string
name?: string
variables?: string
responses?: string[]
headers?: { [key: string]: string }
}
In addition to this, the React app provides some more properties:
props (React Component)
createApolloLink [
(session: Session, subscriptionEndpoint?: string) => ApolloLink] - this is the equivalent to the
fetcher of GraphiQL. For each query that is being executed, this function will be called
createApolloLink is only available in the React Component and not the middlewares, because the content must be serializable as it is being printed into a HTML template.
If you simply want to render the Playground HTML on your own, for example when implementing a GraphQL Server, there are 2 options for you:
Note: In case you do not want to serve assets from a CDN (like jsDelivr) and instead use a local copy, you will need to install
graphql-playground-react from npm, and then replace all instances of
//cdn.jsdelivr.net/npm with
./node_modules. An example can be found here
yarn add graphql-playground-react
GraphQL Playground provides a React component responsible for rendering the UI and Session management.
There are 3 dependencies needed in order to run the
graphql-playground-react React component.
<Playground /> component
The GraphQL Playground requires React 16.
Including Fonts (
1.)
<link
href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700|Source+Code+Pro:400,700"
rel="stylesheet"
/>
Including stylesheet and the component (
2., 3.)
import React from 'react'
import ReactDOM from 'react-dom'
import { Provider } from 'react-redux'
import { Playground, store } from 'graphql-playground-react'
ReactDOM.render(
<Provider store={store}>
<Playground endpoint='https://api.graph.cool/simple/v1/swapi' />
</Provider>,
document.body,
)
# Pick the one that matches your server framework
yarn add graphql-playground-middleware-express # for Express or Connect
yarn add graphql-playground-middleware-hapi
yarn add graphql-playground-middleware-koa
yarn add graphql-playground-middleware-lambda
We have a full example for each of the frameworks below:
Express: See packages/graphql-playground-middleware-express/examples/basic
Lambda (as serverless handler): See serverless-graphql-apollo or a quick example below.
yarn add graphql-playground-middleware-lambda
handler.js
import lambdaPlayground from 'graphql-playground-middleware-lambda'
// or using require()
// const lambdaPlayground = require('graphql-playground-middleware-lambda').default
exports.graphqlHandler = function graphqlHandler(event, context, callback) {
function callbackFilter(error, output) {
// eslint-disable-next-line no-param-reassign
output.headers['Access-Control-Allow-Origin'] = '*'
callback(error, output)
}
const handler = graphqlLambda({ schema: myGraphQLSchema })
return handler(event, context, callbackFilter)
}
exports.playgroundHandler = lambdaPlayground({
endpoint: '/dev/graphql',
})
serverless.yml
functions:
graphql:
handler: handler.graphqlHandler
events:
- http:
path: graphql
method: post
cors: true
playground:
handler: handler.playgroundHandler
events:
- http:
path: playground
method: get
cors: true
There is an XSS Reflection Vulnerability when using these middlewares with unsanitized user input before
$ cd packages/graphql-playground-react
$ yarn
$ yarn start
Open localhost:3000/localDev.html?endpoint=https://api.graph.cool/simple/v1/swapi for local development!
This repository is managed by EasyCLA. Project participants must sign the free (GraphQL Specification Membership agreement before making a contribution. You only need to do this one time, and it can be signed by individual contributors or their employers.
To initiate the signature process please open a PR against this repo. The EasyCLA bot will block the merge if we still need a membership agreement from you.
You can find detailed information here. If you have issues, please email operations@graphql.org.
If your company benefits from GraphQL and you would like to provide essential financial support for the systems and people that power our community, please also consider membership in the GraphQL Foundation.
From
graphql-playground-react@1.7.0 on you can provide a
codeTheme property to the React Component to customize your color theme.
These are the available options:
export interface EditorColours {
property: string
comment: string
punctuation: string
keyword: string
def: string
qualifier: string
attribute: string
number: string
string: string
builtin: string
string2: string
variable: string
meta: string
atom: string
ws: string
selection: string
cursorColor: string
editorBackground: string
resultBackground: string
leftDrawerBackground: string
rightDrawerBackground: string
}
This is repository is a "mono repo" and contains multiple packages using Yarn workspaces. Please be aware that versions are not synchronised between packages. The versions of the release page refer to the electron app.
In the folder
packages you'll find the following packages:
graphql-playground-electron: Cross-platform electron app which uses
graphql-playground-react
graphql-playground-html: Simple HTML page rendering a version of
graphql-playground-react hosted on JSDeliver
graphql-playground-middleware-express: Express middleware using
graphql-playground-html
graphql-playground-middleware-hapi: Hapi middleware using
graphql-playground-html
graphql-playground-middleware-koa: Koa middleware using
graphql-playground-html
graphql-playground-middleware-lambda: AWS Lambda middleware using
graphql-playground-html
graphql-playground-react: Core of GraphQL Playground built with ReactJS
Join our Discord Server if you run into issues or have questions. We love talking to you!