I was testing my API with Postman and found that if an incorrect multipart request operation is executed, the server just restarts.
Here's the example of request that I send to the server.
operations:{"query":"query ($file:Upload){me(file: $file) { _id }}", "variables" : }
map:{"0": ["variables.file"] }
Notice that I'm passing a file variable of type Upload to a me query (where it should not be); as a result I get an error SyntaxError: Unexpected token } in JSON... and the app exits with code 1.
I don't think that it's a desirable behaviour in such a situation.
This is because Apollo Server uses a fork of apollo-upload-server (recently renamed graphql-upload) at an outdated version, v5. This issue, and many others, have been fixed in the following several major releases (currently v8): https://github.com/jaydenseric/graphql-upload/blob/master/changelog.md
As I said in #1703, shouldn't these security issues be reported so that people are aware when they install this package? If the apollo team intends to wait for the node 6 LTS period to end, apollo users are stuck with an insecure version of the upload server (unless the fixes are backported) for a long time to come.
This should be fixed by #2054. As I've requested in that PR, I'd really appreciate anyone who is utilizing file uploads trying to upgrade to the alpha which updates graphql-upload to v8. I've detailed the progress on this matter extensively in #2054, but the high-bit is that this should be ready to be tried now in [email protected]. Please report any problems (or successes!) you encounter with the upgrade, as the feedback will guide its final release.
Ref: https://github.com/apollographql/apollo-server/pull/2054#issuecomment-444471202
The alpha releases didn't identify any problems so I've graduated this to the official apollo-server-*@2.3.0 releases.
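The failure reported above is a malformed `operations` field in a GraphQL multipart request reaching a bare `JSON.parse`, whose uncaught SyntaxError brings the process down. As an added illustration (not Apollo Server's or graphql-upload's own code), the function below validates the `operations` and `map` fields per the GraphQL multipart request spec and returns a 400-style result instead of throwing; the field contents are the ones from the report, embedded here as constructed test input.

```javascript
// Added example, not code from Apollo Server or graphql-upload. Validates the
// `operations` and `map` multipart fields before they reach the executor so
// malformed JSON yields a client error rather than an uncaught SyntaxError.

// The exact `operations` field from the report above (note the missing value
// after "variables"), together with its `map`, embedded as constructed input.
const BAD_OPERATIONS = '{"query":"query ($file:Upload){me(file: $file) { _id }}", "variables" : }';
const MAP_FIELD = '{"0": ["variables.file"] }';

// Parse one JSON form field, returning an error description instead of throwing.
function parseJsonField(name, text) {
  if (typeof text !== 'string') return { error: `Missing multipart field "${name}".` };
  try {
    return { value: JSON.parse(text) };
  } catch (e) {
    // JSON.parse throws SyntaxError on truncated or malformed input.
    return { error: `Invalid JSON in multipart field "${name}": ${e.message}` };
  }
}

// Validate both fields and return a result object the HTTP layer can turn into
// a response. This function never throws, whatever the client sends.
function validateMultipartRequest(operationsText, mapText) {
  const ops = parseJsonField('operations', operationsText);
  if (ops.error) return { ok: false, status: 400, error: ops.error };
  // `operations` may be a single operation object or a batch array.
  if (typeof ops.value !== 'object' || ops.value === null) {
    return { ok: false, status: 400, error: '"operations" must be a JSON object or array.' };
  }
  const map = parseJsonField('map', mapText);
  if (map.error) return { ok: false, status: 400, error: map.error };
  if (typeof map.value !== 'object' || map.value === null || Array.isArray(map.value)) {
    return { ok: false, status: 400, error: '"map" must be a JSON object.' };
  }
  // Every map entry must be an array of dotted object paths into `operations`.
  for (const [fileKey, paths] of Object.entries(map.value)) {
    if (!Array.isArray(paths) || !paths.every((p) => typeof p === 'string' && p.length > 0)) {
      return { ok: false, status: 400, error: `"map" entry "${fileKey}" must be an array of object paths.` };
    }
  }
  return { ok: true, operations: ops.value, map: map.value };
}
```

A middleware built on this would respond with `result.status` and `result.error` when `result.ok` is false, so the bad request from the report is rejected without the process exiting.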