From f79cb43be0e48aaec1e98aa92d7dc06398773aec Mon Sep 17 00:00:00 2001 From: Jesse Rosenberger Date: Tue, 27 Aug 2024 17:49:45 +0300 Subject: [PATCH] Changelog preparation before final release of v1.52.1 --- .changesets/fix_bryn_limits.md | 34 ---------------------------------- CHANGELOG.md | 24 ++++++++++++++++++++++++ 2 files changed, 24 insertions(+), 34 deletions(-) delete mode 100644 .changesets/fix_bryn_limits.md diff --git a/.changesets/fix_bryn_limits.md b/.changesets/fix_bryn_limits.md deleted file mode 100644 index 06918f6750..0000000000 --- a/.changesets/fix_bryn_limits.md +++ /dev/null 
@@ -1,34 +0,0 @@ -### Payload limits may exceed configured maximum ([Issue #ISSUE_NUMBER](https://github.com/apollographql/router/issues/ISSUE_NUMBER)) - -When processing requests the configured limits as defined in the `limits` section may be ignored: -```yaml -limits: - http_max_request_bytes: 2000000 -``` - -Plugins that execute services during the `router` lifecycle will not respect the configured limits. Potentially leading to a denial of service attack vector. - -#### Built features affected: -* Coprocessors configured to send the entire body of a request are vulnerable to this issue: -```yaml -coprocessor: - url: http://localhost:8080 - router: - request: - body: true -``` - -#### Fix details -Body size limits are now moved to earlier in the pipeline to ensure that coprocessors and user plugins respect -the configured limits. -Reading a request body past the configured limit will now abort the request and return a 413 response -to the client instead of delegating to the code reading the body to handle the error. - -#### User impact -Body size limits are now enforced for all requests in the main graphql router pipeline. Custom plugins are covered by -this and any attempt to read the body past the configured limit will abort the request and return a 413 response to the client. - -Coprocessors, rhai and native plugins do not have an opportunity to intercept aborted requests. It is advised to use -the telemetry features within the router if you need to track these events. - -By [@bryncooke](https://github.com/AUTHOR) in https://github.com/apollographql/router/pull/PULL_NUMBER diff --git a/CHANGELOG.md b/CHANGELOG.md index c2db241d92..8fc01da455 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,30 @@ All notable changes to Router will be documented in this file. This project adheres to [Semantic Versioning v2.0.0](https://semver.org/spec/v2.0.0.html). +# [1.52.1] - 2024-08-27 + +> [!IMPORTANT] +> If you have enabled [Distributed query plan caching](https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching), this release changes the hashing algorithm used for the cache keys. On account of this, you should anticipate additional cache regeneration cost when updating between these versions while the new hashing algorithm comes into service. + +## 🔒 Security + +### CVE-2024-43783: Payload limits may exceed configured maximum + +Correct a denial-of-service vulnerability which, under certain non-default configurations below, made it possible to exceed the configured request payload maximums set with the [`limits.http_max_request_bytes`](https://www.apollographql.com/docs/router/configuration/overview/#http_max_request_bytes) option. + +This affects the following non-default Router configurations: + +1. Those configured to send request bodies to [External Coprocessors](https://www.apollographql.com/docs/router/customizations/coprocessor) where the `coprocessor.router.request.body` configuration option is set to `true`; or +2. Those which declare custom native Rust plugins using the `plugins` configuration where those plugins access the request body in the `RouterService` layer. + +Rhai plugins are **not** impacted. See the associated Github Advisory, [GHSA-x6xq-whh3-gg32](https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32), for more information. 
+ +### CVE-2024-43414: Update query planner to resolve uncontrolled recursion + +Update the version of `@apollo/query-planner` used by Router to v2.8.5 which corrects an uncontrolled recursion weakness (classified as [CWE-674](https://cwe.mitre.org/data/definitions/674.html)) during query planning for complex queries on particularly complex graphs. + +This weakness impacts all versions of Router prior to this release. See the associated Github Advisory, [GHSA-fmj9-77q8-g6c4](https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4), for more information. + # [1.52.0] - 2024-07-30 ## 🚀 Features
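Review bot: Deleting `.changesets/fix_bryn_limits.md` drops two operator-facing details that the new CHANGELOG entry does not carry over: the "Fix details"/"User impact" text stating that reading a request body past `limits.http_max_request_bytes` now aborts the request and returns a 413 response to the client (previously the code reading the body had to handle the error itself), and the note that coprocessors, rhai and native plugins get no opportunity to intercept aborted requests and should rely on the router's telemetry to track them. The 413 is a visible behaviour change that monitoring and alerting will key on, so suggest carrying at least `Reading a request body past the configured limit will now abort the request and return a 413 response to the client` into the CVE-2024-43783 entry in CHANGELOG.md. Leaving the `#ISSUE_NUMBER`, `/AUTHOR` and `PULL_NUMBER` placeholders behind with the deleted file is correct, but the `By [@bryncooke] in ...` attribution line is lost too and the CHANGELOG entry has no equivalent.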
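Review bot: The `> [!IMPORTANT]` callout at the top of the new `[1.52.1]` section warns that the hashing algorithm for distributed query plan cache keys changes in this release, yet neither entry beneath it mentions cache keys, so a reader cannot tell which change triggers the regeneration cost. If it is the bump of `@apollo/query-planner` to v2.8.5 in the CVE-2024-43414 entry, say so in that entry (for example `This update changes the hash used for distributed query plan cache keys; see the note at the top of this release`); if it is not, the callout looks copied from another release and should be removed. Minor style point: `Github Advisory` appears in both security entries; the vendor spells its name `GitHub`.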