Merged
19 commits
bde9e2b
Fix bug in property initialization in `deepMerge()`
sachindshinde Mar 6, 2026
e6445a5
Cleanup previously added prototype manipulation tests, and align them…
sachindshinde Mar 9, 2026
40cc999
Move property initialization logic into its own utility function.
sachindshinde Mar 9, 2026
36324ca
Add tests for prototype manipulation for Operation.collectDefaultedVa…
sachindshinde Mar 5, 2026
2226f9c
Fix bug in Operation.collectDefaultedVariableValues() where it would …
sachindshinde Mar 5, 2026
b609076
Fix bug in computeResponse() where it would not use a null-prototype …
sachindshinde Mar 6, 2026
5e8f4bd
Add test for prototype manipulation for computeResponse().
sachindshinde Mar 9, 2026
f8f2c74
Fix bug in computeResponse() where it would read non-own properties.
sachindshinde Mar 9, 2026
1de3dee
Although not strictly necessary, defensively use getOwn() in executeI…
sachindshinde Mar 9, 2026
d644565
Add test for prototype manipulation when reading provided variables i…
sachindshinde Mar 9, 2026
fb69297
Fix bug in executeFetch() where it would read non-own properties from…
sachindshinde Mar 9, 2026
17712d5
Add test for prototype manipulation when reading variables in evaluat…
sachindshinde Mar 9, 2026
496499e
Fix bug in evaluateCondition() where it would read non-own properties…
sachindshinde Mar 9, 2026
8dab1da
Fix bugs in data-rewrite logic called by executeFetch().
sachindshinde Mar 9, 2026
0117b08
Fix bug in generateHydratedPaths() where it would read non-own proper…
sachindshinde Mar 9, 2026
84700f7
Fix bug in executeSelectionSet() where it would read non-own properti…
sachindshinde Mar 9, 2026
bc10360
Fix bug in flattenResultsAtPath() where it would read non-own propert…
sachindshinde Mar 9, 2026
f313ad5
Add changeset
duckki Mar 12, 2026
5f9a9b3
Temporarily add GHSA IDs to cspell, we'll fix it later
sachindshinde Mar 13, 2026
9 changes: 9 additions & 0 deletions .changeset/cute-planets-move.md
@@ -0,0 +1,9 @@
---
"@apollo/query-planner": patch
"@apollo/federation-internals": patch
"@apollo/gateway": patch
---

Fixed several code paths that access response objects to prevent JavaScript prototype pollution and unintended access to the prototype chain.

See the associated GitHub Advisories [GHSA-pfjj-6f4p-rvmh](https://github.com/apollographql/federation/security/advisories/GHSA-pfjj-6f4p-rvmh) for more information.
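Review bot: "See the associated GitHub Advisories" is plural but links a single advisory, GHSA-pfjj-6f4p-rvmh, so it reads as if a second link was dropped; either make it singular or link every advisory this fix covers. It would also help operators deciding whether their gateway is affected to name the code paths this changeset hardens instead of "several code paths"; the commit list already names them (deepMerge(), Operation.collectDefaultedVariableValues(), computeResponse(), executeFetch(), evaluateCondition(), generateHydratedPaths(), executeSelectionSet() and flattenResultsAtPath()), so listing them here costs nothing.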
2 changes: 2 additions & 0 deletions .cspell/cspell-dict.txt
Expand Up @@ -291,3 +291,5 @@ webp
whith
wizz
woudl
pfjj
rvmh
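Review bot: `pfjj` and `rvmh` are fragments of an advisory identifier rather than words, and appending them after `woudl` breaks the alphabetical order the dictionary keeps (`webp`, `whith`, `wizz`, `woudl`); the commit message itself flags this as temporary. A regular-expression ignore pattern for GHSA identifiers in the cspell configuration (cspell's `ignoreRegExpList` does this) would cover this advisory and any future one without the dictionary growing a four-letter token per advisory. If the dictionary entries are kept, please place them in sorted position so later additions don't all conflict at the end of the file.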