Bump graphql-dgs-platform-dependencies from latest.release to 5.0.3

[dependabot]

Bumps graphql-dgs-platform-dependencies from latest.release to 5.0.3.

Release notes

Sourced from graphql-dgs-platform-dependencies's releases.

v5.0.3

What’s Changed

Fixes

• Input argument without @​InputArgument("input") stopped working (#1102) @​berngp
• Pass MultipartFile class to StdSerializer base class in MultipartFileSerializer (#1095) @​kilink

v5.0.2

What’s Changed

Fixes

• Addressing DgsGraphQLMetricsInstrumentation Latency increase (#1092) @​berngp
• DgsSchemaProvider API to expose resolved Datafetchers & field instrumentation (#1090) @​berngp

Chores

• Removed unsued LogEvent class (#1086) @​berngp
• Adopt Gradle JVM Toolchain (#1085) @​berngp
• Refactor InputArgumentTest (#1084) @​berngp
• chore(deps): Bump graphql-java-extended-validation to 18.1-hibernate-validator-6.2.0.Final (#1080) @​setchy

v5.0.1

What’s Changed

• Fix how the GraphQLCSRFRequestHeaderValidationRule compares the content-type (#1079) @​berngp

v5.0.0

We are releasing a major version for DGS to address a CSRF vulnerability. This version adds a breaking change for callers that target the GraphQL Endpoint, /graphql by default, and don't explicit set the content-type to be one of either application/json, application/graphql, or multipart/form-data, the latter use for file upload. If a client is using multipart/form-data they will now need to include a preflight header that matches any of "x-apollo-operation-name", "apollo-require-preflight", or "graphql-require-preflight".

TL;DR

• DGS will only accept requests with content-type of application/json, application/graphql, and multipart/form-data.
• DGS will enforce a preflight header if the content-type is multipart/form-data. Acceptable preflight headers are "x-apollo-operation-name", "apollo-require-preflight", or "graphql-require-preflight"

Application developers should provide a sensible CORS policy, doing so is out of scope of the DGS framework but available via Spring Boot and Spring Security.

Although not recommended you can disable the preflight check by setting dgs.graphql.header.validation.enabled to false.

Context

There could be a potential CSRF attacks that can leverage the execution of JS code attached to a content-type: multipart/form-data, or other content-types which will not force the browsers to do a preflight check and enforce the CORS policy. Application developers should provide a sensible CORS policy as well as, if they use cookies, a sensible cookie SameSite policy.

DGS MVC supports the execution of GraphQL operations via HTTP POST requests with content-type: multipart/form-data. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests" which are not preflighted by browsers.

Spring Boot applications using DGS that set SameSite=None cookies for authentication are then open to JS code from any origin can that can cause browsers to send cookie-authenticated Mutations to the GraphQL endpoint, this will then be executed without checking your CORS policy first. Although the attack won't be able to see the response to the mutation if your CORS policy is set up properly, the side effects of the mutation will still occur.

In addition, if the Spring Boot application using DGS relies on network properties for security (whether by explicitly looking at the client's IP address or by only being available on a private network), then JS on any origin can cause browsers (which may be on a private network or have an allowed IP address) to send mutations to your GraphQL server, which will be executed without checking your CORS policy first. (This attack does not require your server to use cookies. It is in some cases prevented by some browsers such as Chrome.)

For additional context visit [Apollo Server 2 graphql-upload CSRF Page].

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #86.