graphql / graphiql

GraphiQL & the GraphQL LSP Reference Ecosystem for building browser & IDE tools.
MIT License

[graphiql] [security vulnerability] GraphiQL leaking query in the URL #3711

Closed larscyl closed 2 weeks ago

larscyl commented 1 month ago

Is there an existing issue for this?

Current Behavior

When using GraphiQL, the whole query and content updates the URL to reflect the query in the URL query parameter ?query=.


If someone develops or debugs with sensitive data like passwords, keys,... these are then effectively leaked in the:

Expected Behavior

GraphiQL should not reflect the query in the URL, or make it an option disabled by default.

Steps To Reproduce

  1. Open GraphiQL
  2. Write any query
  3. Notice that the URL reflects the query and its contents

Environment

Anything else?

No response

acao commented 2 weeks ago

@larscyl It is disabled by default, only enabled in our demos with example code. Stern warnings are provided. Your implementation appears to have enabled this, so you need to take it up with them!

larscyl commented 2 weeks ago

@acao thanks for your swift response! Can you point out which option this is? I can't seem to locate it in the config API. I'm using graphql-yoga/node, so I'll create a ticket over there thereafter.