From 0686ba0d6ff4b48455505d3389c3b2cf5ba17197 Mon Sep 17 00:00:00 2001
From: Kevin Lowe
Date: Sat, 12 Nov 2022 13:08:13 -0800
Subject: [PATCH] Add ability to configure graphiql version.

Introduces 3 new settings that will be used when rendering the template:
GRAPHIQL_VERSION = Version number string
GRAPHIQL_VERSION_JS_SRI = String value of file hash for js file.
GRAPHIQL_VERSION_CSS_SRI = String value of file hash for css file.
Sets current default value of GraphIQL to 1.4.7
This is the minimum version that addresses and XSS vulnerability.
https://github.com/graphql/graphiql/blob/main/docs/security/2021-introspection-schema-xss.md
---
 graphene_django/settings.py | 8 ++++++++
 graphene_django/views.py | 6 +++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/graphene_django/settings.py b/graphene_django/settings.py
index 9c7dc38..392fccc 100644
--- a/graphene_django/settings.py
+++ b/graphene_django/settings.py
@@ -43,6 +43,14 @@ DEFAULTS = {
 "GRAPHIQL_SHOULD_PERSIST_HEADERS": False,
 "ATOMIC_MUTATIONS": False,
 "TESTING_ENDPOINT": "/graphql",
+ "GRAPHIQL_VERSION": "1.4.7",
+ "GRAPHIQL_VERSION_JS_SRI": (
+ "sha384-sDK9xvE5fVRiyOv5lVbh5UuWUMkwvU3G67VYzLX2G1WMIeQ7fKOLCmeKnzfrukdv"
+ ),
+ "GRAPHIQL_VERSION_CSS_SRI": (
+ "sha384-1YHEU+Xy8hlKYAZ26WTz+JQEPMM6i/Mx5m8umMkSZChlzSYmq7RqyCyRbGqrILVZ"
+ ),
+
 }
 if settings.DEBUG:
diff --git a/graphene_django/views.py b/graphene_django/views.py
index e772d53..5428891 100644
--- a/graphene_django/views.py
+++ b/graphene_django/views.py
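Review bot: The two SRI defaults are the integrity hashes of the 1.4.7 bundles only, yet nothing in the new settings entries ties them to `GRAPHIQL_VERSION`; an operator who overrides the version alone keeps the 1.4.7 hashes and the browser will refuse to load the mismatched assets (a safe failure, but an obscure one to diagnose). Add a comment above the three new entries stating the coupling, e.g. `# The *_SRI values are the subresource-integrity hashes for exactly this GRAPHIQL_VERSION; change all three together.`. The added blank `+` line before the closing `}` is stray whitespace inside the dict literal and should be dropped. The DEFAULTS dict starts before this hunk.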
@@ -66,9 +66,9 @@ class GraphQLView(View):
 react_dom_sri = "sha256-nbMykgB6tsOFJ7OdVmPpdqMFVk4ZsqWocT6issAPUF0="
 # The GraphiQL React app.
- graphiql_version = "1.4.1" # "1.0.3"
- graphiql_sri = "sha256-JUMkXBQWZMfJ7fGEsTXalxVA10lzKOS9loXdLjwZKi4=" # "sha256-VR4buIDY9ZXSyCNFHFNik6uSe0MhigCzgN4u7moCOTk="
- graphiql_css_sri = "sha256-Md3vdR7PDzWyo/aGfsFVF4tvS5/eAUWuIsg9QHUusCY=" # "sha256-LwqxjyZgqXDYbpxQJ5zLQeNcf7WVNSJ+r8yp2rnWE/E="
+ graphiql_version = graphene_settings.GRAPHIQL_VERSION
+ graphiql_sri = graphene_settings.GRAPHIQL_VERSION_JS_SRI
+ graphiql_css_sri = graphene_settings.GRAPHIQL_VERSION_CSS_SRI
 # The websocket transport library for subscriptions.
 subscriptions_transport_ws_version = "0.9.18"
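Review bot: The three new class attributes read `graphene_settings` when the class body executes, i.e. once at import time, so a change to the Django settings made after `views.py` is imported (for example via `override_settings` in a test, assuming `graphene_settings` reloads on `setting_changed` as similar settings objects do) would not reach this view; if per-request resolution is intended, read these inside the method that renders the GraphiQL template instead. Failing that, a one-line comment should make the snapshot explicit, e.g. `# Resolved once at import time; set these in Django settings before this module is imported.`. Because the SRI hashes are now operator-supplied, a wrong or empty value breaks loading of the GraphiQL assets rather than silently weakening anything, which is worth stating in the settings documentation. The GraphQLView class starts before and continues past this hunk.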