From 38750c91a3b30c147241cb30a293cffec27c2892 Mon Sep 17 00:00:00 2001
From: Eric Abruzzese
Date: Sun, 12 Jul 2020 14:59:51 -0400
Subject: [PATCH] Add integrity checks for GraphiQL CDN resources

Also fixes an erroneous assignment preventing a setting from getting to the UI.
---
 .../templates/graphene/graphiql.html | 13 +++++++---
 graphene_django/views.py | 25 ++++++++++++++++---
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/graphene_django/templates/graphene/graphiql.html b/graphene_django/templates/graphene/graphiql.html
index 20ac1d0..2d10c52 100644
--- a/graphene_django/templates/graphene/graphiql.html
+++ b/graphene_django/templates/graphene/graphiql.html
@@ -17,19 +17,24 @@ add "&raw" to the end of the URL within a browser.
 width: 100%; } - - -
diff --git a/graphene_django/views.py b/graphene_django/views.py
index 22b4864..488e0dc 100644
--- a/graphene_django/views.py
+++ b/graphene_django/views.py
@@ -52,10 +52,29 @@ def instantiate_middleware(middlewares):
 class GraphQLView(View):
- graphiql_version = "1.0.3"
 graphiql_template = "graphene/graphiql.html"
+
+ # Polyfill for window.fetch.
+ whatwg_fetch_version = "3.2.0"
+ whatwg_fetch_sri = (
+ "sha384-tqVCX1cJQbZp7b0Kz6FIIK6WN71gjVLpkiJ/Ewi7OhBX6hUGuNq9Mj/TRqh47Tvk"
+ )
+
+ # React and ReactDOM.
 react_version = "16.13.1"
- subscriptions_transport_ws_version = "0.9.16"
+ react_sri = "sha256-yUhvEmYVhZ/GGshIQKArLvySDSh6cdmdcIx0spR3UP4="
+ react_dom_sri = "sha256-vFt3l+illeNlwThbDUdoPTqF81M8WNSZZZt3HEjsbSU="
+
+ # The GraphiQL React app.
+ graphiql_version = "1.0.3"
+ graphiql_sri = "sha256-VR4buIDY9ZXSyCNFHFNik6uSe0MhigCzgN4u7moCOTk="
+ graphiql_css_sri = "sha256-LwqxjyZgqXDYbpxQJ5zLQeNcf7WVNSJ+r8yp2rnWE/E="
+
+ # The websocket transport library for subscriptions.
+ subscriptions_transport_ws_version = "0.9.17"
+ subscriptions_transport_ws_sri = (
+ "sha384-6gjV060PDpdaEOOO4n8iX7JHLAPFoHqrOizK4QbVtzVKxKcUGVbJ1wF9ujJmmQ7C"
+ )
 schema = None
 graphiql = False
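Review bot: Each `*_sri` value in the `GraphQLView` attribute block is only valid for the exact `*_version` next to it, but nothing in the class says so. A subclass that overrides just `graphiql_version` or `react_version` keeps the stale hash, so the browser will refuse the resource and GraphiQL fails with only a console error. I would add a comment above the block such as `# Each *_sri is the hash of the file at the matching *_version; override both together or the browser will block the resource.` The hashes also mix `sha256-` and `sha384-`, and using one algorithm throughout would make them easier to audit and regenerate. The template hunk's tag contents are not visible on this page, so please confirm that every tag carrying `integrity` also sets `crossorigin="anonymous"`, which cross-origin SRI checks need. The class body continues outside the hunk.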
@@ -101,7 +120,7 @@ class GraphQLView(View):
 self.batch = self.batch or batch
 self.backend = backend
 if subscription_path is None:
- subscription_path = graphene_settings.SUBSCRIPTION_PATH
+ self.subscription_path = graphene_settings.SUBSCRIPTION_PATH
 assert isinstance(
 self.schema, GraphQLSchema
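Review bot: A non-None `subscription_path` argument still appears to be dropped, because the corrected line sets `self.subscription_path` only inside the `if subscription_path is None:` branch. Unless the argument is stored somewhere outside this hunk, a caller passing `subscription_path=...` to the view never sees it reach the UI, which is the same symptom the commit message describes fixing. Replacing the branch with `self.subscription_path = subscription_path if subscription_path is not None else graphene_settings.SUBSCRIPTION_PATH` would cover both cases. If a class-level `subscription_path` is meant to take precedence, that should be checked first, in the way the `self.batch = self.batch or batch` line above does. The enclosing `__init__` starts and ends outside the hunk.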