Add integrity checks for GraphiQL CDN resources

Also fixes an erroneous assignment preventing a setting from getting to the UI.
2025-07-12 09:12:18 +03:00 · 2020-07-12 14:59:51 -04:00 · 2020-07-12 14:59:51 -04:00 · 38750c91a3
commit 38750c91a3
parent 6aa6aaaa8c
2 changed files with 31 additions and 7 deletions
--- a/graphene_django/templates/graphene/graphiql.html
+++ b/graphene_django/templates/graphene/graphiql.html
@ -17,19 +17,24 @@ add "&raw" to the end of the URL within a browser.
      width: 100%;
    }
  </style>
-  <link href="https://cdn.jsdelivr.net/npm/graphiql@{{graphiql_version}}/graphiql.css"
+  <link href="https://cdn.jsdelivr.net/npm/graphiql@{{graphiql_version}}/graphiql.min.css"
+        integrity="{{graphiql_css_sri}}"
        rel="stylesheet"
        crossorigin="anonymous" />
-  <script src="https://cdn.jsdelivr.net/npm/whatwg-fetch@2.0.3/fetch.min.js"
-          integrity="sha384-dcF7KoWRaRpjcNbVPUFgatYgAijf8DqW6NWuqLdfB5Sb4Cdbb8iHX7bHsl9YhpKa"
+  <script src="https://cdn.jsdelivr.net/npm/whatwg-fetch@{{whatwg_fetch_version}}/fetch.min.js"
+          integrity="{{whatwg_fetch_sri}}"
          crossorigin="anonymous"></script>
  <script src="https://cdn.jsdelivr.net/npm/react@{{react_version}}/umd/react.production.min.js"
+          integrity="{{react_sri}}"
          crossorigin="anonymous"></script>
  <script src="https://cdn.jsdelivr.net/npm/react-dom@{{react_version}}/umd/react-dom.production.min.js"
+          integrity="{{react_dom_sri}}"
          crossorigin="anonymous"></script>
  <script src="https://cdn.jsdelivr.net/npm/graphiql@{{graphiql_version}}/graphiql.min.js"
+          integrity="{{graphiql_sri}}"
          crossorigin="anonymous"></script>
-  <script src="https://cdn.jsdelivr.net/npm/subscriptions-transport-ws@{{subscriptions_transport_ws_version}}/browser/client.js"
+  <script src="https://cdn.jsdelivr.net/npm/subscriptions-transport-ws@{{subscriptions_transport_ws_version}}/browser/client.min.js"
+          integrity="{{subscriptions_transport_ws_sri}}"
          crossorigin="anonymous"></script>
 </head>
 <body>
--- a/graphene_django/views.py
+++ b/graphene_django/views.py
@ -52,10 +52,29 @@ def instantiate_middleware(middlewares):


 class GraphQLView(View):
-    graphiql_version = "1.0.3"
    graphiql_template = "graphene/graphiql.html"
+
+    # Polyfill for window.fetch.
+    whatwg_fetch_version = "3.2.0"
+    whatwg_fetch_sri = (
+        "sha384-tqVCX1cJQbZp7b0Kz6FIIK6WN71gjVLpkiJ/Ewi7OhBX6hUGuNq9Mj/TRqh47Tvk"
+    )
+
+    # React and ReactDOM.
    react_version = "16.13.1"
-    subscriptions_transport_ws_version = "0.9.16"
+    react_sri = "sha256-yUhvEmYVhZ/GGshIQKArLvySDSh6cdmdcIx0spR3UP4="
+    react_dom_sri = "sha256-vFt3l+illeNlwThbDUdoPTqF81M8WNSZZZt3HEjsbSU="
+
+    # The GraphiQL React app.
+    graphiql_version = "1.0.3"
+    graphiql_sri = "sha256-VR4buIDY9ZXSyCNFHFNik6uSe0MhigCzgN4u7moCOTk="
+    graphiql_css_sri = "sha256-LwqxjyZgqXDYbpxQJ5zLQeNcf7WVNSJ+r8yp2rnWE/E="
+
+    # The websocket transport library for subscriptions.
+    subscriptions_transport_ws_version = "0.9.17"
+    subscriptions_transport_ws_sri = (
+        "sha384-6gjV060PDpdaEOOO4n8iX7JHLAPFoHqrOizK4QbVtzVKxKcUGVbJ1wF9ujJmmQ7C"
+    )

    schema = None
    graphiql = False
@ -101,7 +120,7 @@ class GraphQLView(View):
        self.batch = self.batch or batch
        self.backend = backend
        if subscription_path is None:
-            subscription_path = graphene_settings.SUBSCRIPTION_PATH
+            self.subscription_path = graphene_settings.SUBSCRIPTION_PATH

        assert isinstance(
            self.schema, GraphQLSchema