Headline
CVE-2021-43801: Fix regression in handling badly formed JSON by mcollina · Pull Request #678 · mercurius-js/mercurius
Mercurius is a GraphQL adapter for Fastify. Any users from [email protected] to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to /graphql unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler.
@@ -135,14 +135,27 @@ module.exports = async function (app, opts) {
const errorFormatter = typeof opts.errorFormatter === ‘function’ ? opts.errorFormatter : defaultErrorFormatter
if (typeof opts.errorHandler === ‘function’) {
app.setErrorHandler(opts.errorHandler)
app.setErrorHandler((error, request, reply) => {
const errorHandler = opts.errorHandler
if (!request[kRequestContext]) {
// Generate the context for this request
request[kRequestContext] = { reply, app }
**
This comment has been minimized.
**
Sign in to view
Loading
****wiktor-obrebski** Dec 2, 2021
Contributor
**
sorry for missing this.
@mcollina
should not we try to generate full context, like in other places?
if (contextFn) {
request\[kRequestContext\] \= await contextFn(request, reply)
Object.assign(request\[kRequestContext\], { reply, app })
} else {
request\[kRequestContext\] \= { reply, app }
}
**
This comment has been minimized.
**
Sign in to view
Loading
****mcollina** Dec 2, 2021
Author Collaborator
**
I just focused on fixing it asap. Open a fresh PR in case.
}
return errorHandler(error, request, reply)
})
} else if (opts.errorHandler === true || opts.errorHandler === undefined) {
app.setErrorHandler((error, request, reply) => {
if (!request[kRequestContext]) {
// Generate the context for this request
request[kRequestContext] = { reply, app }
}
const { statusCode, response } = errorFormatter(
error,
request[kRequestContext]
)
reply.code(statusCode).send(response)
return reply.code(statusCode).send(response)
})
}
const contextFn = opts.context