+ "details": "# Summary\nA vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through `@requires` and/or `@fromContext` directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields indirectly through their dependencies, bypassing access control checks. A fix to composition logic in Federation now enforces that dependent fields match the access control requirements from of the fields they reference.\n\n## Details\nApollo Federation allows users to specify [`@authenticated`, `@requiresScopes`, and `@policy` directives](https://www.apollographql.com/docs/graphos/routing/security/authorization#authorization-directives) to protect fields at the field level. The `@requires` directive allows a field to depend on data from other fields in the schema, and `@fromContext` allows a field to use values from the execution context. However, Apollo Router does not enforce access control requirements on these transitively-accessed fields, and Apollo Federation did not require that fields using `@requires` or `@fromContext` have the same access control as the fields they depend on. \n\nAt execution time, when a field decorated with `@requires` or `@fromContext` was resolved, the Router would fetch the required dependency fields from subgraphs without checking whether those fields had their own access control requirements. Access control directives applied to these dependency fields were only enforced when those fields appeared explicitly in the query. If the protected fields were accessed solely as transitive dependencies (in other words, fetched to satisfy `@requires` or `@fromContext` but not directly requested) their access control requirements were silently ignored.\n\nThis discrepancy between where access controls could be defined (on any field) and where it was enforced (only on explicitly queried fields) leads to unexpected runtime security gaps.\n\n## Who is impacted\nThis vulnerability impacts Apollo Federation customers with supergraphs defining `@authenticated`, `@requiresScopes`, or `@policy` directives on fields that are also specified as dependencies in `@requires` or `@fromContext` directives.\n\n### Scope of Impact\nThe vulnerability could allow a malicious actor to craft a query that indirectly accesses protected fields, allowing them to bypass field-level access control. By querying only fields that depend on protected data (via `@requires` or `@fromContext`) without explicitly requesting the protected fields themselves, an attacker could retrieve sensitive information without meeting the access control requirements. \n\n## Patches\nThis vulnerability has been fixed in Apollo Federation by updating composition logic to validate that access control requirements on `@requires` and `@fromContext` dependency fields match the resolving field's requirements.\n\n_Note that this is a breaking change to Apollo Federation, as it no longer allows fields using `@requires` or `@fromContext` to have different access control directives from the fields they depend on. You will need to update your subgraphs to ensure that the access control requirements on fields using `@requires` or `@fromContext` match the access control directives on the referenced fields._\n\nIf you are using the Apollo Studio build pipeline with Federation version 2.9 or above, then this patch version update is automatic and you only need to adjust the access control requirements in your subgraph schemas as mentioned above.\n\nIf you are using Apollo Rover for local composition, you will need to update its composition version (after updating Apollo Router, [if necessary](https://www.apollographql.com/docs/graphos/platform/graph-management/updates#recommended-update-order)) to one of the following versions:\n\n- 2.9.5+\n- 2.10.4+\n- 2.11.5+\n- 2.12.1+\n\nYou will then need to adjust the access control requirements in your subgraph schemas as mentioned above.\n\n## Workarounds\n- If you are using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, you should review your schema for any sensitive fields that are accessed via `@requires` or `@fromContext` and explicitly apply matching access control directives on those transitive fields. Alternatively, consider restructuring your schema so that protected fields are queried directly.\n* Customers not using Apollo Router access control features (`@authenticated`, `@requiresScopes`, or `@policy` directives) or not using `@requires` or `@fromContext` directives in combination with field-level access control are not affected and do not need to take action.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments