Merge pull request #942 from graphql-java-kickstart/941-support-check-origin-for-websocket-to-secure-against-cross-site-attacks

fix: check allowed origins for websocket subscription

Author: oliemansm

build.gradle

@@ -49,7 +49,7 @@ subprojects {
     apply plugin: 'maven-publish'
     apply plugin: 'signing'
 
-    ext['graphql-java.version'] = '19.1'
+    ext['graphql-java.version'] = "$LIB_GRAPHQL_JAVA_VER"
 
     repositories {
         mavenLocal()

gradle.properties

@@ -16,7 +16,7 @@
 # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 # FROM, OUT OF OR IN CONNECTION WITH THE  SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-version=15.0.1-SNAPSHOT
+version=15.1.0-SNAPSHOT
 ### Project Metadata
 group=com.graphql-java-kickstart
 PROJECT_NAME=graphql-spring-boot
@@ -32,7 +32,7 @@ TARGET_COMPATIBILITY=17
 LIB_GRAPHQL_JAVA_VER=20.2
 LIB_EXTENDED_SCALARS_VER=19.1
 LIB_SPRING_BOOT_VER=3.0.6
-LIB_GRAPHQL_SERVLET_VER=15.0.0
+LIB_GRAPHQL_SERVLET_VER=15.1.0-SNAPSHOT
 LIB_GRAPHQL_JAVA_TOOLS_VER=13.0.3
 LIB_GRAPHQL_ANNOTATIONS_VER=9.1
 LIB_REFLECTIONS_VER=0.10.2

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLSubscriptionWebsocketProperties.java

@@ -1,5 +1,8 @@
 package graphql.kickstart.autoconfigure.web.servlet;
 
+import static java.util.Collections.emptyList;
+
+import java.util.List;
 import lombok.Data;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 
@@ -8,4 +11,5 @@
 class GraphQLSubscriptionWebsocketProperties {
 
   private String path = "/subscriptions";
+  private List<String> allowedOrigins = emptyList();
 }

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLWebsocketAutoConfiguration.java

@@ -35,7 +35,6 @@
 @ConditionalOnWebApplication(type = Type.SERVLET)
 @ConditionalOnClass({DispatcherServlet.class, ServerEndpointRegistration.class})
 @Conditional(OnSchemaOrSchemaProviderBean.class)
-@SuppressWarnings("SpringJavaInjectionPointsAutowiringInspection")
 @ConditionalOnProperty(
     value = "graphql.servlet.websocket.enabled",
     havingValue = "true",
@@ -63,7 +62,11 @@ public GraphQLWebsocketServlet graphQLWebsocketServlet(
     }
     keepAliveListener().ifPresent(listeners::add);
     return new GraphQLWebsocketServlet(
-        graphQLInvoker, invocationInputFactory, graphQLObjectMapper, listeners);
+        graphQLInvoker,
+        invocationInputFactory,
+        graphQLObjectMapper,
+        listeners,
+        websocketProperties.getAllowedOrigins());
   }
 
   private Optional<SubscriptionConnectionListener> keepAliveListener() {

graphql-spring-boot-autoconfigure/src/main/java/graphql/kickstart/autoconfigure/web/servlet/GraphQLWsServerEndpointRegistration.java

@@ -18,6 +18,11 @@ public GraphQLWsServerEndpointRegistration(String path, GraphQLWebsocketServlet
     this.servlet = servlet;
   }
 
+  @Override
+  public boolean checkOrigin(String originHeaderValue) {
+    return servlet.checkOrigin(originHeaderValue);
+  }
+
   @Override
   public void modifyHandshake(
       ServerEndpointConfig sec, HandshakeRequest request, HandshakeResponse response) {

graphql-spring-boot-test/build.gradle

@@ -22,7 +22,6 @@ dependencies {
     implementation("com.fasterxml.jackson.core:jackson-databind")
     implementation("com.jayway.jsonpath:json-path")
     implementation "org.awaitility:awaitility:$LIB_AWAITILITY_VER"
-    compileOnly("com.graphql-java:graphql-java:$LIB_GRAPHQL_JAVA_VER")
     compileOnly("com.graphql-java-kickstart:graphql-java-servlet:$LIB_GRAPHQL_SERVLET_VER")
     testImplementation("org.springframework.boot:spring-boot-starter-web")
     testImplementation "org.springframework.boot:spring-boot-starter-websocket"