release: v1.52.1 (#5892)

apollographql · Aug 27, 2024 · e730d6a · e730d6a
2 parents 837c0ce + f79cb43
commit e730d6a
Show file tree

Hide file tree

Showing 44 changed files with 1,702 additions and 585 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -87,6 +87,10 @@ parameters:
   nightly:
     type: boolean
     default: false
+  # quick_nightly will skip testing and only build the release artifacts.
+  quick_nightly:
+    type: boolean
+    default: false
 
 # These are common environment variables that we want to set on on all jobs.
 # While these could conceivably be set on the CircleCI project settings'
@@ -626,6 +630,7 @@ jobs:
       RELEASE_BIN: router
       APPLE_TEAM_ID: "YQK948L752"
       APPLE_USERNAME: "opensource@apollographql.com"
+      REPO_URL: << pipeline.project.git_url >>
     steps:
       - checkout
       - setup_environment:
@@ -724,18 +729,32 @@ jobs:
             and:
               - equal: [ *amd_linux_build_executor, << parameters.platform >> ]
               - equal: [ true, << parameters.nightly >> ]
-              - equal: [ "https://github.com/apollographql/router", << pipeline.project.git_url >> ]
+              - matches:
+                  pattern: "^https:\\/\\/github\\.com\\/apollographql\\/router.*$"
+                  value: << pipeline.project.git_url >>
           steps:
             - setup_remote_docker:
                 version: 20.10.11
                 docker_layer_caching: true
             - run:
                 name: Docker build
                 command: |
+                  # Source of the new image will be ser to the repo URL.
+                  # This will have the effect of setting org.opencontainers.image.source and org.opencontainers.image.author to the originating pipeline
+                  # Therefore the docker image will have the same permissions as the originating project. 
+                  # See: https://docs.github.com/en/packages/learn-github-packages/connecting-a-repository-to-a-package#connecting-a-repository-to-a-container-image-using-the-command-line
+                  
                   BASE_VERSION=$(cargo metadata --format-version=1 --no-deps | jq --raw-output '.packages[0].version')
                   ARTIFACT_URL="https://output.circle-artifacts.com/output/job/${CIRCLE_WORKFLOW_JOB_ID}/artifacts/0/artifacts/router-v${BASE_VERSION}-x86_64-unknown-linux-gnu.tar.gz"
                   VERSION="v$(echo "${BASE_VERSION}" | tr "+" "-")"
                   ROUTER_TAG=ghcr.io/apollographql/nightly/router
+                  
+                  echo "REPO_URL: ${REPO_URL}"
+                  echo "BASE_VERSION: ${BASE_VERSION}"
+                  echo "ARTIFACT_URL: ${ARTIFACT_URL}"
+                  echo "VERSION: ${VERSION}"
+                  echo "ROUTER_TAG: ${ROUTER_TAG}"
+                  
                   # Create a multi-arch builder which works properly under qemu
                   docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
                   docker context create buildx-build
@@ -745,10 +764,10 @@ jobs:
                   echo ${GITHUB_OCI_TOKEN} | docker login ghcr.io -u apollo-bot2 --password-stdin
                   # TODO: Can't figure out how to build multi-arch image from ARTIFACT_URL right now. Figure out later...
                   # Build and push debug image
-                  docker buildx build --load --platform linux/amd64 --build-arg ARTIFACT_URL="${ARTIFACT_URL}" --build-arg DEBUG_IMAGE="true" --build-arg ROUTER_RELEASE=${VERSION} -f dockerfiles/Dockerfile.router -t ${ROUTER_TAG}:${VERSION}-debug .
+                  docker buildx build --load --platform linux/amd64 --build-arg CIRCLE_TOKEN="${CIRCLE_TOKEN}" --build-arg REPO_URL="${REPO_URL}" --build-arg ARTIFACT_URL="${ARTIFACT_URL}" --build-arg DEBUG_IMAGE="true" --build-arg ROUTER_RELEASE=${VERSION} -f dockerfiles/Dockerfile.router -t ${ROUTER_TAG}:${VERSION}-debug .
                   docker push ${ROUTER_TAG}:${VERSION}-debug
                   # Build and push release image
-                  docker buildx build --load --platform linux/amd64 --build-arg ARTIFACT_URL="${ARTIFACT_URL}" --build-arg ROUTER_RELEASE=${VERSION} -f dockerfiles/Dockerfile.router -t ${ROUTER_TAG}:${VERSION} .
+                  docker buildx build --load --platform linux/amd64 --build-arg CIRCLE_TOKEN="${CIRCLE_TOKEN}" --build-arg REPO_URL="${REPO_URL}" --build-arg ARTIFACT_URL="${ARTIFACT_URL}" --build-arg ROUTER_RELEASE=${VERSION} -f dockerfiles/Dockerfile.router -t ${ROUTER_TAG}:${VERSION} .
                   docker push ${ROUTER_TAG}:${VERSION}
                   # save containers for analysis
                   mkdir built-containers
@@ -920,7 +939,10 @@ jobs:
 workflows:
   ci_checks:
     when:
-      not: << pipeline.parameters.nightly >>
+      not:
+        or:
+          - << pipeline.parameters.nightly >>
+          - << pipeline.parameters.quick_nightly >>
     jobs:
       - lint:
           matrix:
@@ -954,6 +976,18 @@ workflows:
               platform:
                 [ macos_test, windows_test, amd_linux_test, arm_linux_test ]
 
+  quick-nightly:
+    when: << pipeline.parameters.quick_nightly >>
+    jobs:
+      - build_release:
+          nightly: true
+          context:
+            - router
+            - orb-publishing
+          matrix:
+            parameters:
+              platform:
+                [ macos_build, windows_build, amd_linux_build, arm_linux_build ]
   nightly:
     when: << pipeline.parameters.nightly >>
     jobs:
@@ -993,7 +1027,9 @@ workflows:
             - test
             - test_updated
           nightly: true
-          context: router
+          context:
+            - router
+            - orb-publishing
           matrix:
             parameters:
               platform:
@@ -1020,7 +1056,10 @@ workflows:
 
   release:
     when:
-      not: << pipeline.parameters.nightly >>
+      not:
+        or:
+          - << pipeline.parameters.nightly >>
+          - << pipeline.parameters.quick_nightly >>
     jobs:
       - pre_verify_release:
           matrix:
@@ -1110,7 +1149,10 @@ workflows:
 
   security-scans:
     when:
-      not: << pipeline.parameters.nightly >>
+      not:
+        or:
+          - << pipeline.parameters.nightly >>
+          - << pipeline.parameters.quick_nightly >>
     jobs:
       - secops/gitleaks:
           context:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,30 @@ All notable changes to Router will be documented in this file.
 
 This project adheres to [Semantic Versioning v2.0.0](https://semver.org/spec/v2.0.0.html).
 
+# [1.52.1] - 2024-08-27
+
+> [!IMPORTANT]
+> If you have enabled [Distributed query plan caching](https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching), this release changes the hashing algorithm used for the cache keys.  On account of this, you should anticipate additional cache regeneration cost when updating between these versions while the new hashing algorithm comes into service.
+
+## 🔒 Security
+
+### CVE-2024-43783: Payload limits may exceed configured maximum
+
+Correct a denial-of-service vulnerability which, under certain non-default configurations below, made it possible to exceed the configured request payload maximums set with the [`limits.http_max_request_bytes`](https://www.apollographql.com/docs/router/configuration/overview/#http_max_request_bytes) option.
+
+This affects the following non-default Router configurations:
+
+1. Those configured to send request bodies to [External Coprocessors](https://www.apollographql.com/docs/router/customizations/coprocessor) where the `coprocessor.router.request.body` configuration option is set to `true`; or
+2. Those which declare custom native Rust plugins using the `plugins` configuration where those plugins access the request body in the `RouterService` layer.
+
+Rhai plugins are **not** impacted.  See the associated Github Advisory, [GHSA-x6xq-whh3-gg32](https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32), for more information.
+
+### CVE-2024-43414: Update query planner to resolve uncontrolled recursion
+
+Update the version of `@apollo/query-planner` used by Router to v2.8.5 which corrects an uncontrolled recursion weakness (classified as [CWE-674](https://cwe.mitre.org/data/definitions/674.html)) during query planning for complex queries on particularly complex graphs.
+
+This weakness impacts all versions of Router prior to this release.  See the associated Github Advisory, [GHSA-fmj9-77q8-g6c4](https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4), for more information.
+
 # [1.52.0] - 2024-07-30
 
 ## 🚀 Features

diff --git a/Cargo.lock b/Cargo.lock
@@ -424,7 +424,7 @@ dependencies = [
 
 [[package]]
 name = "apollo-federation"
-version = "1.52.0"
+version = "1.52.1"
 dependencies = [
  "apollo-compiler",
  "derive_more",
@@ -471,7 +471,7 @@ dependencies = [
 
 [[package]]
 name = "apollo-router"
-version = "1.52.0"
+version = "1.52.1"
 dependencies = [
  "access-json",
  "ahash",
@@ -578,6 +578,7 @@ dependencies = [
  "rhai",
  "rmp",
  "router-bridge",
+ "rowan",
  "rstack",
  "rust-embed",
  "rustls",
@@ -639,7 +640,7 @@ dependencies = [
 
 [[package]]
 name = "apollo-router-benchmarks"
-version = "1.52.0"
+version = "1.52.1"
 dependencies = [
  "apollo-parser",
  "apollo-router",
@@ -655,7 +656,7 @@ dependencies = [
 
 [[package]]
 name = "apollo-router-scaffold"
-version = "1.52.0"
+version = "1.52.1"
 dependencies = [
  "anyhow",
  "cargo-scaffold",
@@ -6095,9 +6096,9 @@ dependencies = [
 
 [[package]]
 name = "router-bridge"
-version = "0.5.27+v2.8.1"
+version = "0.5.31+v2.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "288fa40fc4e0a76fb911410e05d4525e8bf7558622bd02403f89f871c4d0785b"
+checksum = "672901b1ec6fd110ac41d61ca5e1754319d0edf39546a089a114ab865d42ae97"
 dependencies = [
  "anyhow",
  "async-channel 1.9.0",

diff --git a/apollo-federation/Cargo.toml b/apollo-federation/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "apollo-federation"
-version = "1.52.0"
+version = "1.52.1"
 authors = ["The Apollo GraphQL Contributors"]
 edition = "2021"
 description = "Apollo Federation"

diff --git a/apollo-router-benchmarks/Cargo.toml b/apollo-router-benchmarks/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "apollo-router-benchmarks"
-version = "1.52.0"
+version = "1.52.1"
 authors = ["Apollo Graph, Inc. <packages@apollographql.com>"]
 edition = "2021"
 license = "Elastic-2.0"

diff --git a/apollo-router-scaffold/Cargo.toml b/apollo-router-scaffold/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "apollo-router-scaffold"
-version = "1.52.0"
+version = "1.52.1"
 authors = ["Apollo Graph, Inc. <packages@apollographql.com>"]
 edition = "2021"
 license = "Elastic-2.0"

diff --git a/apollo-router-scaffold/templates/base/Cargo.template.toml b/apollo-router-scaffold/templates/base/Cargo.template.toml
@@ -22,7 +22,7 @@ apollo-router = { path ="{{integration_test}}apollo-router" }
 apollo-router = { git="https://github.com/apollographql/router.git", branch="{{branch}}" }
 {{else}}
 # Note if you update these dependencies then also update xtask/Cargo.toml
-apollo-router = "1.52.0"
+apollo-router = "1.52.1"
 {{/if}}
 {{/if}}
 async-trait = "0.1.52"

diff --git a/apollo-router-scaffold/templates/base/xtask/Cargo.template.toml b/apollo-router-scaffold/templates/base/xtask/Cargo.template.toml
@@ -13,7 +13,7 @@ apollo-router-scaffold = { path ="{{integration_test}}apollo-router-scaffold" }
 {{#if branch}}
 apollo-router-scaffold = { git="https://github.com/apollographql/router.git", branch="{{branch}}" }
 {{else}}
-apollo-router-scaffold = { git = "https://github.com/apollographql/router.git", tag = "v1.52.0" }
+apollo-router-scaffold = { git = "https://github.com/apollographql/router.git", tag = "v1.52.1" }
 {{/if}}
 {{/if}}
 anyhow = "1.0.58"

diff --git a/apollo-router/Cargo.toml b/apollo-router/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "apollo-router"
-version = "1.52.0"
+version = "1.52.1"
 authors = ["Apollo Graph, Inc. <packages@apollographql.com>"]
 repository = "https://github.com/apollographql/router/"
 documentation = "https://docs.rs/apollo-router"
@@ -68,7 +68,7 @@ askama = "0.12.1"
 access-json = "0.1.0"
 anyhow = "1.0.86"
 apollo-compiler.workspace = true
-apollo-federation = { path = "../apollo-federation", version = "=1.52.0" }
+apollo-federation = { path = "../apollo-federation", version = "=1.52.1" }
 arc-swap = "1.6.0"
 async-channel = "1.9.0"
 async-compression = { version = "0.4.6", features = [
@@ -161,6 +161,8 @@ opentelemetry-aws = "0.8.0"
 # opentelemetry-datadog = { version = "0.8.0", features = ["reqwest-client"] }
 rmp = "0.8"
 # END TEMP DATADOG
+# Pin rowan until update to rust 1.77
+rowan = "=0.15.15"
 opentelemetry-http = "0.9.0"
 opentelemetry-jaeger = { version = "0.19.0", features = [
     "collector_client",
@@ -195,7 +197,7 @@ regex = "1.10.5"
 reqwest.workspace = true
 
 # note: this dependency should _always_ be pinned, prefix the version with an `=`
-router-bridge = "=0.5.27+v2.8.1"
+router-bridge = "=0.5.31+v2.8.5"
 
 rust-embed = { version = "8.4.0", features = ["include-exclude"] }
 rustls = "0.21.12"