[Bug] Apollo server v2 restarts when receives invalid multipart-request operation

[ghost]

I was testing my api with postman and found that if incorrect multipart request operation is executed the server just restarts.

Here's the example of request that I send to the server.

operations:{"query":"query ($file:Upload){me(file: $file) { _id }}", "variables" : }
map:{"0": ["variables.file"] }

Notice that I'm passing file variable of type Upload to a me query (where it should not be), as a result I get an error SyntaxError: Unexpected token } in JSON... And the app exits with code 1
I don't think that it's a desirable behaviour in such situation

[jaydenseric]

This is because Apollo Server uses a fork of apollo-upload-server (recently renamed graphql-upload) at an outdated version; v5. This issue, and many others has been fixed in the following several major releases (currently v8): https://github.com/jaydenseric/graphql-upload/blob/master/changelog.md

[edevil]

As I said in #1703, shouldn't these security issues be reported so that people are aware when they install this package? If the apollo team intends to wait for the node 6 LTS period to end, apollo users are stuck with an insecure version of the upload server (unless the fixes are backported) for a long time to come.

[abernix]

This should be fixed by #2054. As I've requested in that PR, I'd really appreciate anyone who is utilizing file uploads to try upgrading to the alpha which updates graphql-upload to v8. I've detailed the progress on this matter extensively in #2054, but the high-bit is that this should be ready to tried now in [email protected]. Please any problems (or successes!) you encounter with the upgrade, as the feedback will guide its final release.

Ref: #2054 (comment)

[abernix]

The alpha releases didn't identify any problems so I've graduated this to the official apollo-server-*@2.3.0 releases.