Summary

A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields indirectly through their dependencies, bypassing access control checks. A fix to composition logic in Federation now enforces that dependent fields match the access control requirements from of the fields they reference.

Details

Apollo Federation allows users to specify @authenticated, @requiresScopes, and @policy directives to protect fields at the field level. The @requires directive allows a field to depend on data from other fields in the schema, and @fromContext allows a field to use values from the execution context. However, Apollo Router does not enforce access control requirements on these transitively-accessed fields, and Apollo Federation did not require that fields using @requires or @fromContext have the same access control as the fields they depend on. At execution time, when a field decorated with @requires or @fromContext was resolved, the Router would fetch the required dependency fields from subgraphs without checking whether those fields had their own access control requirements. Access control directives applied to these dependency fields were only enforced when those fields appeared explicitly in the query. If the protected fields were accessed solely as transitive dependencies (in other words, fetched to satisfy @requires or @fromContext but not directly requested) their access control requirements were silently ignored. This discrepancy between where access controls could be defined (on any field) and where it was enforced (only on explicitly queried fields) leads to unexpected runtime security gaps.

Who is impacted

This vulnerability impacts Apollo Federation customers with supergraphs defining @authenticated, @requiresScopes, or @policy directives on fields that are also specified as dependencies in @requires or @fromContext directives.

Scope of Impact

The vulnerability could allow a malicious actor to craft a query that indirectly accesses protected fields, allowing them to bypass field-level access control. By querying only fields that depend on protected data (via @requires or @fromContext) without explicitly requesting the protected fields themselves, an attacker could retrieve sensitive information without meeting the access control requirements.

Patches

This vulnerability has been fixed in Apollo Federation by updating composition logic to validate that access control requirements on @requires and @fromContext dependency fields match the resolving field's requirements. Note that this is a breaking change to Apollo Federation, as it no longer allows fields using @requires or @fromContext to have different access control directives from the fields they depend on. You will need to update your subgraphs to ensure that the access control requirements on fields using @requires or @fromContext match the access control directives on the referenced fields. If you are using the Apollo Studio build pipeline with Federation version 2.9 or above, then this patch version update is automatic and you only need to adjust the access control requirements in your subgraph schemas as mentioned above. If you are using Apollo Rover for local composition, you will need to update its composition version (after updating Apollo Router, if necessary) to one of the following versions:

• 2.9.5+
• 2.10.4+
• 2.11.5+
• 2.12.1+ You will then need to adjust the access control requirements in your subgraph schemas as mentioned above.

Workarounds

• If you are using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, you should review your schema for any sensitive fields that are accessed via @requires or @fromContext and explicitly apply matching access control directives on those transitive fields. Alternatively, consider restructuring your schema so that protected fields are queried directly.
• Customers not using Apollo Router access control features (@authenticated, @requiresScopes, or @policy directives) or not using @requires or @fromContext directives in combination with field-level access control are not affected and do not need to take action.