From ebfde0007c647d9fb73e3aa24b968def3e307084 Mon Sep 17 00:00:00 2001
From: Trevor Scheer <trevor.scheer@gmail.com>
Date: Fri, 4 Aug 2023 10:26:51 -0700
Subject: [PATCH] Add missing `nonce` to `script` tag (#7672)

Follow-up to
https://github.com/apollographql/apollo-server/security/advisories/GHSA-68jh-rf6x-836f
---
 .changeset/rude-monkeys-pay.md                  |  5 +++++
 .../__tests__/plugin/landingPage/plugin.test.ts | 17 ++++++++++++++++-
 .../src/plugin/landingPage/default/index.ts     |  2 +-
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/rude-monkeys-pay.md

diff --git a/.changeset/rude-monkeys-pay.md b/.changeset/rude-monkeys-pay.md
new file mode 100644
index 00000000000..a9e0c7473f0
--- /dev/null
+++ b/.changeset/rude-monkeys-pay.md
@@ -0,0 +1,5 @@
+---
+'@apollo/server': patch
+---
+
+Add missing `nonce` on `script` tag for non-embedded landing page
diff --git a/packages/server/src/__tests__/plugin/landingPage/plugin.test.ts b/packages/server/src/__tests__/plugin/landingPage/plugin.test.ts
index f38fa91ea01..5ce3e434d57 100644
--- a/packages/server/src/__tests__/plugin/landingPage/plugin.test.ts
+++ b/packages/server/src/__tests__/plugin/landingPage/plugin.test.ts
@@ -1,5 +1,8 @@
 import { ApolloServer, HeaderMap } from '@apollo/server';
-import { ApolloServerPluginLandingPageLocalDefault } from '@apollo/server/plugin/landingPage/default';
+import {
+  ApolloServerPluginLandingPageLocalDefault,
+  ApolloServerPluginLandingPageProductionDefault,
+} from '@apollo/server/plugin/landingPage/default';
 import { describe, expect, test } from '@jest/globals';
 import assert from 'assert';
 import { mockLogger } from '../../mockLogger';
@@ -61,4 +64,16 @@ describe('ApolloServerPluginLandingPageDefault', () => {
     );
     await server.stop();
   });
+
+  test(`nonce exists in non-embedded landing page`, async () => {
+    const plugin = ApolloServerPluginLandingPageProductionDefault({
+      embed: false,
+    });
+
+    // @ts-ignore not passing things to `serverWillStart`
+    const { renderLandingPage } = await plugin.serverWillStart?.({});
+    const landingPageHtml = await (await renderLandingPage?.()).html();
+
+    expect(landingPageHtml).toMatch(/<script nonce=".*">window\.landingPage/);
+  });
 });
diff --git a/packages/server/src/plugin/landingPage/default/index.ts b/packages/server/src/plugin/landingPage/default/index.ts
index 2085b7949bd..9a708450e80 100644
--- a/packages/server/src/plugin/landingPage/default/index.ts
+++ b/packages/server/src/plugin/landingPage/default/index.ts
@@ -72,7 +72,7 @@ const getNonEmbeddedLandingPageHTML = (
   <h1>Welcome to Apollo Server</h1>
   <p>The full landing page cannot be loaded; it appears that you might be offline.</p>
 </div>
-<script>window.landingPage = ${encodedConfig};</script>
+<script nonce="${nonce}">window.landingPage = ${encodedConfig};</script>
 <script nonce="${nonce}" src="https://apollo-server-landing-page.cdn.apollographql.com/${encodeURIComponent(
     cdnVersion,
   )}/static/js/main.js?runtime=${apolloServerVersion}"></script>`;