
Make query introspection configurable in the settings
Closed, Public

Authored by jayeshv on Dec 12 2022, 2:38 PM.

Details

Summary

It is advised to disable query introspection in a prod setup to
avoid attacks.
Make the option configurable from the yaml file.

Diff Detail

Repository
rDGQL GraphQL API
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Build is green

Patch application report for D8953 (id=32257)

Rebasing onto c28b65feaf...

Current branch diff-target is up to date.
Changes applied before test
commit f1622d9c681203ef1f61b83f25c4de8cc35711c5
Author: Jayesh Velayudhan <jayesh@softwareheritage.org>
Date:   Mon Dec 12 14:35:06 2022 +0100

    Make query introspection configurable in the settings
    
    It is advised to disable query introspection in a prod setup to
    avoid attacks.
    Make the option configurable from the yaml file.

See https://jenkins.softwareheritage.org/job/DGQL/job/tests-on-diff/249/ for more details.

to avoid attacks

What kind?

This is not very relevant for us, still
https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

With introspection enabled, it will be possible to write a script to create an endless query. This will not be an issue in our case as we are anyway going to restrict queries by max cost.

Disabling introspection will remove the explorer as well, so switching it off is not really an option. I have added this config
to make it easier in case we really have to.
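The server-side check the thread describes, as an added example that is not part of this revision or of the project's own code: the settings dict stands in for the values loaded from the yaml file (key names are assumed), the depth cap stands in for the max-cost rule mentioned above, and the query scanner is a deliberate simplification of a real GraphQL parser.

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for what the service would read from its yaml settings
# file; the key names are assumptions, not the project's own configuration.
SETTINGS = {
    "introspection": False,  # the production-style value discussed in the thread
    "max_depth": 8,          # depth cap standing in for the max-cost rule
}
# Root fields that expose the schema; __typename is harmless and stays allowed.
INTROSPECTION_ROOT_FIELDS = {"__schema", "__type"}

def _strip_literals(query: str) -> str:
    """Blank out string literals and comments so braces inside them are ignored."""
    query = re.sub(r'"""[\s\S]*?"""', '""', query)
    query = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', query)
    return re.sub(r"#[^\n]*", "", query)

def inspect_query(query: str) -> Tuple[int, List[str]]:
    """Return (max selection depth, names at the top level of a selection set).
    Simplified scanner, not a full parser: a spread fragment's own depth is not added."""
    text = _strip_literals(query)
    depth = paren = max_depth = 0
    roots: List[str] = []
    for match in re.finditer(r"[{}()]|[_A-Za-z][_0-9A-Za-z]*", text):
        tok = match.group()
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == "(":
            paren += 1  # inside an argument list: names there are not fields
        elif tok == ")":
            paren -= 1
        elif depth == 1 and paren == 0:
            roots.append(tok)  # aliases and directive names land here too; harmless
    return max_depth, roots

def check_query(query: str, settings: dict = SETTINGS) -> Optional[str]:
    """Return a rejection reason, or None when the query may be executed."""
    max_depth, roots = inspect_query(query)
    if not settings["introspection"]:
        hit = INTROSPECTION_ROOT_FIELDS.intersection(roots)
        if hit:
            return f"introspection is disabled: {sorted(hit)}"
    if max_depth > settings["max_depth"]:
        return f"query depth {max_depth} exceeds limit {settings['max_depth']}"
    return None
```

With `introspection: true` in the settings the same schema query passes, which is the explorer-friendly configuration the thread settles on.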

Shouldn't it be enabled in prod too, then?

Shouldn't it be enabled in prod too, then?

Yes, I haven't added a prod config yet. This will be enabled in that as well.

This revision is now accepted and ready to land. (Dec 15 2022, 10:11 AM)