It is advised to disable query introspection in a prod setup to
avoid attacks.
Make the option configurable from the yaml file.
Details
Details
- Reviewers
vlorentz - Group Reviewers
Reviewers - Commits
- rDGQLf1622d9c6812: Make query introspection configurable in the settings
Diff Detail
Diff Detail
- Repository
- rDGQL GraphQL API
- Lint
Automatic diff as part of commit; lint not applicable. - Unit
Automatic diff as part of commit; unit tests not applicable.
Event Timeline
Comment Actions
Build is green
Patch application report for D8953 (id=32257)
Rebasing onto c28b65feaf...
Current branch diff-target is up to date.
Changes applied before test
commit f1622d9c681203ef1f61b83f25c4de8cc35711c5 Author: Jayesh Velayudhan <jayesh@softwareheritage.org> Date: Mon Dec 12 14:35:06 2022 +0100 Make query introspection configurable in the settings It is advised to disable query introspection in a prod setup to avoid attacks. Make the option configurable from the yaml file.
See https://jenkins.softwareheritage.org/job/DGQL/job/tests-on-diff/249/ for more details.
Comment Actions
This is not very relevant for us, still
https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/
with introspection enabled, it will be possible to write a script to create an endless query. This will not be an issue in
our case as we are anyway going to restrict queries by max cost.
Disabling introspection will remove the explorer as well, so switching it off is not really an option. I have added this config
to make it easier in case we really have to.