Page MenuHomeSoftware Heritage
Differential D8953

Make query introspection configurable in the settings
ClosedPublic
Actions

Authored by jayeshv on Dec 12 2022, 2:38 PM.

Details

Reviewers
vlorentz
Group Reviewers
Reviewers
Commits
rDGQLf1622d9c6812: Make query introspection configurable in the settings
Summary

It is advised to disable query introspection in a prod setup to
avoid attacks.
Make the option configurable from the yaml file.

Diff Detail

Repository
rDGQL GraphQL API
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

jayeshv created this revision.Dec 12 2022, 2:38 PM
Herald added a reviewer: Reviewers. · View Herald TranscriptDec 12 2022, 2:38 PM
swh-public-ci added a comment.Dec 12 2022, 2:41 PM

Build is green

Patch application report for D8953 (id=32257)

Rebasing onto c28b65feaf...

Current branch diff-target is up to date.
Changes applied before test
commit f1622d9c681203ef1f61b83f25c4de8cc35711c5
Author: Jayesh Velayudhan <jayesh@softwareheritage.org>
Date:   Mon Dec 12 14:35:06 2022 +0100

    Make query introspection configurable in the settings
    
    It is advised to disable query introspection in a prod setup to
    avoid attacks.
    Make the option configurable from the yaml file.

See https://jenkins.softwareheritage.org/job/DGQL/job/tests-on-diff/249/ for more details.

Harbormaster completed remote builds in B33213: Diff 32257.Dec 12 2022, 2:41 PM
jayeshv requested review of this revision.Dec 12 2022, 2:41 PM
vlorentz added a subscriber: vlorentz.Dec 15 2022, 9:54 AM

to avoid attacks

What kind?

jayeshv added a comment.Dec 15 2022, 10:01 AM
In D8953#232844, @vlorentz wrote:

to avoid attacks

What kind?

This is not very relevant for us, still
https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

with introspection enabled, it will be possible to write a script to create an endless query. This will not be an issue in
our case as we are anyway going to restrict queries by max cost.

Disabling introspection will remove the explorer as well, so switching it off is not really an option. I have added this config
to make it easier in case we really have to.

vlorentz added a comment.Dec 15 2022, 10:06 AM

Shouldn't it be enabled in prod too, then?

jayeshv added a comment.Dec 15 2022, 10:11 AM
In D8953#232851, @vlorentz wrote:

Shouldn't it be enabled in prod too, then?

Yes, I haven't added a prod config yet. This will be enabled in that as well.

vlorentz accepted this revision.Dec 15 2022, 10:11 AM
This revision is now accepted and ready to land.Dec 15 2022, 10:11 AM
Closed by commit rDGQLf1622d9c6812: Make query introspection configurable in the settings (authored by jayeshv). · Explain WhyDec 15 2022, 10:16 AM
This revision was automatically updated to reflect the committed changes.
jayeshv added a commit: rDGQLf1622d9c6812: Make query introspection configurable in the settings.

Revision Contents
Changeset List

PathSize
config/
2 lines
2 lines
swh/
graphql/
7 lines
tests/
unit/
6 lines

Diff 32272

View Options

config/dev.yml

Loading...
View Options

config/staging.yml

Loading...
View Options

swh/graphql/server.py

Loading...
View Options

swh/graphql/tests/unit/test_server.py

Loading...
About · Developer information · Legal