It is advised to disable query introspection in a prod setup to
avoid attacks.
Make the option configurable from the yaml file.
Details
- Reviewers: vlorentz
- Group Reviewers: Reviewers
- Commits: rDGQLf1622d9c6812: Make query introspection configurable in the settings
Diff Detail
- Repository: rDGQL GraphQL API
- Branch: introspection-setting
- Lint: No Linters Available
- Unit: No Unit Test Coverage
- Build Status: Buildable 33213; Build 52074: Phabricator diff pipeline on jenkins; Build 52073: arc lint + arc unit
Event Timeline
Build is green
Patch application report for D8953 (id=32257)
Rebasing onto c28b65feaf...
Current branch diff-target is up to date.
Changes applied before test
commit f1622d9c681203ef1f61b83f25c4de8cc35711c5
Author: Jayesh Velayudhan <jayesh@softwareheritage.org>
Date: Mon Dec 12 14:35:06 2022 +0100

Make query introspection configurable in the settings

It is advised to disable query introspection in a prod setup to avoid attacks. Make the option configurable from the yaml file.
See https://jenkins.softwareheritage.org/job/DGQL/job/tests-on-diff/249/ for more details.
This is not very relevant for us, still: https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

With introspection enabled, it will be possible to write a script to create an endless query. This will not be an issue in our case as we are anyway going to restrict queries by max cost.

Disabling introspection will remove the explorer as well, so switching it off is not really an option. I have added this config to make it easier in case we really have to.
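A stand-alone sketch of the two controls this revision and its discussion touch on: a yaml-driven introspection switch and a per-query size limit standing in for the planned max-cost restriction. This is an added illustration, not code from rDGQL; the `graphql:` config keys, the depth cap, and the sample queries are assumptions, and a brace-depth count is used here as a simple proxy for query cost.

```python
import re
from dataclasses import dataclass

# Root fields the GraphQL spec reserves for schema introspection.
# __typename is deliberately not listed: it reveals nothing about the schema.
INTROSPECTION_RE = re.compile(r"\b__(?:schema|type)\b")

@dataclass(frozen=True)
class GraphQLSettings:
    introspection: bool = True  # assumed default: on unless the yaml turns it off
    max_depth: int = 10         # assumed depth cap, standing in for the max-cost limit

def settings_from_config(cfg: dict) -> GraphQLSettings:
    """Build settings from an already yaml-loaded dict; the key names are assumed."""
    section = cfg.get("graphql", {})
    return GraphQLSettings(
        introspection=bool(section.get("introspection", True)),
        max_depth=int(section.get("max_depth", 10)),
    )

def _strip_strings(query: str) -> str:
    """Blank out block and plain string literals so braces or names inside them are not counted."""
    return re.sub(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"', '""', query)

def selection_depth(query: str) -> int:
    """Deepest nesting of selection sets, measured by brace balance."""
    depth = deepest = 0
    for ch in _strip_strings(query):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest

def validate_query(query: str, settings: GraphQLSettings) -> list[str]:
    """Return the reasons to reject a query; an empty list means it may execute."""
    reasons = []
    if not settings.introspection:
        used = sorted(set(INTROSPECTION_RE.findall(_strip_strings(query))))
        if used:
            reasons.append(f"introspection disabled, query uses {', '.join(used)}")
    depth = selection_depth(query)
    if depth > settings.max_depth:
        reasons.append(f"selection depth {depth} exceeds max {settings.max_depth}")
    return reasons

# Constructed sample, as yaml.safe_load would return it for "graphql: {introspection: false, max_depth: 4}".
PROD_CONFIG = {"graphql": {"introspection": False, "max_depth": 4}}
```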