fix: Disable GraphQL introspection in prod #953

Merged: 2 commits, Nov 4, 2024

Conversation

suejung-sentry (Contributor) commented Nov 1, 2024

Disable GraphQL introspection in production environments to resolve a pentest finding.
Tested locally by confirming that the introspection query succeeds/fails when the var in settings_{env}.py is changed.

Closes https://github.com/codecov/internal-issues/issues/917

Example introspection query:
[screenshot: 2024-11-01, 12:08 PM]

query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    types {
      name
      kind
      description
      fields(includeDeprecated: true) {
        name
        description
        args {
          name
          description
          type {
            name
            kind
            ofType {
              name
              kind
            }
          }
          defaultValue
        }
        type {
          name
          kind
          ofType {
            name
            kind
          }
        }
        isDeprecated
        deprecationReason
      }
      inputFields {
        name
        description
        type {
          name
          kind
          ofType {
            name
            kind
          }
        }
        defaultValue
      }
      interfaces {
        name
        kind
      }
      enumValues(includeDeprecated: true) {
        name
        description
        isDeprecated
        deprecationReason
      }
      possibleTypes {
        name
        kind
      }
    }
    directives {
      name
      description
      locations
      args {
        name
        description
        type {
          name
          kind
          ofType {
            name
            kind
          }
        }
        defaultValue
      }
    }
  }
}

Example error:

{
  "error": {
    "errors": [
      {
        "message": "Cannot query '__schema': introspection is disabled.",
        "locations": [
          {
            "line": 2,
            "column": 3
          }
        ],
        "extensions": {
          "exception": null
        }
      }
    ]
  }
}

Example: testing in Postman in prod before deploying this update:

{
    "query": "query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { name kind description fields(includeDeprecated: true) { name description args { name description type { name kind ofType { name kind } } defaultValue } type { name kind ofType { name kind } } isDeprecated deprecationReason } inputFields { name description type { name kind ofType { name kind } } defaultValue } interfaces { name kind } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { name kind } } directives { name description locations args { name description type { name kind ofType { name kind } } defaultValue } } } }",
    "variables": {}
}
[screenshot: 2024-11-04, 9:19 AM]
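The check a pentester, or the engineer closing the finding, would rerun against the deployed endpoint, as an added example that is not code from this PR or from the codecov project: it POSTs the two root introspection fields (`__schema` and `__type`, since a server that only refuses `__schema` still leaks type shapes one type at a time through `__type`) and classifies each response, accepting both spec-style top-level `errors` and the `{"error": {"errors": [...]}}` wrapping shown in the PR. The endpoint URL on the command line and the sample responses are constructed for the example; the "introspection is disabled" message is the one quoted above.

```python
"""Probe a GraphQL endpoint to confirm introspection is really disabled.

Added verification script (not code from the PR or from the codecov project).
It assumes a JSON POST endpoint and tolerates both spec-style top-level
"errors" and the {"error": {"errors": [...]}} wrapping shown in the PR.
"""
import json
import sys
import urllib.error
import urllib.request

# Both root introspection fields are probed: a server that only blocks
# __schema still leaks type shapes through __type, one type at a time.
INTROSPECTION_PROBES = {
    "__schema": "query { __schema { queryType { name } } }",
    "__type": 'query { __type(name: "Query") { name fields { name } } }',
}

# Constructed sample responses for offline checks, modelled on the PR text.
SAMPLE_DISABLED_RESPONSE = {
    "error": {
        "errors": [
            {"message": "Cannot query '__schema': introspection is disabled.",
             "locations": [{"line": 1, "column": 9}],
             "extensions": {"exception": None}}
        ]
    }
}
SAMPLE_ENABLED_RESPONSE = {
    "data": {"__schema": {"queryType": {"name": "Query"}}}
}


def build_request_body(query: str) -> bytes:
    """Serialise a GraphQL operation the way Postman or curl would POST it."""
    return json.dumps({"query": query, "variables": {}}).encode("utf-8")


def _extract_errors(body: dict) -> list:
    """Return the error list from top-level "errors" or the nested "error" wrapper."""
    if isinstance(body.get("errors"), list):
        return body["errors"]
    wrapper = body.get("error")
    if isinstance(wrapper, dict) and isinstance(wrapper.get("errors"), list):
        return wrapper["errors"]
    return []


def classify_introspection_response(body: dict) -> str:
    """Classify a parsed response as 'enabled', 'disabled' or 'unknown'.

    'unknown' covers errors unrelated to introspection (auth, rate limit,
    syntax), which must not be mistaken for a successful lockdown.
    """
    data = body.get("data")
    if isinstance(data, dict) and any(data.get(f) for f in INTROSPECTION_PROBES):
        return "enabled"
    messages = " ".join(str(e.get("message", "")) for e in _extract_errors(body)).lower()
    if "introspection" in messages and "disabled" in messages:
        return "disabled"
    return "unknown"


def probe_endpoint(url: str, query: str, timeout: float = 10.0) -> dict:
    """POST one probe query and return the parsed JSON body (network call)."""
    req = urllib.request.Request(
        url,
        data=build_request_body(query),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as exc:
        raw = exc.read()  # a 400 for a rejected query still carries the errors
    return json.loads(raw.decode("utf-8"))


def introspection_status(url: str) -> dict:
    """Run every probe against url; returns {probe_name: classification}."""
    return {name: classify_introspection_response(probe_endpoint(url, q))
            for name, q in INTROSPECTION_PROBES.items()}


if __name__ == "__main__":
    # Usage: python probe_introspection.py https://example.invalid/graphql
    results = introspection_status(sys.argv[1])
    for name, status in results.items():
        print(f"{name}: {status}")
    # Non-zero exit unless every probe was explicitly refused as introspection.
    sys.exit(0 if all(s == "disabled" for s in results.values()) else 1)
```

Exit status is intentionally strict: an endpoint that answers with an unrelated error (an auth wall, a rate limit) is reported as "unknown" and fails the check, because it says nothing about whether an authenticated attacker could still dump the schema.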

codecov-notifications bot commented Nov 1, 2024

Codecov Report

Attention: Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines       Patch %   Lines
codecov/settings_staging.py    0.00%     1 Missing ⚠️


codecov bot commented Nov 1, 2024

Codecov Report

Attention: Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 96.24%. Comparing base (564cad4) to head (55229a8).
Report is 2 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines       Patch %   Lines
codecov/settings_staging.py    0.00%     1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #953      +/-   ##
==========================================
- Coverage   96.24%   96.24%   -0.01%     
==========================================
  Files         826      826              
  Lines       19016    19021       +5     
==========================================
+ Hits        18302    18306       +4     
- Misses        714      715       +1     
Flag                   Coverage Δ
unit                   92.49% <80.00%> (-0.01%) ⬇️
unit-latest-uploader   92.49% <80.00%> (-0.01%) ⬇️



suejung-sentry marked this pull request as ready for review November 1, 2024 19:10
suejung-sentry requested a review from a team as a code owner November 1, 2024 19:10
suejung-sentry added this pull request to the merge queue Nov 4, 2024
github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 4, 2024
suejung-sentry added this pull request to the merge queue Nov 4, 2024
Merged via the queue into main with commit 168d5f2 Nov 4, 2024
16 of 19 checks passed
suejung-sentry deleted the sshin/fix/introspection branch November 4, 2024 17:50