Security/CWE 200 graphql introspection toggle (#10531)
Co-authored-by: Erik Kvale <ekvale@vivsoft.io>
erikkvale and Erik Kvale authored May 17, 2024
1 parent ebdcc25 commit f5a252c
Showing 4 changed files with 22 additions and 3 deletions.
Expand Up @@ -497,6 +497,7 @@ public class GmsGraphQLEngine {

private final int graphQLQueryComplexityLimit;
private final int graphQLQueryDepthLimit;
private final boolean graphQLQueryIntrospectionEnabled;

private final BusinessAttributeType businessAttributeType;

Expand Down Expand Up @@ -612,6 +613,7 @@ public GmsGraphQLEngine(final GmsGraphQLEngineArgs args) {

this.graphQLQueryComplexityLimit = args.graphQLQueryComplexityLimit;
this.graphQLQueryDepthLimit = args.graphQLQueryDepthLimit;
this.graphQLQueryIntrospectionEnabled = args.graphQLQueryIntrospectionEnabled;

this.businessAttributeType = new BusinessAttributeType(entityClient);
// Init Lists
Expand Down Expand Up @@ -819,7 +821,8 @@ public GraphQLEngine.Builder builder() {
.addDataLoader("Aspect", context -> createDataLoader(aspectType, context))
.configureRuntimeWiring(this::configureRuntimeWiring)
.setGraphQLQueryComplexityLimit(graphQLQueryComplexityLimit)
.setGraphQLQueryDepthLimit(graphQLQueryDepthLimit);
.setGraphQLQueryDepthLimit(graphQLQueryDepthLimit)
.setGraphQLQueryIntrospectionEnabled(graphQLQueryIntrospectionEnabled);
return builder;
}

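Review bot: `.setGraphQLQueryIntrospectionEnabled(graphQLQueryIntrospectionEnabled)` is chained after `.configureRuntimeWiring(this::configureRuntimeWiring)`, but in `GraphQLEngine.Builder` (the third file in this commit) `configureRuntimeWiring` is where `NoIntrospectionGraphqlFieldVisibility` is applied, and it reads the flag at call time while the Builder default is still `true`; ordered as here, the toggle never reaches the runtime wiring. Either call the setter before `.configureRuntimeWiring(...)` in this chain, or, more robustly, move the visibility check out of `Builder.configureRuntimeWiring` into `Builder.build()` immediately ahead of `_runtimeWiringBuilder.build()`, so the outcome no longer depends on caller ordering. The `GraphQLEngine` constructor body continues past its hunk, so I cannot tell whether the stored `graphQLQueryIntrospectionEnabled` field is applied again there; if it is not, the flag as plumbed has no effect on introspection. The `builder()` method starts before this hunk.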
Expand Up @@ -82,6 +82,7 @@ public class GmsGraphQLEngineArgs {
RestrictedService restrictedService;
int graphQLQueryComplexityLimit;
int graphQLQueryDepthLimit;
boolean graphQLQueryIntrospectionEnabled;
BusinessAttributeService businessAttributeService;

// any fork specific args should go below this line
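Review bot: `boolean graphQLQueryIntrospectionEnabled;` takes Java's primitive default of `false`, while `GraphQLEngine.Builder` defaults the same flag to `true` and application.yaml defaults `GRAPHQL_QUERY_INTROSPECTION_ENABLED` to `true`, so any code path that constructs `GmsGraphQLEngineArgs` without setting this field gets the opposite of the documented default. If `true` is the intended default, write `boolean graphQLQueryIntrospectionEnabled = true;` so the three places agree; if the field is meant to be required, document that next to it. The four files in this commit do not include whichever component copies the `graphQL.query.*` config into these args, so it is worth confirming the new property is actually bound rather than left unset. The class body continues past the hunk.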
Expand Up @@ -16,6 +16,7 @@
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;
import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
Expand Down Expand Up @@ -44,15 +45,18 @@ public class GraphQLEngine {
private final Map<String, Function<QueryContext, DataLoader<?, ?>>> _dataLoaderSuppliers;
private final int graphQLQueryComplexityLimit;
private final int graphQLQueryDepthLimit;
private final boolean graphQLQueryIntrospectionEnabled;

private GraphQLEngine(
@Nonnull final List<String> schemas,
@Nonnull final RuntimeWiring runtimeWiring,
@Nonnull final Map<String, Function<QueryContext, DataLoader<?, ?>>> dataLoaderSuppliers,
@Nonnull final int graphQLQueryComplexityLimit,
@Nonnull final int graphQLQueryDepthLimit) {
@Nonnull final int graphQLQueryDepthLimit,
@Nonnull final boolean graphQLQueryIntrospectionEnabled) {
this.graphQLQueryComplexityLimit = graphQLQueryComplexityLimit;
this.graphQLQueryDepthLimit = graphQLQueryDepthLimit;
this.graphQLQueryIntrospectionEnabled = graphQLQueryIntrospectionEnabled;

_dataLoaderSuppliers = dataLoaderSuppliers;

Expand Down Expand Up @@ -130,6 +134,7 @@ public static class Builder {
private final RuntimeWiring.Builder _runtimeWiringBuilder = newRuntimeWiring();
private int graphQLQueryComplexityLimit = 2000;
private int graphQLQueryDepthLimit = 50;
private boolean graphQLQueryIntrospectionEnabled = true;

/**
* Used to add a schema file containing the GQL types resolved by the engine.
Expand Down Expand Up @@ -177,6 +182,9 @@ public Builder addDataLoaders(
* any required data + type resolvers.
*/
public Builder configureRuntimeWiring(final Consumer<RuntimeWiring.Builder> builderFunc) {
if (!this.graphQLQueryIntrospectionEnabled)
_runtimeWiringBuilder.fieldVisibility(
NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY);
builderFunc.accept(_runtimeWiringBuilder);
return this;
}
Expand All @@ -191,14 +199,20 @@ public Builder setGraphQLQueryDepthLimit(final int queryDepthLimit) {
return this;
}

public Builder setGraphQLQueryIntrospectionEnabled(final boolean introspectionEnabled) {
this.graphQLQueryIntrospectionEnabled = introspectionEnabled;
return this;
}

/** Builds a {@link GraphQLEngine}. */
public GraphQLEngine build() {
return new GraphQLEngine(
_schemas,
_runtimeWiringBuilder.build(),
_loaderSuppliers,
graphQLQueryComplexityLimit,
graphQLQueryDepthLimit);
graphQLQueryDepthLimit,
graphQLQueryIntrospectionEnabled);
}
}

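Review bot: `setGraphQLQueryIntrospectionEnabled` has no Javadoc although the neighbouring `build()` carries one, and the `if` in `configureRuntimeWiring` runs unbraced across three lines. A Javadoc such as `/** Controls whether introspection queries are answered; defaults to {@code true}. Must be set before {@link #configureRuntimeWiring}, which applies the field visibility. */` makes the ordering dependency visible to callers, and braces around the `fieldVisibility(...)` call follow the usual Java convention of bracing every block. `@Nonnull` on the primitive `boolean` parameter is a no-op; it mirrors the existing `int` parameters, so dropping all three would be a separate cleanup. `configureRuntimeWiring`, the new setter and `build()` are complete within the hunk; the private constructor's body continues past its hunk.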
Expand Up @@ -443,6 +443,7 @@ graphQL:
query:
complexityLimit: ${GRAPHQL_QUERY_COMPLEXITY_LIMIT:2000}
depthLimit: ${GRAPHQL_QUERY_DEPTH_LIMIT:50}
introspectionEnabled: ${GRAPHQL_QUERY_INTROSPECTION_ENABLED:true}

springdoc.api-docs.groups.enabled: true

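Review bot: `introspectionEnabled: ${GRAPHQL_QUERY_INTROSPECTION_ENABLED:true}` leaves introspection on by default, so the CWE-200 mitigation this commit adds is opt-in and nothing at the key tells an operator what it governs. A comment above the key, such as `# false stops the schema being enumerable via GraphQL introspection (CWE-200); true preserves existing behaviour`, would make that trade-off visible where the value is configured. Only the keys shown are visible here; the `graphQL:` block starts before the hunk.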
