[backend] Improve control of graphql schema introspection
richard-julien committed Jun 6, 2024
1 parent 803c52c commit f87d969
Showing 1 changed file with 4 additions and 5 deletions.
9 changes: 4 additions & 5 deletions opencti-platform/opencti-graphql/src/graphql/graphql.js
@@ -1,5 +1,5 @@
import { ApolloServer, UserInputError } from 'apollo-server-express';
import { ApolloServerPluginLandingPageGraphQLPlayground, ApolloServerPluginLandingPageDisabled } from 'apollo-server-core';
import { ApolloServerPluginLandingPageDisabled, ApolloServerPluginLandingPageGraphQLPlayground } from 'apollo-server-core';
import { formatError as apolloFormatError } from 'apollo-errors';
import { ApolloArmor } from '@escape.tech/graphql-armor';
import { dissocPath } from 'ramda';
Expand All @@ -8,7 +8,7 @@ import ConstraintDirectiveError from 'graphql-constraint-directive/lib/error';
import { constraintDirectiveDocumentation, createApolloQueryValidationPlugin } from 'graphql-constraint-directive';
import { GraphQLError } from 'graphql/error';
import createSchema from './schema';
import conf, { basePath, DEV_MODE, PLAYGROUND_INTROSPECTION_DISABLED, ENABLED_TRACING, PLAYGROUND_ENABLED, GRAPHQL_ARMOR_ENABLED, logApp } from '../config/conf';
import conf, { basePath, DEV_MODE, ENABLED_TRACING, GRAPHQL_ARMOR_ENABLED, logApp, PLAYGROUND_ENABLED, PLAYGROUND_INTROSPECTION_DISABLED } from '../config/conf';
import { authenticateUserFromRequest, userWithOrigin } from '../domain/user';
import { ForbiddenAccess, ValidationError } from '../config/errors';
import loggerPlugin from './loggerPlugin';
Expand Down Expand Up @@ -80,11 +80,10 @@ const createApolloServer = () => {
const playgroundPlugin = ApolloServerPluginLandingPageGraphQLPlayground(playgroundOptions);
apolloPlugins.push(PLAYGROUND_ENABLED ? playgroundPlugin : ApolloServerPluginLandingPageDisabled());
// Schema introspection must be accessible only for auth users.
const introspectionPatterns = ['__schema {', '__schema(', '__type {', '__type('];
const secureIntrospectionPlugin = {
requestDidStart: ({ request, context }) => {
// Is schema introspection request
if (introspectionPatterns.some((pattern) => request.query.includes(pattern))) {
// Is schema have introspection request
if (['__schema', '__type'].some((pattern) => request.query.includes(pattern))) {
// If introspection explicitly disabled or user is not authenticated
if (!PLAYGROUND_ENABLED || PLAYGROUND_INTROSPECTION_DISABLED || !context.user) {
throw ForbiddenAccess('GraphQL introspection not authorized!');
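Review bot: The introspection guard in `secureIntrospectionPlugin` still decides on the raw query string, and the pattern list `['__schema {', '__schema(', '__type {', '__type(']` (assuming that is the new side; the rendered page does not mark it, and the counts admit either assignment) is whitespace-sensitive while GraphQL is not, so a request whose selection set is separated from the field by a newline or no space at all matches no pattern and skips the ForbiddenAccess check, while a string argument or comment that happens to contain `__schema {` is refused. Checking the parsed document also removes a crash: `request.query` is undefined for persisted-query requests, so `request.query.includes(...)` throws a TypeError before the authorization decision is made. Moving the check into `didResolveOperation` and walking `document` with `visit` (imported from `graphql`, which the file already depends on) for Field nodes named `__schema` or `__type` is exact and does not collide with `__typename`. `createApolloServer` starts before this hunk and continues after it.
```javascript
    // Schema introspection must be accessible only for auth users.
    const introspectionFields = new Set(['__schema', '__type']);
    const secureIntrospectionPlugin = {
      requestDidStart: () => ({
        // Decide on the parsed document, not the raw text: spacing, comments and
        // persisted queries (request.query undefined) are all handled by the parser.
        didResolveOperation: ({ document, context }) => {
          let isIntrospection = false;
          visit(document, {
            Field(node) {
              if (introspectionFields.has(node.name.value)) isIntrospection = true;
            },
          });
          // If introspection explicitly disabled or user is not authenticated
          if (isIntrospection && (!PLAYGROUND_ENABLED || PLAYGROUND_INTROSPECTION_DISABLED || !context.user)) {
            throw ForbiddenAccess('GraphQL introspection not authorized!');
          }
        },
      }),
    };
    // … unchanged: plugin registration …
```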
