-
Notifications
You must be signed in to change notification settings - Fork 964
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GraphQL deployed to production reveals hints to other types when one not found #4275
Comments
/cc @dthyresson |
Looking at the useMaskedError envelop plugin, my hypothesis is that error masking only happens in the |
I should clarify: Masking looks to be done at the execute and subscribe phases. |
This is an unsolved issue within graphql-js as this is raised by a validation rule during validate. See graphql/graphql-js#2247 In general, I think disabling introspection gives a false sense of security. Theoretically, we could create an envelop plugin for masking the "did you mean x" suggestions by replacing the existing validation rules. If you really want to achieve full protection of arbitrary GraphQL operations persisted queries/operations should be considered, as disabling introspection/"did you mean x" is just a light layer of security that is still pretty vulnerable to brute force. |
Thanks @n1ru4l -- I think this is the concern @cannikin has -- which seems valid -- that some schema info is being leaked here with the I wonder if a "workaround" would be in the But if useMaskedError was also used
Edit: Now that I think on it, it might not be possible. But ..
"by replacing the existing validation rules" What might that look like, happy to take on a PR :) |
Huh, just learning about persisted queries right now, that could be interesting. The Cell contains the full query, but at build time we could SHA hash the query and then replace the cell query with that hash string instead. Makes it much more difficult for someone to browse through the client code and find types/fields to mix and match and probe endpoints... Having your API be effectively single, pre-defined endpoints that always return the same data sounds familiar...😉 |
@dthyresson You should be able to find all the affected validation rules by searching for Seems like that are quite a few, so a lot of logic to copy/paste and maintain. A drawback would be high maintenance effort. 🤔 Also, the messages don't follow a specific pattern, so detecting the exact errors that leak schema information also requires maintaining a list of strings that needs to be double-checked and adjusted for each graphql-js release (in the worst case). Unfortunately, there is no nice and straightforward solution for handling this. Maybe adding a configuration option that is set on the Alternatively all errors that arise during @cannikin Usually you would only enable persisted operations for production environments 😉 . I agree with you that this also implies new problems that need to be solved. I actually never used them in production myself. At the same time I also never perceived exposing the introspection/"did you mean x" as a security issue in my projects. |
@n1ru4l has a PR graphql/graphql-js#3467 that adds an option to include the "didYouMean" info to the validation messages. If added to graphql-js then we can set that as a sensible default. Until then, there isn't a great way for v1 to address this issues. @jtoar let's make this v2 and we'll watch that PR. |
In addition to this, would it be possible to exclude any helpful text from GraphQL about malformed queries? It's invaluable when in development mode, but in production, a malicious actor can use those hints to completely generate a valid request from scratch with zero other knowledge—GraphQL is constantly telling you what arguments are required, what their data type is, what field names are missing, etc. Here's a couple:
You almost don't need introspection when the error messages basically do it for you. :( In a RESTful land I'd return a 400 Bad Request for anything like this... I can see enabling this if you have other clients than your own, and they need help consuming the API, but if it's just you using it then seems like you should expose as little information about how it works to prying eyes as possible. Or am I being paranoid? |
If RedwoodJS updates to use GraphQL Armor, there is a plugin that "blocks field suggestions": |
Given the following SDL:
If you make a mutation request for a type that does not exist (there is no
createAccount
type):The response contains suggestions for other endpoints which do exist:
This response is great in development. But, since we disable introspection in production to be default-secure, this feels like a security risk as it gives away other endpoints to start probing.
The text was updated successfully, but these errors were encountered: