-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SECURITY PROBLEM] Implement a configuration option to disable the suggestion feature when a GraphQL query fails #319
[SECURITY PROBLEM] Implement a configuration option to disable the suggestion feature when a GraphQL query fails #319
Conversation
The golangci-lint CI is currently failing, but since the same issue is occurring on the master branch, I will not be addressing this in my branch. |
Hi @tomoikey we have run into similar problem by using this library (that suggesting types in the error message is a security risk for a public GraphQL server). So we are also interested in this change. But I am afraid your change may break a lot of existing code, because of adding additional parameter to the exported functions (which are used by other packages). Have you maybe considered ways for keeping an old API intact, i.e. that gqlparser.MustLoadQuery(schema, query) etc would still work? Another idea would be just to drop suggested types from the error message |
@kgrigorev func LoadQuery(schema *ast.Schema, str string, options ...validator.ValidateOptionFactor) (*ast.QueryDocument, gqlerror.List)
func MustLoadQuery(schema *ast.Schema, str string, options ...validator.ValidateOptionFactor) *ast.QueryDocument
func Validate(schema *Schema, doc *QueryDocument, options ...ValidateOptionFactor) gqlerror.List Accordingly, we can disable the suggestion as shown below. gqlparser.LoadQuery(schema, str)
gqlparser.LoadQuery(schema, str, validator.DisableSuggestion{}) // if we want to disable suggestions
gqlparser.MustLoadQuery(schema, str)
gqlparser.MustLoadQuery(schema, str, validator.DisableSuggestion{}) // if we want to disable suggestions
validator.Validate(schema, doc)
validator.Validate(schema, doc, validator.DisableSuggestion{}) // if we want to disable suggestions |
validator/imported_test.go
Outdated
@@ -2,6 +2,7 @@ package validator_test | |||
|
|||
import ( | |||
"fmt" | |||
"github.com/vektah/gqlparser/v2/validator" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you mind putting this import down with the non-standard library imports?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@StevenACoffman
Thanks! I fixed it like
import (
"testing"
"github.com/stretchr/testify/require"
"github.com/vektah/gqlparser/v2"
"github.com/vektah/gqlparser/v2/ast"
"github.com/vektah/gqlparser/v2/parser"
"github.com/vektah/gqlparser/v2/validator"
"github.com/vektah/gqlparser/v2/validator/rules"
)
validator/validator.go
Outdated
@@ -8,7 +8,7 @@ import ( | |||
|
|||
type AddErrFunc func(options ...ErrorOption) | |||
|
|||
type ruleFunc func(observers *Events, addError AddErrFunc) | |||
type ruleFunc func(observers *Events, validateOption ValidateOption, addError AddErrFunc) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
type ruleFunc func(observers *Events, validateOption ValidateOption, addError AddErrFunc) | |
type ruleFunc func(observers *Events, addError AddErrFunc, options ...ValidateOption) |
Currently people are using the AddRule which takes a function as an argument that uses this ruleFunc
signature, so your change here would break backwards compatibility unless you made it variadic.
Hey, thanks for working on this. Some recent changes ( #320 ) allow people to reset the rules, so that might be an alternative method that would avoid breaking backwards compatibility. |
f4ff5c8
to
c1fe490
Compare
@StevenACoffman |
Thanks! Yeah, that's a better way since it avoids breaking backward compatibility. |
Purpose
gqlparser
is highly convenient because it offers suggestions when we mistakenly input field names or type names. However, when deploying a GraphQL server that usesgqlparser
, leaving the suggestion feature enabled may pose a risk of disclosing information to attackers. Therefore, it is important to provide developers implementing GraphQL servers with the option to enable or disable the suggestion feature.For your reference, Rust-based GraphQL library also offer the capability to disable suggestions.
https://github.com/async-graphql/async-graphql/blob/3046ae7f06ac08a9b912d8655d17f5c7f8c663c0/src/schema.rs#L217-L221
I would be delighted if you are pleased with this change. Thank you.
I have:
- [ ] Updated any relevant documentationAdditionally, it was mentioned that updating the relevant documentation is mandatory, but I was unsure about the specific sections that need to be revised. If you find this PR satisfactory, I would greatly appreciate it if you could advise me on which documents to update and how to modify them.