Disable GraphQL Query Introspection (#1796)

GraphQL query introspection allows users to browse all graphql endpoints along with their descriptions. Since this is considered to be a security risk, here we are disabling that access.
meedan · Feb 9, 2024 · 75de8b1 · 75de8b1
1 parent 4a0f15e
commit 75de8b1
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/app/graph/relay_on_rails_schema.rb b/app/graph/relay_on_rails_schema.rb
@@ -13,6 +13,8 @@ class RelayOnRailsSchema < GraphQL::Schema
 
   lazy_resolve(Concurrent::Future, :value)
 
+  disable_introspection_entry_points
+
   class << self
     def resolve_type(_type, object, _ctx)
       klass = (object.respond_to?(:type) && object.type) ? object.type : object.class_name

diff --git a/test/controllers/graphql_controller_12_test.rb b/test/controllers/graphql_controller_12_test.rb
@@ -289,4 +289,23 @@ def teardown
     data = JSON.parse(@response.body)['data']['updateUser']['me']
     assert_equal user.id, data['dbid']
   end
+
+  test "should ensure graphql introspection is disabled" do
+    user = create_user
+    authenticate_with_user(user)
+    INTROSPECTION_QUERY = <<-GRAPHQL
+      {
+        __schema {
+          queryType {
+            name
+          }
+        }
+      }
+    GRAPHQL
+
+    post :create, params: { query: INTROSPECTION_QUERY }
+    assert_response :success
+    response_body = JSON.parse(response.body)
+    assert_equal response_body['errors'][0]['message'], "Field '__schema' doesn't exist on type 'Query'"
+  end
 end