org.sonar.l10n.py.rules.python.S6786.html Maven / Gradle / Ivy
This vulnerability exposes information about all the APIs available on a GraphQL API server. This information can be used to discover weaknesses in
the API that can be exploited.
Why is this an issue?
GraphQL introspection is a feature that allows client applications to query the schema of a GraphQL API at runtime. It provides a way for
developers to explore and understand the available data and operations supported by the API.
This feature is a diagnostic tool that should only be used in the development phase as its presence also creates risks.
Clear documentation and API references should be considered better discoverability tools for a public GraphQL API.
What is the potential impact?
An attacker can use introspection to identify all of the operations and data types supported by the server. This information can then be used to
identify potential targets for attacks.
Exploitation of private APIs
Even when a GraphQL API server is open to access by third-party applications, it may contain APIs that are intended only for private use.
Introspection allows these private APIs to be discovered.
Private APIs often do not receive the same level of security rigor as public APIs. For example, they may skip input validation because the API is
only expected to be called from trusted applications. This can create avenues for attack that are not present on public APIs.
Exposure of sensitive data
GraphQL allows for multiple related objects to be retrieved using a single API call. This provides an efficient method of obtaining data for use in
a client application.
An attacker may be able to use these relationships between objects to traverse the data structure. They may be able to find a link to sensitive
data that the developer did not intentionally make available.
How to fix it
Code examples
Noncompliant code example
from graphql_server.flask import GraphQLView
app.add_url_rule("/api",
view_func=GraphQLView.as_view( # Noncompliant
name="api",
schema=schema,
)
)
Compliant solution
Make sure that introspection is disabled in production environments. You can use the following code sample as a reference, in conjunction with your
own methods for distinguishing between production and non-production environments.
from graphql_server.flask import GraphQLView
# Only one of the following needs to be used
from graphql.validation import NoSchemaIntrospectionCustomRule # graphql-core v3
from graphene.validation import DisableIntrospection # graphene v3
app.add_url_rule("/api",
view_func=GraphQLView.as_view(
name="api",
schema=schema,
validation_rules=[
NoSchemaIntrospectionCustomRule,
DisableIntrospection,
]
)
)
How does this work?
Disabling introspection
The GraphQL server framework should be instructed to disable introspection in production environments. This prevents any attacker attempt to
retrieve schema information from the server at runtime.
Each GraphQL framework will have a different method of doing this, possibly including:
- Changing a simple boolean setting.
- Adding a middleware module to the request processing chain.
- Adding a GraphQL validator that rejects introspection keywords.
If introspection is required, it should only be made available to the smallest possible audience. This could include development environments,
users with a specific right, or requests from a specific set of IP addresses.
Resources
Articles & blog posts
- OWASP Web Security Testing Guide - Testing GraphQL
Standards