Modify S6786(python): Improve description (#3792)

2024-03-21 14:43:07 +01:00 · 2024-03-21 14:43:07 +01:00 · 6197098897
commit 6197098897
parent e7bcbd7691
2 changed files with 19 additions and 8 deletions
--- a/rules/S6786/python/metadata.json
+++ b/rules/S6786/python/metadata.json
@ -1,5 +1,5 @@
 {
-  "title": "GraphQL introspection should not be allowed",
+  "title": "GraphQL introspection should be disabled in production",
  "type": "VULNERABILITY",
  "status": "ready",
  "remediation": {
--- a/rules/S6786/python/rule.adoc
+++ b/rules/S6786/python/rule.adoc
@ -9,7 +9,11 @@ GraphQL introspection is a feature that allows client applications to query the
 schema of a GraphQL API at runtime. It provides a way for developers to explore
 and understand the available data and operations supported by the API.

-While this feature is useful, it also creates risks if not properly secured.
+This feature is a diagnostic tool that should only be used in the development
+phase as its presence also creates risks.
+
+Clear documentation and API references should be considered better
+discoverability tools for a public GraphQL API.

 === What is the potential impact?

@ -59,12 +63,18 @@ app.add_url_rule("/api",

 ==== Compliant solution

+Make sure that introspection is disabled in production environments. You can use
+the following code sample as a reference, in conjunction with your own methods
+for distinguishing between production and non-production environments.
+
 [source,python,diff-id=1,diff-type=compliant]
 ----
 from graphql_server.flask import GraphQLView
+
 # Only one of the following needs to be used
-from graphql.validation import NoSchemaIntrospectionCustomRule  # graphql-core v3
-from graphene.validation import DisableIntrospection  # graphene v3
+from graphql.validation import NoSchemaIntrospectionCustomRule # graphql-core v3
+from graphene.validation import DisableIntrospection           # graphene v3
+

 app.add_url_rule("/api",
    view_func=GraphQLView.as_view(
@ -82,8 +92,9 @@ app.add_url_rule("/api",

 ==== Disabling introspection

-The GraphQL server framework should be instructed to disable introspection. This
-prevents any attempt to retrieve schema information from the server at runtime.
+The GraphQL server framework should be instructed to disable introspection in
+production environments. This prevents any attacker attempt to retrieve schema
+information from the server at runtime.

 Each GraphQL framework will have a different method of doing this, possibly
 including:
@ -118,7 +129,7 @@ ifdef::env-github,rspecator-view[]

 === Message

-Disable introspection on this GraphQL server endpoint.
+Disable GraphQL introspection on production environments.

 === Highlighting