Modify S6786(python): Improve description (#3792)
This commit is contained in:
Loris S
GitHub
parent
e7bcbd7691
commit
6197098897
@ -1,5 +1,5 @@
|
||||
{
|
||||
"title": "GraphQL introspection should not be allowed",
|
||||
"title": "GraphQL introspection should be disabled in production",
|
||||
"type": "VULNERABILITY",
|
||||
"status": "ready",
|
||||
"remediation": {
|
||||
|
||||
@ -9,7 +9,11 @@ GraphQL introspection is a feature that allows client applications to query the
|
||||
schema of a GraphQL API at runtime. It provides a way for developers to explore
|
||||
and understand the available data and operations supported by the API.
|
||||
|
||||
While this feature is useful, it also creates risks if not properly secured.
|
||||
This feature is a diagnostic tool that should only be used in the development
|
||||
phase as its presence also creates risks.
|
||||
|
||||
Clear documentation and API references should be considered better
|
||||
discoverability tools for a public GraphQL API.
|
||||
|
||||
=== What is the potential impact?
|
||||
|
||||
@ -59,12 +63,18 @@ app.add_url_rule("/api",
|
||||
|
||||
==== Compliant solution
|
||||
|
||||
Make sure that introspection is disabled in production environments. You can use
|
||||
the following code sample as a reference, in conjunction with your own methods
|
||||
for distinguishing between production and non-production environments.
|
||||
|
||||
[source,python,diff-id=1,diff-type=compliant]
|
||||
----
|
||||
from graphql_server.flask import GraphQLView
|
||||
|
||||
# Only one of the following needs to be used
|
||||
from graphql.validation import NoSchemaIntrospectionCustomRule # graphql-core v3
|
||||
from graphene.validation import DisableIntrospection # graphene v3
|
||||
from graphql.validation import NoSchemaIntrospectionCustomRule # graphql-core v3
|
||||
from graphene.validation import DisableIntrospection # graphene v3
|
||||
|
||||
|
||||
app.add_url_rule("/api",
|
||||
view_func=GraphQLView.as_view(
|
||||
@ -82,8 +92,9 @@ app.add_url_rule("/api",
|
||||
|
||||
==== Disabling introspection
|
||||
|
||||
The GraphQL server framework should be instructed to disable introspection. This
|
||||
prevents any attempt to retrieve schema information from the server at runtime.
|
||||
The GraphQL server framework should be instructed to disable introspection in
|
||||
production environments. This prevents any attacker attempt to retrieve schema
|
||||
information from the server at runtime.
|
||||
|
||||
Each GraphQL framework will have a different method of doing this, possibly
|
||||
including:
|
||||
@ -118,7 +129,7 @@ ifdef::env-github,rspecator-view[]
|
||||
|
||||
=== Message
|
||||
|
||||
Disable introspection on this GraphQL server endpoint.
|
||||
Disable GraphQL introspection on production environments.
|
||||
|
||||
=== Highlighting
|
||||
|
||||
@ -126,4 +137,4 @@ Highlight the method or constructor call that is used to create the GraphQL
|
||||
framework's request handler.
|
||||
|
||||
'''
|
||||
endif::env-github,rspecator-view[]
|
||||
endif::env-github,rspecator-view[]
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user