Backport NoSchemaIntrospectionCustomRule from graphql@15.2.0

artsy · Sep 2, 2020 · 11bcb57 · 11bcb57
1 parent c88a896
commit 11bcb57
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 3 deletions.
diff --git a/src/index.ts b/src/index.ts
@@ -33,7 +33,9 @@ import { ErrorExtension } from "./extensions/errorExtension"
 import { LoggingExtension } from "./extensions/loggingExtension"
 import { principalFieldDirectiveExtension } from "./extensions/principalFieldDirectiveExtension"
 import { principalFieldDirectiveValidation } from "validations/principalFieldDirectiveValidation"
+import { NoSchemaIntrospectionCustomRule } from "validations/noSchemaIntrospectionCustomRule"
 import * as Sentry from "@sentry/node"
+// import { ASTVisitor } from "graphql"
 
 const {
   ENABLE_REQUEST_LOGGING,
@@ -220,7 +222,13 @@ function startApp(appSchema, path: string) {
           userAgent,
         }
 
-        const validationRules = [principalFieldDirectiveValidation]
+        const validationRules: any[] = [principalFieldDirectiveValidation]
+        if (
+          // PRODUCTION_ENV &&
+          req.headers["Authorization"] != "Bearer <SOMESECRET>"
+        )
+          validationRules.push(NoSchemaIntrospectionCustomRule)
+
         if (QUERY_DEPTH_LIMIT)
           validationRules.push(depthLimit(QUERY_DEPTH_LIMIT))
 

diff --git a/src/validations/noSchemaIntrospectionCustomRule.ts b/src/validations/noSchemaIntrospectionCustomRule.ts
@@ -0,0 +1,41 @@
+import {
+  ASTVisitor,
+  GraphQLError,
+  FieldNode,
+  ValidationContext,
+  getNamedType,
+  isIntrospectionType,
+} from "graphql"
+
+// Adapted from https://github.com/graphql/graphql-js/pull/2600.
+// TODO: replace once using graphql >=15.2.0
+
+/**
+ * Prohibit introspection queries
+ *
+ * A GraphQL document is only valid if all fields selected are not fields that
+ * return an introspection type.
+ *
+ * Note: This rule is optional and is not part of the Validation section of the
+ * GraphQL Specification. This rule effectively disables introspection, which
+ * does not reflect best practices and should only be done if absolutely necessary.
+ */
+export const NoSchemaIntrospectionCustomRule = (
+  context: ValidationContext
+): ASTVisitor => {
+  return {
+    Field(node: FieldNode) {
+      const contextType = context.getType()
+      if (!contextType) return
+      const type = getNamedType(contextType)
+      if (type && isIntrospectionType(type)) {
+        context.reportError(
+          new GraphQLError(
+            `GraphQL introspection has been disabled, but the requested query contained the field "${node.name.value}".`,
+            node
+          )
+        )
+      }
+    },
+  }
+}
diff --git a/src/validations/principalFieldDirectiveValidation.ts b/src/validations/principalFieldDirectiveValidation.ts
@@ -1,6 +1,6 @@
-import { GraphQLError, BREAK } from "graphql"
+import { GraphQLError, BREAK, ASTVisitor } from "graphql"
 
-export const principalFieldDirectiveValidation = (context) => {
+export const principalFieldDirectiveValidation = (context): ASTVisitor => {
   let directivesSeen = 0
   return {
     Directive(node) {