Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add NoSchemaIntrospectionCustomRule #2600

Merged
merged 1 commit into from Jun 20, 2020
Merged

Add NoSchemaIntrospectionCustomRule #2600

merged 1 commit into from Jun 20, 2020

Conversation

danielrearden
Copy link
Contributor

@IvanGoncharov IvanGoncharov added the PR: feature 🚀 requires increase of "minor" version number label Jun 2, 2020
@IvanGoncharov
Copy link
Member

@danielrearden Thanks, looks very tidy and match the style of other rules 👍

I give it more though and technically __typename is also introspection field so we can't call it NoIntrospectionFields 😞
Also, we have other fields that can leak similar info for example Apollo federation has _service that returns SDL.
So I more incline towards more generic rules like:

Also, I think in this case being able to customize error messages would be very helpful.

But I'm not sure if I'm overcomplicating it or not so I need more time to think.
Meanwhile, if you have time you can work on #2601 which is very similar to this one.

@IvanGoncharov
Copy link
Member

@danielrearden Actually scratch it this rule is very short so config for the more generic rule would be more longer that rule itself.
So back the initial question, __typename is also introspection field so we need to change rule name.
How about BanIntrospectionQueriesRule?

@danielrearden
Copy link
Contributor Author

How about BanIntrospectionQueriesRule?

@IvanGoncharov That makes sense. Would NoIntrospectionQueriesRule be more inline with the existing rule names?

@IvanGoncharov
Copy link
Member

Would NoIntrospectionQueriesRule be more inline with the existing rule names?

@danielrearden Generally, yes. But in this case, we forbid something that is totally valid and you ban it because of your own preference/requirements not even because it represents best practice.
Speaking of this can you please expand description with some strong wording asking not to use this rule unless it's absolutely necessary.

@danielrearden danielrearden changed the title Add NoIntrospectionFieldsRule Add ProhibitIntrospectionQueriesRule Jun 3, 2020
@danielrearden
Copy link
Contributor Author

@IvanGoncharov

  • Changed name to ProhibitIntrospectionQueriesRule
  • Updated rule logic to just check the field type
  • Moved rule to /rules/optional
  • Updated comment to include usage warning
  • Added test for non-standard introspection fields -- ended up using expectValidationRulesWithSchema anyway so I wouldn't have to touch the harness schema
  • Had to build schema programmatically since buildSchema doesn't support using introspection types for fields

The use of introspection types with user-defined fields is unconventional but I don't believe it's prohibited by the spec. Since the rule just tests the field's type, it's possible it would also throw in the event a non-standard introspection field like that was requested. I think that behavior lines up with the intent behind the rule.

@danielrearden danielrearden force-pushed the no-introspection-rule branch 2 times, most recently from e95cc70 to f291cf3 Compare June 3, 2020 02:19
@danielrearden
Copy link
Contributor Author

@IvanGoncharov Ok, that should be all of it 😓

IvanGoncharov
IvanGoncharov reviewed Jun 3, 2020
View reviewed changes
.vscode/settings.json Outdated Show resolved Hide resolved
@IvanGoncharov
Copy link
Member

IvanGoncharov commented Jun 4, 2020
edited

@danielrearden Forget about this one.
But it too late in my timezone so I will go to 🛌 and will check it tomorrow.

P.S. It's totally okay to ping in comments after you addressed all review comments.
Moreover actually makes my life easier since I don't need to check all current PRs to see their statuses 😄

@danielrearden danielrearden changed the title Add ProhibitIntrospectionQueriesRule Add NoSchemaIntrospectionCustomRule Jun 6, 2020
IvanGoncharov
IvanGoncharov reviewed Jun 20, 2020
View reviewed changes
src/validation/__tests__/NoSchemaIntrospectionCustomRule-test.js Outdated
},
},
}),
});
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danielrearden I merged #2608 so now buildSchema should work fine can you please use it instead.

@IvanGoncharov IvanGoncharov merged commit 00077f1 into graphql:master Jun 20, 2020
@joeyAghion joeyAghion mentioned this pull request Sep 2, 2020
Merged
joeyAghion added a commit to joeyAghion/metaphysics that referenced this pull request Sep 2, 2020
@joeyAghion
Backport NoSchemaIntrospectionCustomRule from graphql@15.2.0
1688b5e 
This rule is adapted from graphql/graphql-js#2600
and should be replaced once using graphql >=15.2.0.

Co-authored by: dzucconi <mail@damonzucconi.com>
joeyAghion added a commit to joeyAghion/metaphysics that referenced this pull request Sep 2, 2020
@joeyAghion
Backport NoSchemaIntrospectionCustomRule from graphql@15.2.0
8da24c7 
This rule is adapted from graphql/graphql-js#2600
and should be replaced once using graphql >=15.2.0.

Co-authored by: dzucconi <mail@damonzucconi.com>
@snyk-bot snyk-bot mentioned this pull request Apr 17, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@IvanGoncharov IvanGoncharov IvanGoncharov left review comments

Assignees
No one assigned
Labels
PR: feature 🚀 requires increase of "minor" version number
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@danielrearden @IvanGoncharov