fix: block introspection queries in production mode

This commit is contained in:
Vikram Rangnekar 2020-04-20 02:06:58 -04:00
parent 966aa9ce8c
commit 0a02bde219
2 changed files with 23 additions and 12 deletions


@ -160,15 +160,24 @@ type Result struct {
// In developer mode all names queries are saved into a file `allow.list` and in production mode only // In developer mode all names queries are saved into a file `allow.list` and in production mode only
// queries from this file can be run. // queries from this file can be run.
func (sg *SuperGraph) GraphQL(c context.Context, query string, vars json.RawMessage) (*Result, error) { func (sg *SuperGraph) GraphQL(c context.Context, query string, vars json.RawMessage) (*Result, error) {
// try to use the sg.Engine to execute introspection queries... var res Result
res := sg.Engine.ExecuteOne(&graphql.EngineRequest{ Query: query})
if res.Error()==nil { res.op = qcode.GetQType(query)
r := &Result{} res.name = allow.QueryName(query)
r.Data = res.Data
return r, nil // use the chirino/graphql library for introspection queries
// disabled when allow list is enforced
if !sg.conf.UseAllowList &&
res.op == qcode.QTQuery &&
res.name == "IntrospectionQuery" {
r := sg.Engine.ExecuteOne(&graphql.EngineRequest{Query: query})
res.Data = r.Data
return &res, r.Error()
} }
ct := scontext{Context: c, sg: sg, query: query, vars: vars} ct := scontext{Context: c, sg: sg, query: query, vars: vars, res: res}
if len(vars) <= 2 { if len(vars) <= 2 {
ct.vars = nil ct.vars = nil
@ -180,9 +189,6 @@ func (sg *SuperGraph) GraphQL(c context.Context, query string, vars json.RawMess
ct.role = "anon" ct.role = "anon"
} }
ct.res.op = qcode.GetQType(query)
ct.res.name = allow.QueryName(query)
data, err := ct.execQuery() data, err := ct.execQuery()
if err != nil { if err != nil {
return &ct.res, err return &ct.res, err
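Review bot: The early-return branch ending in `return &res, r.Error()` hands back a Result whose `res.Data` is already populated even when the engine reports an error, so a caller that only checks `err` still receives partial data; assign `res.Data` only on success, e.g. `if err := r.Error(); err != nil { return &res, err }` before `res.Data = r.Data`. The branch is selected by `res.name`, which `allow.QueryName` derives from the client-supplied query text, so any operation the client names `IntrospectionQuery` is routed to the chirino engine; that is acceptable only because the `!sg.conf.UseAllowList` gate already means enforcement is off, and a comment saying so would keep a later reader from treating the name as trusted. The commit title speaks of production mode while the gate is on `UseAllowList`; if those two settings can differ in this configuration, introspection is still served in production whenever the allow list is not enforced, which is worth confirming or gating on both. The same literal `"IntrospectionQuery"` is compared again in apiV1 in the second file, so a shared constant would keep the two in step. GraphQL's body continues past the second hunk.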


@ -74,9 +74,14 @@ func apiV1(w http.ResponseWriter, r *http.Request) {
return return
} }
doLog := true
res, err := sg.GraphQL(ct, req.Query, req.Vars) res, err := sg.GraphQL(ct, req.Query, req.Vars)
if logLevel >= LogLevelDebug { if !conf.Production && res.QueryName() == "IntrospectionQuery" {
doLog = false
}
if doLog && logLevel >= LogLevelDebug {
log.Printf("DBG query %s: %s", res.QueryName(), res.SQL()) log.Printf("DBG query %s: %s", res.QueryName(), res.SQL())
} }
@ -87,7 +92,7 @@ func apiV1(w http.ResponseWriter, r *http.Request) {
json.NewEncoder(w).Encode(res) json.NewEncoder(w).Encode(res)
if logLevel >= LogLevelInfo { if doLog && logLevel >= LogLevelInfo {
zlog.Info("success", zlog.Info("success",
zap.String("op", res.Operation()), zap.String("op", res.Operation()),
zap.String("name", res.QueryName()), zap.String("name", res.QueryName()),