Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable introspection on prod sizing #1704

Merged
merged 2 commits into from
Nov 20, 2024
Merged

Disable introspection on prod sizing #1704

merged 2 commits into from
Nov 20, 2024

Conversation

noah-paige
Copy link
Contributor

Feature or Bugfix

Detail

  • Disable introspection on prod_sizing

Relates

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

  • Does this PR introduce or modify any input fields or queries - this includes
    fetching data from storage outside the application (e.g. a database, an S3 bucket)?
    • Is the input sanitized?
    • What precautions are you taking before deserializing the data you consume?
    • Is injection prevented by parametrizing queries?
    • Have you ensured no eval or similar functions are used?
  • Does this PR introduce any functionality or component that requires authorization?
    • How have you ensured it respects the existing AuthN/AuthZ mechanisms?
    • Are you logging failed auth attempts?
  • Are you using or adding any cryptographic features?
    • Do you use a standard proven implementations?
    • Are the used keys controlled by the customer? Where are they stored?
  • Are you introducing any new policies/roles/users?
    • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@noah-paige noah-paige self-assigned this Nov 19, 2024
@noah-paige
Copy link
Contributor Author

noah-paige commented Nov 19, 2024
edited
Loading

testing:

  • CICD Pipeline Successful
  • Updates to Env Vars in API Handler Lambda
  • Introspection Disabled (query returns error if attempt introspection with ALLOW_INTROSPECTION False - i.e. prod_sizing True)
  • Field Suggestions Disabled (query error message does not includ 'Did you mean ....?' if provided mistyped return field with ALLOW_INTROSPECTION False - prod_sizing True)

dlpzx
dlpzx reviewed Nov 20, 2024
View reviewed changes
backend/api_handler.py
ALLOW_INTROSPECTION = True if os.getenv('ALLOW_INTROSPECTION') == 'True' else False

if not ALLOW_INTROSPECTION:
did_you_mean.__globals__['MAX_LENGTH'] = 0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious, what is this doing? It is using https://graphql-core-3.readthedocs.io/en/latest/modules/pyutils.html#graphql.pyutils.did_you_mean, but what is it accessing?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this is to disable suggestions returned by the GQL server to avoid exposing fields.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes exactly - disabling field suggestions when mistyped by client

@noah-paige noah-paige merged commit f5ddf36 into main Nov 20, 2024
10 checks passed
@noah-paige noah-paige deleted the introspection-config branch November 20, 2024 12:38
@dlpzx dlpzx mentioned this pull request Dec 4, 2024
Closed
dlpzx pushed a commit that referenced this pull request Dec 5, 2024
@noah-paige @dlpzx
Disable introspection on prod sizing (#1704)
5c71242 
<!-- please choose -->
-

- Disable introspection on `prod_sizing`

- <URL or Ticket>

Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
@dlpzx dlpzx mentioned this pull request Dec 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlpzx dlpzx dlpzx approved these changes

@petrkalos petrkalos petrkalos approved these changes

Assignees

@noah-paige noah-paige

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@noah-paige @petrkalos @dlpzx