Create allow list for the event when introspection is blocked but developers

really want to use certain subqueries.
2023-10-15 10:01:23 +01:00
parent 29ffb8a817
commit 2a0302ab75
4 changed files with 28 additions and 2 deletions
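--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -96,7 +96,15 @@ func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cache
 if cfg.Security.BlockIntrospection {
 for _, s := range oper.SelectionSet.Selections {
 for _, s2 := range s.GetSelectionSet().Selections {
-if _, exists := retrospectionQuerySet[s2.(*ast.Field).Name.Value]; exists {
+if _, exists := retrospectionQuerySet[strings.ToLower(s2.(*ast.Field).Name.Value)]; exists {
+if len(cfg.Security.IntrospectionAllowed) > 0 {
+for _, introspectionQueryAllowed := range cfg.Security.IntrospectionAllowed {
+if strings.EqualFold(strings.ToLower(introspectionQueryAllowed), strings.ToLower(s2.(*ast.Field).Name.Value)) {
+cfg.Logger.Debug("Introspection query allowed, passing through", m)
+return
+}
+}
+}
 cfg.Logger.Warning("Introspection query blocked", m)
 cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
 c.Status(403).SendString("Introspection queries are not allowed")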
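Review bot: The `return` after the "Introspection query allowed" debug log leaves parseGraphQLQuery as soon as one allow-listed field is found, so every later selection in the same query is never compared against retrospectionQuerySet and the 403 path below is skipped for it; an allow-list match should only skip the current selection. Label the inner loop `next: for _, s2 := range s.GetSelectionSet().Selections {` and replace the `return` with `continue next`, which also avoids a naked return from a function with named results before the remainder of the body has run. The `strings.ToLower` calls wrapped in `strings.EqualFold` are redundant because EqualFold already folds case: `if strings.EqualFold(introspectionQueryAllowed, s2.(*ast.Field).Name.Value) {`. The single-value assertion `s2.(*ast.Field)` on the new lines panics if a selection is not a `*ast.Field`; a two-value assertion with a `continue` on `!ok` would let such selections fall through safely. parseGraphQLQuery's signature and the rest of its body are outside the hunk, so what the early return leaves unset cannot be confirmed from here.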