Blocking introspection queries.

2026-06-05 23:03:48 +00:00 · 2023-10-08 18:07:24 +01:00
parent eee6016b5a
commit 3ac7c115aa
8 changed files with 62 additions and 4 deletions
@@ -4,10 +4,34 @@ import (
 	fiber "github.com/gofiber/fiber/v2"
 	"github.com/graphql-go/graphql/language/ast"
 	"github.com/graphql-go/graphql/language/parser"
+	"github.com/k0kubun/pp"
 	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
 )

-func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cacheRequest bool) {
+var retrospection_queries = []string{
+	"__schema",
+	"__type",
+	"__typename",
+	"__directive",
+	"__directivelocation",
+	"__field",
+	"__inputvalue",
+	"__enumvalue",
+	"__typekind",
+	"__fieldtype",
+	"__inputobjecttype",
+	"__enumtype",
+	"__uniontype",
+	"__scalars",
+	"__objects",
+	"__interfaces",
+	"__unions",
+	"__enums",
+	"__inputobjects",
+	"__directives",
+}
+
+func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cacheRequest bool, should_block bool) {
 	m := make(map[string]interface{})
 	err := json.Unmarshal(c.Body(), &m)
 	if err != nil {
@@ -44,7 +68,24 @@ func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cache
 					cacheRequest = true
 				}
 			}
+			if cfg.Security.BlockIntrospection {
+				for _, s := range oper.SelectionSet.Selections {
+					for _, s2 := range s.GetSelectionSet().Selections {
+						pp.Println(s2.(*ast.Field).Name.Value)
+						for _, introspection_query := range retrospection_queries {
+							if s2.(*ast.Field).Name.Value == introspection_query {
+								cfg.Logger.Warning("Introspection query blocked", m)
+								cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
+								c.Status(403).SendString("Introspection queries are not allowed")
+								should_block = true
+								return
+							}
+						}
+					}
+				}
+			}
 		}
 	}
+
 	return
 }