Closed misohouse closed 7 months ago
nino-filigran
commented
7 months ago @misohouse could you be more explicit regarding "security reasons", since as you have mentioned, if you do not have the proper rights, you would not see this?
Reading through your ticket makes me also think: would you see this as a capability, that you would grant to only to certain users (such as admin or senior analysts), or more a platform config, that you can turn on/off for all your users?
misohouse
commented
7 months ago @nino-filigran
First, there is the possibility of being vulnerable to SQL Injection type of attacks by exposing the table structure.
Also, due to the nature of GraphQL, where there are no restrictions on the query string, there is the possibility of accessing more information than you are authorized to due to permissions issues.
Furthermore, if API calls from multiple users or multiple queries are executed via GraphQL, there is a possibility of DB server availability issues.
Finally, there is the possibility of increasing the workload of security staff, such as managing API permissions or GraphQL permissions and monitoring usage.
Therefore, I don't think it's necessary to take these security risks and expose API features and Playgreound to general users.
It would be nice if this could be changed so that users can only see these screens if an administrator grants them permission.
nino-filigran
commented
7 months ago @misohouse thanks for your response.
I've passed on your feedback to our devs which were a bit skeptical regarding the potential risks addressed here.
Indeed, given that there's no SQL, the SQL injection does not seem relevant to the team. Additionally, it's our team's job to ensure that the user rights are in place at a low level (elastic) and therefore, you are not able to access any data you should not. If you can provide me with an example of data you can fetch that you have no rights to see, we'll be happy to investigate and correct this. Regarding availability issues or workload, it's not something that seem to pose any risk on our side.
As a result, it's not a feature that we're considering. If for whatever reason though you do find any evidence of the risks you have mentioned, we'll be the first ones to jump on it and investigate.
Feel free to re-open if you disagree with this or if you have any other comment.
richard-julien
commented
7 months ago Hi @misohouse,
I understand your concern about security and to open the graphql schema introspection queries. Introspection allow user to have autocompletion in the playground and so simplify the understanding of the API. However if you want to prevent that you can totally disable this.
If you want to disable completely the playground, you can configure to enable = false the playground. You can also just disable the introspection by putting true to force_disabled_introspection
"app": {
"graphql": {
"armor_enabled": false,
"playground": {
"enabled": true,
"force_disabled_introspection": false
}
}
}We also have the option armor_enabled to put to true to protect ddos and depth queries but for now its experimental.
Currently, the API and playground are accessible from the user profile change screen with minimal permissions.
I find this very risky for security reasons, is it possible to disable this menu or make it invisible altogether?
Of course, you don't see much information because you're not given any permissions, but even so, I don't think it's necessary to open this up to the general public.