hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0

Hasura Core: Disabling Query Introspection does not work #8348

Open robmellett opened 2 years ago

robmellett commented 2 years ago

Version Information

Server Version: Latest / Hasura Core [v2.3.1]

Environment

Core / Running on Docker

What is the expected behaviour?

Hi there,

Could you please clarify how you are supposed to disable introspection queries on Hasura Core?

There is nowhere in the Hasura UI/console to disable it.

Keywords

hasura, core, disable introspection

What is the current behaviour?

Upon reading the available Hasura Metadata API options at https://hasura.io/docs/latest/graphql/core/api-reference/metadata-api/introspection.html, sending the following request does not disable introspection for public/guest roles.


How to reproduce the issue?

  1. Send the following json request to your Hasura endpoint at http://localhost:8080/v1/metadata

Json Payload

{
    "type": "set_graphql_schema_introspection_options",
    "args": {
        "disabled_for_roles": [
            "guest",
            "public"
        ]
    }
}

With the headers

Content-Type:  application/json
X-Hasura-Role: admin
x-hasura-admin-secret: {{your admin secret}}

  2. Hasura responds with a 200 JSON response.

    {
    "message": "success"
    }

  3. Export the Hasura metadata.

I can see that a new file, graphql_schema_introspection.yaml, has been created in the metadata directory

with the contents.

disabled_for_roles:
- guest
- public

  4. When running an introspection query as a public/guest role, you can still see introspection results.

http://localhost:8080/v1/graphql

with the headers

Content-Type: application/json
X-Hasura-Role: public

graphql payload

{
  __schema {
    queryType {
      fields {
        name
        description
      }
    }
  }
}

responds with

{
    "data": {
        "__schema": {
            "queryType": {
                "fields": [
                    // introspection results
                ]
            }
        }
    }
}


Please provide any traces or logs that could help here.

When sending an admin request to disable the introspection options

{"type":"http-log","timestamp":"2022-03-24T01:16:53.922+0000","level":"info","detail":{"operation":{"query_execution_time":0.423416126,"user_vars":{"x-hasura-role":"admin"},"request_id":"22872e9b-c2a8-4f02-9375-c4e0d7c4eabb","response_size":21,"query":{"args":{"disabled_for_roles":["guest","public"]},"type":"set_graphql_schema_introspection_options"},"request_mode":"non-graphql","request_read_time":3.833e-6},"request_id":"22872e9b-c2a8-4f02-9375-c4e0d7c4eabb","http_info":{"status":200,"http_version":"HTTP/1.1","url":"/v1/metadata","ip":"192.168.0.1","method":"POST","content_encoding":null}}}

tirumaraiselvan commented 2 years ago

This functionality is available in Hasura Cloud and EE editions only. In the open source version, this setting would be ignored.

maddygoround commented 2 years ago

This is a valid question. Our Testing team has raised this as a security concern. Please suggest a way to disable it on Hasura Core.

hongbo-miao commented 2 years ago

Hasura is an awesome project! And I can understand why the team didn't add this feature in the Hasura CE Open Source.

Just providing two ways:

First, you can enable Hasura Allow Lists.

Second, if you don't want to enable Hasura Allow Lists, for more freedom, you can put a reverse proxy such as Traefik in front and use the Disable GraphQL Introspection plugin I created. 😃

hynra commented 1 year ago

If you use Nginx as a reverse proxy and want to disable GraphQL introspection, you can use the Nginx js module and validate the request body: nginx-disable-graphql-introspection
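Both reverse-proxy suggestions above (the Traefik plugin and the njs module) come down to the same check: inspect the GraphQL request body and reject introspection for roles that should not see the schema. The following is an added example of that check, written by the editor of this page; it is not code from the Hasura project, from the Traefik plugin, or from nginx-disable-graphql-introspection. It mirrors the semantics of the `disabled_for_roles` list from the issue's metadata call, reads the role from the `x-hasura-role` header, and falls back to a configurable `unauthorizedRole` (an assumption; match it to your `HASURA_GRAPHQL_UNAUTHORIZED_ROLE`) when the header is absent. String literals and comments are stripped before matching so that a query argument such as `"__schema"` does not cause a false positive, `__typename` is deliberately not treated as introspection, and batched (array) requests are blocked if any operation in the batch is introspection. The sample request bodies are constructed for the example.

```javascript
// Added example (editor's code, not from Hasura, Traefik or the njs module):
// decide whether a GraphQL request must be rejected because it performs
// introspection on behalf of a role that is not allowed to see the schema.

// Top-level introspection entry points. `\b` keeps `__typename` from matching
// (`__type` is followed by a word character there, so no boundary).
const INTROSPECTION_FIELD = /\b__(schema|type)\b/;

// Remove GraphQL block strings, regular strings and `#` comments so that
// introspection field names inside literals are ignored.
function stripStringsAndComments(doc) {
  return doc
    .replace(/"""[\s\S]*?"""/g, '""')     // block strings
    .replace(/"(?:\\.|[^"\\\n])*"/g, '""') // regular strings (with escapes)
    .replace(/#[^\n]*/g, '');              // comments
}

// True when the GraphQL document selects __schema or __type.
function isIntrospectionQuery(doc) {
  return INTROSPECTION_FIELD.test(stripStringsAndComments(doc));
}

// Extract every `query` string from a JSON request body. Hasura accepts a
// single operation object or an array of them (batching). Returns null when
// the body is not JSON; upstream will reject such a body on its own.
function extractQueries(bodyText) {
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch (err) {
    return null;
  }
  const ops = Array.isArray(parsed) ? parsed : [parsed];
  return ops.map(op => (op && typeof op.query === 'string') ? op.query : '');
}

// Case-insensitive header lookup; proxies and clients differ in header casing.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return String(headers[key]);
  }
  return undefined;
}

// options.disabledForRoles: roles for which introspection is rejected
//   (the same list as the metadata API's `disabled_for_roles`).
// options.unauthorizedRole: role assumed when x-hasura-role is absent
//   (assumption: set it to your HASURA_GRAPHQL_UNAUTHORIZED_ROLE).
function decide(headers, bodyText, options) {
  const disabled = new Set(options.disabledForRoles.map(r => r.toLowerCase()));
  const roleHeader = headerValue(headers, 'x-hasura-role');
  const role = (roleHeader ?? options.unauthorizedRole ?? '').toLowerCase();

  if (!disabled.has(role)) {
    return { block: false, role, reason: 'role-allowed' };
  }
  const queries = extractQueries(bodyText);
  if (queries === null) {
    return { block: false, role, reason: 'body-not-json' };
  }
  const hit = queries.some(isIntrospectionQuery);
  return hit
    ? { block: true, role, reason: 'introspection' }
    : { block: false, role, reason: 'no-introspection' };
}

// Constructed sample: the exact query from the issue, sent as the public role.
const SAMPLE_OPTIONS = { disabledForRoles: ['guest', 'public'], unauthorizedRole: 'public' };
const SAMPLE_BODY = JSON.stringify({
  query: '{ __schema { queryType { fields { name description } } } }',
});

function demo() {
  return decide({ 'X-Hasura-Role': 'public' }, SAMPLE_BODY, SAMPLE_OPTIONS);
}
// demo() returns { block: true, role: 'public', reason: 'introspection' }
```

In njs this decision would sit in a `js_content` handler that answers 403 when `decide(...).block` is true and forwards to Hasura otherwise; in Traefik or any other proxy the same function applies to the buffered request body. Two caveats a reviewer should keep in mind: the proxy only sees the role header, so it cannot distinguish a role asserted by a client from one resolved from a verified JWT, which is why the list should contain every role an unauthenticated or low-trust caller can end up with; and the proxy's tokenizer is not Hasura's parser, so keep the check conservative (it strips literals and comments only) rather than trying to interpret the full document.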