Improve Security of GraphiQL #508
Conversation
| @@ -24,41 +24,13 @@ | |||
| </head> | |||
| <body> | |||
| <script> | |||
|
|
|||
There was a problem hiding this comment.
This was me "boyscouting" to make the code more readable, but I decided it was unnecessary when I re-did these changes.
|
Might be better to fill the query into the editor, and only execute it when the button is pressed. A further security measure could be to use a warning dialogue for queries loaded from the URL when the submit button is pressed? |
|
What about using a fragment instead? |
I think these are orthogonal concerns, but I will look into doing them.
Good call, I will do this. |
We can also now return GraphiQL earlier in the request handling.
danpalmer
force-pushed
the
graphiql-no-querystring
branch
from
58e7986 to
9a5b355
Compare
|
@graingert can you re-review please. I think this implements everything you suggested, if I understood correctly. Also special cased browser refreshes so that you don't get prompted to allow the query if you're just refreshing the page (which I frequently do to refresh the schema). |
danpalmer
changed the title
| @@ -41,7 +41,7 @@ | |||
| }); | |||
| // Produce a Location query string from a parameter object. | |||
There was a problem hiding this comment.
This comment isn't quite right anymore
| var isReload = window.performance ? performance.navigation.type === 1 : false; | ||
| if (Object.keys(parameters).length | ||
| && !isReload | ||
| && !window.confirm("An untrusted query has been loaded, continue loading query?")) { |
There was a problem hiding this comment.
Might be worth including an explanation of why running an untrusted query might be a bad idea, and what damage it could cause.
Also something like "if you're not sure click cancel"
This is the Facebook devtools warning for eg:
Stop!
This is a browser feature intended for developers. If someone told you to copy and paste something here to enable a Facebook feature or "hack" someone's account, it is a scam and will give them access to your Facebook account.
See https://www.facebook.com/selfxss for more information.
|
Looks like handling untrusted input on submission will need changes in Graphiql |
This also allows the introspection query through so that the user can edit with intellisense before being prompted.
|
@graingert I'm not sure it will. I've updated with my implementation, although I'm not sure that it's perfect. |
| document.body | ||
| ); | ||
| </script> | ||
| <script src="{% static "graphene_django/graphiql.js" %}"></script> |
There was a problem hiding this comment.
Doesn't this imply graphene_django relies on staticfiles now?
There was a problem hiding this comment.
Yes. Do you think that needs documenting? I don’t know how optional it is in Django.
|
@syrusakbary could you take a look at this and let me know what you think? For what it's worth, the main issue - GraphQL queries being in the URL query-string has bitten us and we'll probably have to disable GraphiQL if we can't find a way to improve the security. |
|
Hey @danpalmer, thanks for the PR. Thanks to the way the GraphQL view is architected, mutations will not be executed if the request is coming through a GET request (meaning: someone accessing an URL from the browser). I think, rather than disabling eager GraphQL execution at all times, we can just have a flag like: graphiql_eager_execution = True / FalseThat will indicate to execute the GraphQL query in GraphiQL eagerly or not. The code for the GraphQL view / GraphiQL integration is highly inspired by how graphql-express works. Demo of GraphiQL here: https://graphql.org/swapi-graphql/ Thoughts? |
Yeah I noticed this, it's a good decision. How about we always eagerly execute queries, and prompt the user for mutations. I think it's worth being clear about the untrusted nature of the mutations.
Thanks for this, I'm not familiar with other implementations. I agree that we should try to work in a similar way, although I think the change to using a fragment rather than the query string to store the query is an important security feature - so a place where I think it's worth breaking away from their design.
Also, apologies for this, I received feedback that it could be read as much more hostile than I intended. The query string change is necessary for us to start exposing GraphiQL to other developers internally, so I'm happy to make whatever changes are necessary for this to be merged. |
The only security risk here is persuading a user to execute a mutation, which is probably not a big risk. To mitigate this risk and still keep the same UX (that is so valuable), would require more work than is proportionate for this PR.
|
@syrusakbary thanks for all the feedback on this. I've backed out the changes to query execution in GraphiQL for now as I think they need more thought, or just for the change to be made in GraphiQL itself. Updated the PR description with the features this now implements. Would be great to get this reviewed and merged! |
|
Great, will take a time to review it practically tomorrow :) |
|
This PR will make |
|
Hey, quick ping on this. I believe all feedback has been addressed and that it's ready for merge. |
|
@syrusakbary any update on this? |
|
I believe this is ready to merge and that I've addressed all review points. If there's something outstanding here please let me know – I'm happy to address! Would be nice to get this merged soon though. |
|
@jkimbo are you able to take a look and merge? |
There was a problem hiding this comment.
@danpalmer unfortunately I don't have write access so you'll have to wait on @syrusakbary
Code looks good though 👍
|
@syrusakbary ping on this. It's been hanging around for a while and I don't want it to bit rot. Also we're scaling up the number of devs working with GraphQL, so we would appreciate the security enhancements here (notably not logging the queries in webserver logs). |
|
@syrusakbary @patrick91 @grantmcconnaughey @pizzapanther @spockNinja @RadoRado Paging contributors. Apologies for the mentions but we've tried pinging and bumping this and haven't get anywhere so far. It would be a real shame for This PR is good to go, it's been reviewed, all criticism so far has been addressed (sufficiently I believe). We're more than happy to fix any additional code review points, but otherwise it would be great to get clarity on why this isn't being merged, especially as it's addressing a security vulnerability. |
|
I can approve but I don't have merge permissions, unfortunately |
|
It seems like we have quite high bus factor on this repo. Who has merge permissions? Can they be extended to other frequent contributors like @patrick91 or @jkimbo? |
|
@patrick91 it looks like you do have merge permissions? GitHub requires "1 approving review by reviewers with write access", and it's listing you under that. |
|
Even if you have GitHub permission what about pypi to publish it? |
|
@pizzapanther merging would at least prevent this PR from bitrotting and would allow people to target the master branch in their requirements if they really wanted to, so I think it would be an improvement, but yes PyPI access would be ideal. |
|
@danpalmer this is what I get, even when there's other reviews from members of the org I can push to the repo, but not on master :) |
|
Ah damn, sounds like GitHub PR review requirements and protected branches aren't fully compatible. Thanks for checking though! |
|
@syrusakbary Ping on this. Would be good to talk about the process for PRs getting merged and releases getting shipped in the long run, it would be a real shame for this package to be unmaintained. |
|
Hi @danpalmer, sorry for the long delay here. I'm working on laying out a plan for Graphene so things like this can be reviewed and merged without my explicit approval, and the project can continue growing at a healthy pace. |
|
We should call the person who did flatmap-stream on npm. Think he likes to take over projects. 🤣 |
finally! |
|
Ok, I'm starting to roll the plan. Please take a look on the main issue in Graphene to provide input and feedback into how you think Graphene can be governed in the long term :) |
|
@jkimbo thanks! |
This PR makes the following security improvements to GraphiQL in graphene-django.