Merge #2348

2348: add middleware to disable introspection query r=tiftran a=tiftran used https://docs.graphene-python.org/en/v2.1.8/execution/middleware/ as reference Co-authored-by: Tif Tran <ttran@mozilla.com>
mozilla · Jun 19, 2023 · 5437bc3 · 5437bc3
2 parents 27ab5ed + 400799a
commit 5437bc3
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 4 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -38,7 +38,7 @@ jobs:
           command: pip install -U poetry
       - run:
           name: Install python dependencies
-          command: poetry install --no-dev --no-interaction --verbose
+          command: poetry install --no-dev --no-interaction --verbose --no-ansi
       - restore_cache:
           keys:
             - v2-dependencies-{{ checksum "yarn.lock" }}
@@ -145,7 +145,7 @@ jobs:
             echo "source ~/venv/bin/activate" >> $BASH_ENV
       - run:
           name: Install requirements
-          command: poetry install --extras docs --no-interaction --verbose
+          command: poetry install --extras docs --no-interaction --verbose --no-ansi
       - run:
           name: Build docs
           command: |
@@ -209,7 +209,7 @@ jobs:
             echo "source ~/venv/bin/activate" >> $BASH_ENV
       - run:
           name: Install python dependencies
-          command: poetry install --no-dev --no-interaction --verbose
+          command: poetry install --no-dev --no-interaction --verbose --no-ansi
       - run:
           name: Install node dependencies
           command: yarn install --frozen-lockfile

diff --git a/normandy/schema.py b/normandy/schema.py
@@ -9,4 +9,25 @@ class NormandyQuery(BaseQuery, RecipesQuery, StudiesQuery, graphene.ObjectType):
     pass
 
 
+class DisableIntrospectionMiddleware:
+    """
+    This class hides the introspection. As it is best practice to not allow introspection queries
+    in production. ref: https://docs.graphene-python.org/en/latest/execution/queryvalidation/#disable-introspection
+    """
+
+    def resolve(self, next, root, info, **kwargs):
+        # introspection fields taken from https://graphql.org/learn/introspection/
+        if info.field_name.lower() in [
+            "__Schema",
+            "__Type",
+            "__TypeKind",
+            "__Field",
+            "__InputValue",
+            "__EnumValue",
+            "__Directive",
+        ]:
+            return None
+        return next(root, info, **kwargs)
+
+
 schema = graphene.Schema(query=NormandyQuery)
diff --git a/normandy/settings.py b/normandy/settings.py
@@ -102,7 +102,12 @@ class Core(Configuration):
         "DEFAULT_VERSIONING_CLASS": "rest_framework.versioning.NamespaceVersioning",
     }
 
-    GRAPHENE = {"SCHEMA": "normandy.schema.schema"}
+    GRAPHENE = {
+        "SCHEMA": "normandy.schema.schema",
+        "MIDDLEWARE": [
+            "normandy.schema.DisableIntrospectionMiddleware",
+        ],
+    }
 
     # Content Security Policy
     def CSP_DEFAULT_SRC(self):