-
-
Notifications
You must be signed in to change notification settings - Fork 4.8k
fix: Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) #9819
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
🚀 Thanks for opening this pull request! |
📝 WalkthroughWalkthroughA new configuration option, Changes
Sequence Diagram(s)sequenceDiagram
participant Client
participant ApolloServer
participant IntrospectionControlPlugin
participant ParseGraphQLServer
Client->>ApolloServer: Sends GraphQL query (may include introspection)
ApolloServer->>IntrospectionControlPlugin: requestDidStart
IntrospectionControlPlugin->>IntrospectionControlPlugin: didResolveOperation
alt Public introspection disabled AND not master/maintenance user AND query is introspection
IntrospectionControlPlugin-->>ApolloServer: Throw GraphQLError (403)
ApolloServer-->>Client: Respond with 403 error
else
ApolloServer->>ParseGraphQLServer: Process query
ParseGraphQLServer-->>ApolloServer: Result
ApolloServer-->>Client: Respond with result
end
sequenceDiagram
participant AdminClient
participant ApolloServer
participant IntrospectionControlPlugin
AdminClient->>ApolloServer: Sends introspection query with master/maintenance key
ApolloServer->>IntrospectionControlPlugin: requestDidStart
IntrospectionControlPlugin->>IntrospectionControlPlugin: didResolveOperation
Note right of IntrospectionControlPlugin: Master/maintenance key detected
ApolloServer-->>AdminClient: Introspection result returned
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ast-grep (0.38.1)spec/ParseGraphQLServer.spec.js🔧 ESLint
npm warn EBADENGINE Unsupported engine { 📜 Recent review detailsConfiguration used: CodeRabbit UI 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
🎉 Snyk checks have passed. No issues have been found so far.✅ security/snyk check is complete. No issues have been found. (View Details) |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## alpha #9819 +/- ##
==========================================
- Coverage 93.00% 92.99% -0.01%
==========================================
Files 187 187
Lines 15082 15094 +12
Branches 174 174
==========================================
+ Hits 14027 14037 +10
- Misses 1043 1045 +2
Partials 12 12 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 0
🧹 Nitpick comments (3)
src/middlewares.js (1)
542-544
: Empty Redis event handlers add noise; either remove or emit debug logsThree Redis client event handlers (
connect
,reconnecting
,ready
) are registered with completely empty callbacks.
They do not contribute functional value and slightly increase cognitive load. Consider:-client.on('connect', () => { }); -client.on('reconnecting', () => { }); -client.on('ready', () => { }); +// Optional: emit debug-level logs to aid troubleshooting, or drop the listeners entirely +if (log.level === 'debug') { + client.on('connect', () => log.debug('Redis connected')); + client.on('reconnecting', () => log.debug('Redis reconnecting')); + client.on('ready', () => log.debug('Redis ready')); +}Removing no-op handlers keeps the codebase tidier; adding lightweight logging gives visibility during ops without altering behaviour.
spec/ParseGraphQLServer.spec.js (2)
6663-6663
: Fix indentation to maintain consistency.The static analysis correctly identified an indentation issue.
Apply this fix:
- object4.className.charAt(0).toLowerCase() + object4.className.slice(1) + object4.className.charAt(0).toLowerCase() + object4.className.slice(1)
11267-11285
: Fix multiple indentation issues in GraphQL type definition.The static analysis identified several indentation issues that need to be corrected.
Apply this fix:
const SomeClassType = new GraphQLObjectType({ - name: 'SomeClass', - fields: { - nameUpperCase: { - type: new GraphQLNonNull(GraphQLString), - resolve: p => p.name.toUpperCase(), + name: 'SomeClass', + fields: { + nameUpperCase: { + type: new GraphQLNonNull(GraphQLString), + resolve: p => p.name.toUpperCase(), }, - type: { type: TypeEnum }, - language: { - type: new GraphQLEnumType({ - name: 'LanguageEnum', - values: { - fr: { value: 'fr' }, - en: { value: 'en' }, - }, - }), - resolve: () => 'fr', - }, - }, - }), + type: { type: TypeEnum }, + language: { + type: new GraphQLEnumType({ + name: 'LanguageEnum', + values: { + fr: { value: 'fr' }, + en: { value: 'en' }, + }, + }), + resolve: () => 'fr', + }, + }, + }),
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (8)
spec/ParseGraphQLServer.spec.js
(17 hunks)spec/SecurityCheckGroups.spec.js
(3 hunks)src/GraphQL/ParseGraphQLServer.js
(3 hunks)src/Options/Definitions.js
(1 hunks)src/Options/docs.js
(1 hunks)src/Options/index.js
(1 hunks)src/Security/CheckGroups/CheckGroupServerConfig.js
(1 hunks)src/middlewares.js
(1 hunks)
🧰 Additional context used
🧠 Learnings (2)
spec/SecurityCheckGroups.spec.js (3)
Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.
Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.
Learnt from: mtrezza
PR: parse-community/parse-server#9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.
spec/ParseGraphQLServer.spec.js (4)
undefined
<retrieved_learning>
Learnt from: RahulLanjewar93
PR: #9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.
</retrieved_learning>
<retrieved_learning>
Learnt from: mtrezza
PR: #9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with done()
.
</retrieved_learning>
<retrieved_learning>
Learnt from: mtrezza
PR: #9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with done()
. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.
</retrieved_learning>
<retrieved_learning>
Learnt from: mtrezza
PR: #9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with done()
. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.
</retrieved_learning>
🪛 Biome (1.9.4)
src/Options/index.js
[error] 309-309: Expected a statement but instead found '?'.
Expected a statement here.
(parse)
🪛 GitHub Check: Lint
spec/ParseGraphQLServer.spec.js
[failure] 6663-6663:
Expected indentation of 16 spaces but found 14
[failure] 11275-11275:
Expected indentation of 16 spaces but found 14
[failure] 11274-11274:
Expected indentation of 14 spaces but found 12
[failure] 11273-11273:
Expected indentation of 14 spaces but found 12
[failure] 11272-11272:
Expected indentation of 14 spaces but found 12
[failure] 11271-11271:
Expected indentation of 16 spaces but found 14
[failure] 11270-11270:
Expected indentation of 16 spaces but found 14
[failure] 11269-11269:
Expected indentation of 14 spaces but found 12
[failure] 11268-11268:
Expected indentation of 12 spaces but found 10
[failure] 11267-11267:
Expected indentation of 12 spaces but found 10
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
- GitHub Check: Node 20
- GitHub Check: PostgreSQL 16, PostGIS 3.5
- GitHub Check: PostgreSQL 17, PostGIS 3.5
- GitHub Check: PostgreSQL 15, PostGIS 3.4
- GitHub Check: PostgreSQL 15, PostGIS 3.3
- GitHub Check: Redis Cache
- GitHub Check: PostgreSQL 15, PostGIS 3.5
- GitHub Check: Node 18
- GitHub Check: MongoDB 8, ReplicaSet
- GitHub Check: MongoDB 7, ReplicaSet
- GitHub Check: MongoDB 6, ReplicaSet
- GitHub Check: Docker Build
🔇 Additional comments (16)
src/Options/docs.js (1)
56-57
: Docs addition looks good
graphQLPublicIntrospection
is documented with defaultfalse
, matching implementation.src/Options/Definitions.js (1)
295-300
: Definition aligns with docs; ensure security check updatedThe new
graphQLPublicIntrospection
option is correctly wired with env var, boolean parser and defaultfalse
.
Confirm thatCheckGroupServerConfig
(or equivalent) flags this when set totrue
, to keep hardening consistent.src/Options/index.js (1)
309-312
: LGTM!The new
graphQLPublicIntrospection
configuration option is well-implemented with secure defaults (false) and proper documentation.spec/SecurityCheckGroups.spec.js (1)
36-36
: Tests correctly verify the new security check behavior.The tests properly validate that the security check passes when
graphQLPublicIntrospection
is false and fails when it's true, following the existing test patterns.Also applies to: 45-45, 52-52, 61-61
src/Security/CheckGroups/CheckGroupServerConfig.js (1)
83-92
: Security check implementation is well-structured and informative.The check correctly validates that GraphQL public introspection is disabled and provides clear guidance on the security implications and required configuration changes.
src/GraphQL/ParseGraphQLServer.js (2)
16-52
: Plugin implementation effectively controls GraphQL introspection access.The
IntrospectionControlPlugin
correctly restricts introspection based on configuration and user authorization. The string-based detection approach for__schema
is a reasonable performance trade-off, as acknowledged in the comments.
107-108
: Apollo Server configuration properly integrates the introspection control.The dynamic
introspection
setting and the addition of theIntrospectionControlPlugin
work together to enforce the configured introspection policy.spec/ParseGraphQLServer.spec.js (9)
53-53
: LGTM - Maintenance key configuration added.The addition of
maintenanceKey
to the server configuration is appropriate for testing the new introspection control functionality.
92-93
: Minor: Consistent arrow function usage.
128-128
: Minor: Consistent arrow function usage.
435-435
: Well-designed test helper enhancement.The addition of
parseGraphQLServerOptions
parameter and the use of spread operator to merge options provides good flexibility for testing different GraphQL server configurations.Also applies to: 452-452
493-494
: Good practice - Suppressing console output in tests.Adding spies for console methods prevents cluttered test output.
610-697
: Excellent test coverage for introspection control.The test suite comprehensively covers all aspects of the new introspection control functionality:
- Default disabled behavior
- Master key authorization
- Maintenance key authorization
- Explicit public introspection enablement
The tests properly use async/await patterns as per the codebase standards.
844-848
: Consistent authorization headers added.All introspection queries now properly include master key headers in the context, which is necessary for the new introspection access control.
Also applies to: 880-884, 1417-1421
969-969
: Minor: Consistent arrow function usage.Also applies to: 991-991
7557-7557
: Minor: Consistent arrow function usage.Also applies to: 7559-7559, 7598-7598, 7602-7602, 7668-7668, 7670-7670
## [8.2.2-alpha.1](8.2.1...8.2.2-alpha.1) (2025-07-10) ### Bug Fixes * Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) ([#9819](#9819)) ([c58b2eb](c58b2eb))
🎉 This change has been released in version 8.2.2-alpha.1 |
## [8.2.2](8.2.1...8.2.2) (2025-07-10) ### Bug Fixes * Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) ([#9819](#9819)) ([c58b2eb](c58b2eb))
🎉 This change has been released in version 8.2.2 |
Fixes security vulnerability GHSA-48q3-prgv-gm4w