feat: Add configurable validation security rules #1244

Merged
merged 5 commits into from
Oct 7, 2021
Changes from 2 commits
9 changes: 9 additions & 0 deletions config/schema/graphql.schema.yml
Expand Up @@ -23,6 +23,15 @@ graphql.graphql_servers.*:
batching:
type: boolean
label: 'Batching'
disable_introspection:
type: boolean
label: 'Disable Introspection'
query_depth:
type: integer
label: 'Max query depth'
query_complexity:
type: integer
label: 'Max query complexity'
schema_configuration:
type: 'graphql.schema.[%parent.schema]'
persisted_queries_settings:
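
Review bot: The schema entries for `query_depth` and `query_complexity` are plain `integer` with only a label, so nothing here records that an unset or 0 value means the rule is off, which is how the form text ('Leave empty to set unlimited') and the truthiness checks in getValidationRules() treat them. Document that meaning next to the keys so exported config is readable on its own. The label 'Disable Introspection' is also title case while the two labels below it, and the form title 'Disable introspection', use sentence case.
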
90 changes: 88 additions & 2 deletions src/Entity/Server.php
Expand Up @@ -25,6 +25,9 @@
use GraphQL\Server\Helper;
use GraphQL\Type\Definition\ResolveInfo;
use GraphQL\Validator\DocumentValidator;
use GraphQL\Validator\Rules\DisableIntrospection;
use GraphQL\Validator\Rules\QueryComplexity;
use GraphQL\Validator\Rules\QueryDepth;

/**
* The main GraphQL configuration and request entry point.
Expand Down Expand Up @@ -59,7 +62,10 @@
* "endpoint",
* "debug_flag",
* "caching",
* "batching"
* "batching",
* "disable_introspection",
* "query_depth",
* "query_complexity"

* },
* links = {
* "collection" = "/admin/config/graphql/servers",
Expand Down Expand Up @@ -498,10 +504,90 @@ protected function getValidationRules() {
return [];
}

return array_values(DocumentValidator::defaultRules());
$rules = array_values(DocumentValidator::defaultRules());
if ($this->getDisableIntrospection()) {
$rules[DisableIntrospection::class] = new DisableIntrospection();
}
if ($this->getQueryDepth()) {
$rules[QueryDepth::class] = new QueryDepth($this->query_depth);
Contributor

ah, we forgot to add the new properties to the class and document them.

Contributor Author

@klausi, my bad, I forgot to use the appropriate getter. Added it in a new commit.

}
if ($this->getQueryComplexity()) {
$rules[QueryComplexity::class] = new QueryComplexity($this->query_complexity);
}

return $rules;
};
}

/**
* Gets disable introspection config.
*
* @return bool
* The disable introspection config, FALSE otherwise.
*/
public function getDisableIntrospection(): bool {
return (bool) $this->get('disable_introspection');
}

/**
* Sets disable introspection config.
*
* @param bool $introspection
* The value for the disable introspection config.
*
* @return $this
*/
public function setDisableIntrospection(bool $introspection) {
$this->set('disable_introspection', $introspection);
return $this;
}

/**
* Gets query depth config.
*
* @return int|null
* The query depth, NULL otherwise.
*/
public function getQueryDepth(): ?int {
return (int) $this->get('query_depth');
}

/**
* Sets query depth config.
*
* @param int $depth
* The value for the query depth config.
*
* @return $this
*/
public function setQueryDepth(int $depth) {
Contributor

type hint should be ?int so that you can disable this setting, right?

$this->set('query_depth', $depth);
return $this;
}

/**
* Gets query complexity config.
*
* @return int|null
* The query complexity, NULL otherwise.
*/
public function getQueryComplexity(): ?int {
return (int) $this->get('query_complexity');
}

/**
* Sets query complexity config.
*
* @param int $complexity
* The value for the query complexity config.
*
* @return $this
*/
public function setQueryComplexity(int $complexity) {
Contributor

same here

$this->set('query_complexity', $complexity);
return $this;
}

/**
* {@inheritDoc}
*/
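
Review bot: In getQueryDepth() and getQueryComplexity() the `(int)` cast means the method can never return NULL, although the return type is `?int` and the docblock promises "NULL otherwise"; an unset limit comes back as 0. Return the stored value unchanged when it is NULL and cast only otherwise, or change the signature and docblock to `int` and state that 0 means no limit. In getValidationRules(), `array_values()` re-indexes the default rules numerically and the security rules are then added under class-name keys, so the returned array mixes key styles; append with `$rules[] = ...` or drop the `array_values()` call. A negative configured value is truthy and would be handed to the QueryDepth and QueryComplexity constructors, so reject negative values in the setters or the form.
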
28 changes: 27 additions & 1 deletion src/Form/ServerForm.php
Expand Up @@ -87,7 +87,7 @@ public function ajaxSchemaConfigurationForm(array $form) {
*/
public function form(array $form, FormStateInterface $formState): array {
$form = parent::form($form, $formState);
/** @var \Drupal\graphql\Entity\ServerInterface $server */
/** @var \Drupal\graphql\Entity\Server $server */
$server = $this->entity;
$schemas = array_map(function ($definition) {
return $definition['name'] ?? $definition['id'];
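
Review bot: Narrowing the `@var` annotation in form() from ServerInterface to the concrete Server class ties the form to one implementation, and the getters it calls further down (`getDisableIntrospection()`, `getQueryDepth()`, `getQueryComplexity()`) are then only guaranteed on that class. Either declare the three getters on ServerInterface and keep the interface annotation, or read the values with `$server->get('query_depth')` and so on, as the form already does for `debug_flag`.
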
Expand Down Expand Up @@ -186,6 +186,32 @@ public function form(array $form, FormStateInterface $formState): array {
'#description' => $this->t('Whether caching of queries and partial results is enabled.'),
];

$form['validation'] = [
'#title' => $this->t('Validation rules'),
'#type' => 'fieldset',
];

$form['validation']['disable_introspection'] = [
'#title' => $this->t('Disable introspection'),
'#type' => 'checkbox',
'#default_value' => $server->getDisableIntrospection(),
Contributor

hm, should we use the new methods here? they might not exist if somebody has swapped out the entity class and does not inherit them. Maybe an edge case and we don't care, but I think we should use $server->get() to be on the safe side.

'#description' => $this->t('Security rule: Whether introspection should be disabled.'),
];

$form['validation']['query_depth'] = [
'#title' => $this->t('Max query depth'),
'#type' => 'number',
'#default_value' => $server->getQueryDepth(),
'#description' => $this->t('Security rule: The maximum allowed depth of nested queries. Leave empty to set unlimited.'),
];

$form['validation']['query_complexity'] = [
'#title' => $this->t('Max query complexity'),
'#default_value' => $server->getQueryComplexity(),
'#type' => 'number',
'#description' => $this->t('Security rule: The maximum allowed complexity of a query. Leave empty to set unlimited.'),
];

$debug_flags = $server->get('debug_flag') ?? 0;
$form['debug_flag'] = [
'#title' => $this->t('Debug settings'),
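
Review bot: The `query_depth` and `query_complexity` elements are `'#type' => 'number'` with no `'#min'`, so a negative limit can be submitted and saved; add `'#min'` to both so only non-negative values are accepted. Because the getters in Server.php cast to int, an unset limit is prefilled as 0 rather than an empty field, which does not match the 'Leave empty to set unlimited' description. The key order in the `query_complexity` element (`#default_value` before `#type`) also differs from the two elements above it.
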