Technical Information Leak - API - Elixir

Need

Prevent exposing GraphQL API Schema Structure to unauthorized users.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Absinthe for building GraphQL APIs in Elixir

Description

Non compliant code

defmodule MyAppWeb.Schema do
  use Absinthe.Schema

  query do
    # Queries defined here
  end

  mutation do
    # Mutations defined here
  end
end

# Router configuration: the default Absinthe.Plug pipeline answers the __schema and
# __type introspection fields for any caller, and GraphiQL is mounted in every
# environment, including production
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  scope "/" do
    forward "/api", Absinthe.Plug, schema: MyAppWeb.Schema
    forward "/graphiql", Absinthe.Plug.GraphiQL, schema: MyAppWeb.Schema, interface: :playground
  end
end


This code is insecure because the default Absinthe.Plug pipeline answers the GraphQL introspection fields (__schema and __type) for any caller, and the GraphiQL interface is mounted in every environment, including production. Anyone who can reach /api or /graphiql can retrieve the entire GraphQL API Schema Structure: every type, field, argument, enum value, deprecated field and description. This information leakage helps an attacker to enumerate operations that are not meant to be discovered and to craft more targeted attacks.

Steps

  • Disable introspection queries (the __schema and __type fields) in the production environment.
  • Configure Absinthe to enable introspection queries only where they are needed, for example in development and test, based on the environment or other criteria such as the caller's role.
  • Review your GraphQL server's configuration to ensure that no sensitive schema information is exposed in production: do not mount Absinthe.Plug.GraphiQL there, and keep in mind that hiding the schema does not replace per-field authorization.

Compliant code

defmodule MyAppWeb.Schema do
  use Absinthe.Schema

  query do
    # Queries defined here
  end

  mutation do
    # Mutations defined here
  end

  # Absinthe.Plug pipeline: the default phases plus the introspection guard, unless
  # `config :my_app, graphql_introspection: true` is set (dev/test config only)
  def pipeline(config, opts) do
    pipeline = Absinthe.Plug.default_pipeline(config, opts)

    if Application.get_env(:my_app, :graphql_introspection, false),
      do: pipeline,
      else: Absinthe.Pipeline.insert_before(pipeline, Absinthe.Phase.Document.Validation.Result, MyAppWeb.Schema.RejectIntrospection)
  end
end

# Validation phase: each __schema / __type field gets an error, so the query fails validation and is never executed
defmodule MyAppWeb.Schema.RejectIntrospection do
  use Absinthe.Phase

  def run(blueprint, _opts), do: {:ok, Absinthe.Blueprint.prewalk(blueprint, &reject/1)}

  defp reject(%Absinthe.Blueprint.Document.Field{name: name} = node) when name in ["__schema", "__type"] do
    error = %Absinthe.Phase.Error{phase: __MODULE__, message: "Introspection is disabled", locations: [node.source_location]}
    Absinthe.Phase.put_error(node, error)
  end

  defp reject(node), do: node
end

# Router configuration: Mix.env() is evaluated at compile time, so GraphiQL is simply not mounted in a production build
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  scope "/" do
    forward "/api", Absinthe.Plug, schema: MyAppWeb.Schema, pipeline: {MyAppWeb.Schema, :pipeline}

    if Mix.env() != :prod do
      forward "/graphiql", Absinthe.Plug.GraphiQL, schema: MyAppWeb.Schema, interface: :playground
    end
  end
end


This code is secure because introspection queries are rejected in the production environment: the custom phase attaches a GraphQL error to every __schema or __type field before Absinthe.Phase.Document.Validation.Result runs, so the document fails validation and is never executed, and the client receives a normal GraphQL error response instead of the schema. Introspection is only answered where the application is configured with graphql_introspection: true (development and test), and the GraphiQL interface is only mounted outside production, reducing the risk of information leakage. The runtime toggle is read with Application.get_env rather than Mix.env() because Mix is not available inside a release; the router check can use Mix.env() because it runs when the router is compiled. The __typename field is deliberately left alone: clients depend on it, and it reveals nothing beyond the type the query already returns. Hiding the schema is defense in depth, not access control: every field still needs its own authorization, and Absinthe's validation errors for unknown fields still include "Did you mean" suggestions that can confirm the existence of individual field names.
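The following stand-alone script, added here as an example and not part of the original page or of the Absinthe project, verifies the behaviour described above without Phoenix or HTTP: it runs introspection probes and an ordinary query through an Absinthe document pipeline with and without the guard phase and reports which results are blocked. The module names DemoSchema, RejectIntrospection and IntrospectionCheck, the one-field demo schema and the three probe queries are assumptions constructed for this example; the guard phase is a copy of the one used in the compliant code so that the script runs on its own (elixir introspection_check.exs, with Absinthe fetched by Mix.install).

```elixir
# introspection_check.exs -- run with: elixir introspection_check.exs
# Constructed example: one-field demo schema plus a copy of the introspection guard,
# executed through Absinthe.Pipeline directly (no Phoenix, no HTTP).
Mix.install([{:absinthe, "~> 1.7"}])

defmodule DemoSchema do
  use Absinthe.Schema

  query do
    field :ping, :string do
      resolve fn _args, _info -> {:ok, "pong"} end
    end
  end
end

# Same guard as the compliant code: every __schema / __type field gets a validation
# error, so Validation.Result jumps to the result phase and the query never executes.
defmodule RejectIntrospection do
  use Absinthe.Phase

  def run(blueprint, _opts), do: {:ok, Absinthe.Blueprint.prewalk(blueprint, &reject/1)}

  defp reject(%Absinthe.Blueprint.Document.Field{name: name} = node)
       when name in ["__schema", "__type"] do
    error = %Absinthe.Phase.Error{
      phase: __MODULE__,
      message: "Introspection is disabled",
      locations: [node.source_location]
    }

    Absinthe.Phase.put_error(node, error)
  end

  defp reject(node), do: node
end

defmodule IntrospectionCheck do
  # Runs `query` through the document pipeline, guarded or not, and returns the
  # GraphQL result map (%{data: ...} on success, %{errors: [...]} on failure).
  def run(query, introspection_enabled?) do
    pipeline = Absinthe.Pipeline.for_document(DemoSchema)

    pipeline =
      if introspection_enabled? do
        pipeline
      else
        Absinthe.Pipeline.insert_before(
          pipeline,
          Absinthe.Phase.Document.Validation.Result,
          RejectIntrospection
        )
      end

    {:ok, blueprint, _phases_run} = Absinthe.Pipeline.run(query, pipeline)
    blueprint.result
  end

  # True when the result carries no data and every error is the guard's message,
  # i.e. nothing about the schema was disclosed.
  def blocked?(%{errors: errors} = result) when not is_map_key(result, :data) do
    Enum.all?(errors, &(&1.message == "Introspection is disabled"))
  end

  def blocked?(_result), do: false
end

# Constructed probes: two introspection queries, and an ordinary query that also
# uses __typename, which must keep working for clients.
probes = [
  ~S|{ __schema { queryType { name } types { name } } }|,
  ~S|{ __type(name: "RootQueryType") { fields { name } } }|,
  ~S|{ ping __typename }|
]

for query <- probes do
  guarded = IntrospectionCheck.run(query, false)
  open = IntrospectionCheck.run(query, true)

  IO.puts(query)
  IO.puts("  production (guarded):  blocked=#{IntrospectionCheck.blocked?(guarded)} #{inspect(guarded)}")
  IO.puts("  development (open):    blocked=#{IntrospectionCheck.blocked?(open)} #{inspect(open)}")
end
```

Under the guard the two introspection probes come back as errors only, while { ping __typename } still resolves to data; with the guard removed all three return data. Pointing the same three probes at a deployed /api endpoint (for example with a plain HTTP client) is the production-side version of this check, and any response that contains __schema or __type data means the guard is not in the pipeline for that route.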

References