Protection of sensitive technical information in the API
import express from 'express';
import { graphqlHTTP } from 'express-graphql';
import { buildSchema } from 'graphql';
const schema = buildSchema(`
type Query {
hello: String
}
`);
const root = {
hello: () => 'Hello, world!',
};
const app = express();
app.use(
'/graphql',
graphqlHTTP({
schema: schema,
rootValue: root,
graphiql: true,
})
);
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The vulnerability in this code is that it allows introspection queries, which can leak sensitive information about the GraphQL API schema structure. Introspection queries allow clients to query the schema itself to retrieve information about the available types, fields, and relationships.
In this code, the
graphqlHTTP middleware from the
express-graphql library is used to handle GraphQL requests. The
graphiql option is set to
true, enabling the GraphiQL interface, which allows users to explore and test the API.
By default, the GraphiQL interface includes an "Explorer" pane that allows users to browse the API schema and execute introspection queries. This means that an attacker can easily retrieve the entire GraphQL API schema structure, including all queries and mutations.
This information can be valuable to an attacker as it provides insights into the API's functionality and can help them identify potential attack vectors. For example, knowing the available mutations and their arguments can allow an attacker to craft malicious requests to modify or delete data.
To mitigate this vulnerability, the code should disable introspection queries. This can be done by setting the
introspection option of the
graphqlHTTP middleware to
false.
import express from 'express';
import { graphqlHTTP } from 'express-graphql';
import { buildSchema } from 'graphql';
const schema = buildSchema(`
type Query {
hello: String
}
`);
const root = {
hello: () => 'Hello, world!',
};
const app = express();
app.use(
'/graphql',
graphqlHTTP({
schema: schema,
rootValue: root,
introspection: false,
})
);
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The fixed code addresses the vulnerability by disabling introspection queries in the GraphQL API.
The code starts by importing the necessary modules:
express,
express-graphql, and
graphql.
Next, a GraphQL schema is built using the
buildSchema function from the
graphql module. In this example, the schema defines a single query type with a
hello field that returns a string.
A root resolver object is created with a single method
hello that returns the string "Hello, world!".
An Express application is created using
express().
The application uses the
graphqlHTTP middleware from
express-graphql to handle GraphQL requests. The middleware is configured with the created schema, root resolver, and the
introspection option set to
false. This disables introspection queries, preventing the attacker from gathering the entire GraphQL API schema structure.
The middleware is mounted on the
/graphql endpoint using
app.use().
Finally, the application listens on port 3000, and a message is logged to the console indicating that the server is running.
By disabling introspection queries, the fixed code prevents the attacker from gaining knowledge of the schema structure, reducing the risk of more dangerous attacks.