feat: Add configurable validation security rules #1244
Conversation
- Disable introspection - Query depth - Query complexity
src/Entity/ServerInterface.php
Outdated
| * @return bool | ||
| * The disable introspection config, FALSE otherwise. | ||
| */ | ||
| public function getDisableIntrospection(); |
There was a problem hiding this comment.
we should not change the interface at this point because graphql 4.0 has already been released.
Can we only do the changes on the Server class?
config/schema/graphql.schema.yml
Outdated
| type: integer | ||
| label: 'Max query depth' | ||
| query_complexity: | ||
| type: number |
There was a problem hiding this comment.
does number exist? should also be integer?
src/Entity/Server.php
Outdated
| /** | ||
| * {@inheritdoc} | ||
| */ | ||
| public function getDisableIntrospection() { |
There was a problem hiding this comment.
we should add return type hints to the helpers, bool here
src/Entity/Server.php
Outdated
| /** | ||
| * {@inheritdoc} | ||
| */ | ||
| public function setDisableIntrospection($introspection) { |
|
@klausi , implemented CRs. |
src/Entity/Server.php
Outdated
| * | ||
| * @return $this | ||
| */ | ||
| public function setQueryDepth(int $depth) { |
There was a problem hiding this comment.
type hint should be ?int so that you can disable this setting, right?
src/Entity/Server.php
Outdated
| * | ||
| * @return $this | ||
| */ | ||
| public function setQueryComplexity(int $complexity) { |
src/Entity/Server.php
Outdated
| $rules[DisableIntrospection::class] = new DisableIntrospection(); | ||
| } | ||
| if ($this->getQueryDepth()) { | ||
| $rules[QueryDepth::class] = new QueryDepth($this->query_depth); |
There was a problem hiding this comment.
ah, we forgot to add the new properties to the class and document them.
There was a problem hiding this comment.
@klausi , my bad, I forgot to use the appropriate getter. Added it in a new commit.
src/Form/ServerForm.php
Outdated
| $form['validation']['disable_introspection'] = [ | ||
| '#title' => $this->t('Disable introspection'), | ||
| '#type' => 'checkbox', | ||
| '#default_value' => $server->getDisableIntrospection(), |
There was a problem hiding this comment.
hm, should we use the new methods here? they might not exist if somebody has swapped out the entity class and does not inherit them. Maybe an edge case and we don't care, but I think we should use $server->get() to be on the safe side.
…ix server setters and fix rules logic.
| * "batching", | ||
| * "disable_introspection", | ||
| * "query_depth", | ||
| * "query_complexity" |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
|
Tests are failing, but does not look related to this issue. |
| public $disable_introspection = FALSE; | ||
|
|
||
| /** | ||
| * The query complexity. |
There was a problem hiding this comment.
Should be similar to the form description like "The maximum allowed query complexity, NULL means unlimited."
| public $query_complexity = NULL; | ||
|
|
||
| /** | ||
| * The query depth. |
* 8.x-4.x: fix(dataproducer): Fix language definition to be single value in entity reference producers (drupal-graphql#1241) docs(server): Improved class property descriptions feat(server): Add configurable validation security rules for introspection and query complexity (drupal-graphql#1244) tests(buffer): Fix ArryObject usage to not depend on Zend (drupal-graphql#1247) test(phpstan): Add missing return type hint fix(file-upldoad): Validate files in the correct order fix(DataProducer): Fix entity reference loading by language (drupal-graphql#1232) tests(assertions): Implement leaked metadata detection for QueryResultAssertionTrait (drupal-graphql#1207) tests(github): Switch testing to Drupal core 9.2.x (drupal-graphql#1215) chore(voyager): yarn audit security updates (drupal-graphql#1214) test(phpstan): Enable PHPStan run on PHP 8.0 (drupal-graphql#1211) refactor(executor): Replace deprecated AST::getOperation() with AST::getOperationAST() (drupal-graphql#1210) fix(executor): Remove swapped errors compatibility mode
…ction and query complexity (drupal-graphql#1244)
This is just simplified version of the #1239 according to the discussion - #1239 (comment)
Scope:
Provides new config values and getters, setters for them.
Add configurable validation security rules: