overblog · mcg-web · Aug 6, 2018 · Aug 4, 2018 · Aug 6, 2018 · ghost
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -2,6 +2,7 @@
 
 namespace Overblog\GraphQLBundle\DependencyInjection;
 
+use GraphQL\Validator\Rules\DisableIntrospection;
 use GraphQL\Validator\Rules\QueryComplexity;
 use GraphQL\Validator\Rules\QueryDepth;
 use Overblog\GraphQLBundle\Error\ErrorHandler;
@@ -166,6 +167,7 @@ private function securitySection()
             ->children()
                 ->append($this->securityQuerySection('query_max_depth', QueryDepth::DISABLED))
                 ->append($this->securityQuerySection('query_max_complexity', QueryComplexity::DISABLED))
+                ->append($this->securityQuerySection('disable_introspection', DisableIntrospection::DISABLED))
                 ->booleanNode('handle_cors')->defaultFalse()->end()
             ->end()
         ->end();

diff --git a/DependencyInjection/OverblogGraphQLExtension.php b/DependencyInjection/OverblogGraphQLExtension.php
@@ -162,6 +162,11 @@ private function treatConfigs(array $configs, ContainerBuilder $container, $forc
 
     private function setSecurity(array $config, ContainerBuilder $container)
     {
+        if (!empty($config['security']['disable_introspection'])) {
+            $executorDefinition = $container->getDefinition($this->getAlias().'.request_executor');
+            $executorDefinition->addMethodCall('disableIntrospectionQuery');
+        }
+
         foreach ($config['security'] as $key => $value) {
             $container->setParameter(sprintf('%s.%s', $this->getAlias(), $key), $value);
         }

diff --git a/Request/Executor.php b/Request/Executor.php
@@ -7,6 +7,7 @@
 use GraphQL\Executor\Promise\PromiseAdapter;
 use GraphQL\Type\Schema;
 use GraphQL\Validator\DocumentValidator;
+use GraphQL\Validator\Rules\DisableIntrospection;
 use GraphQL\Validator\Rules\QueryComplexity;
 use GraphQL\Validator\Rules\QueryDepth;
 use Overblog\GraphQLBundle\Event\Events;
@@ -113,6 +114,11 @@ public function setMaxQueryComplexity($maxQueryComplexity)
         $queryComplexity->setMaxQueryComplexity($maxQueryComplexity);
     }
 
+    public function disableIntrospectionQuery()
+    {
+        DocumentValidator::addRule(new DisableIntrospection());
+    }
+
     /**
      * @param null|string                    $schemaName
      * @param array                          $request

diff --git a/Resources/doc/security/disable_introspection.md b/Resources/doc/security/disable_introspection.md
@@ -0,0 +1,19 @@
+Disable introspection
+=====================
+
+This bundle supports [webonyx/graphql-php validation rule to disable introspection queries](webonyx/graphql-php).
+
+Introspection is a mechanism for fetching schema structure. It is used by tools like GraphiQL for auto-completion, query validation, etc.
+
+It means that anybody can get a full description of your schema by sending a special query containing meta fields __type and __schema.
+
+If you are not planning to expose your API to the general public, it makes sense to disable this feature in production. By disabling, tools like GraphiQL won't work anymore.
+
+```yaml
+#app/config/config.yml
+overblog_graphql:
+    security:
+        disable_introspection: '%kernel.debug%'
+```
+
+Introspection is enabled by default.
diff --git a/Resources/doc/security/index.md b/Resources/doc/security/index.md
@@ -6,5 +6,6 @@ Security
 * [Fields public control](fields-public-control.md)
 * [Limiting query depth](limiting-query-depth.md)
 * [Query complexity analysis](query-complexity-analysis.md)
+* [Disable introspection](disable_introspection.md)
 
 Next step [handling errors](../error-handling/index.md)
diff --git a/Tests/Functional/App/config/disableIntrospection/config.yml b/Tests/Functional/App/config/disableIntrospection/config.yml
@@ -0,0 +1,17 @@
+imports:
+    - { resource: ../config.yml }
+    - { resource: ../connection/services.yml }
+
+overblog_graphql:
+    security:
+        disable_introspection: true
+    definitions:
+        class_namespace: "Overblog\\GraphQLBundle\\QueryComplexity\\__DEFINITIONS__"
+        schema:
+            query: Query
+            mutation: ~
+        mappings:
+            types:
+                -
+                    type: yaml
+                    dir: "%kernel.root_dir%/config/queryComplexity/mapping"
diff --git a/Tests/Functional/Security/DisableIntrospectionTest.php b/Tests/Functional/Security/DisableIntrospectionTest.php
@@ -0,0 +1,39 @@
+<?php
+
+namespace Overblog\GraphQLBundle\Tests\Functional\Security;
+
+use Overblog\GraphQLBundle\Tests\Functional\TestCase;
+
+class DisableIntrospectionTest extends TestCase
+{
+    private $introspectionQuery = <<<'EOF'
+query {
+  __schema {
+    types {
+      name
+      description
+    }
+  }
+}
+EOF;
+
+    public function testIntrospectionDisabled()
+    {
+        $expected = [
+            'errors' => [
+                [
+                    'message' => 'GraphQL introspection is not allowed, but the query contained __schema or __type',
+                    'category' => 'graphql',
+                    'locations' => [
+                        [
+                            'line' => 2,
+                            'column' => 3,
+                        ],
+                    ],
+                ],
+            ],
+        ];
+
+        $this->assertResponse($this->introspectionQuery, $expected, self::ANONYMOUS_USER, 'disableIntrospection');
+    }
+}