Technical Information Leak - API
Need
Prevent exposing GraphQL API Schema Structure to unauthorized users.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Absinthe for building GraphQL APIs in Elixir
Description
Non compliant code
defmodule MyAppWeb.Schema do
  use Absinthe.Schema

  query do
    # Queries defined here
  end

  mutation do
    # Mutations defined here
  end
end

# Router configuration: Absinthe.Plug.GraphiQL is a plug and is mounted with
# `forward` in the router (the `socket` macro in the endpoint expects a
# Phoenix.Socket module). Here GraphiQL is mounted unconditionally.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  forward "/api", Absinthe.Plug, schema: MyAppWeb.Schema
  forward "/graphiql", Absinthe.Plug.GraphiQL, schema: MyAppWeb.Schema
end
This code is insecure because the GraphiQL interface, and with it introspection queries, is mounted unconditionally, so anyone who can reach the endpoint can retrieve the entire GraphQL API schema structure in every environment, including production. This information leakage helps an attacker craft more targeted attacks.
Steps
- Disable introspection queries in the production environment.
- Configure Absinthe to conditionally enable introspection queries based on the environment or other criteria.
- Review your GraphQL server's configuration to ensure that no sensitive schema information is exposed.
Compliant code
defmodule MyAppWeb.Schema do
  use Absinthe.Schema

  query do
    # Queries defined here
  end

  mutation do
    # Mutations defined here
  end
end

# Router configuration: the GraphiQL interface is mounted only outside
# production. `Mix.env()` is evaluated when the router is compiled, so the
# route does not exist at all in a production build.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  forward "/api", Absinthe.Plug, schema: MyAppWeb.Schema

  if Mix.env() != :prod do
    forward "/graphiql", Absinthe.Plug.GraphiQL, schema: MyAppWeb.Schema
  end
end
This code is secure because the GraphiQL interface, through which the schema structure was exposed, is not mounted in the production environment. It is only available in non-production environments, reducing the risk of information leakage.
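Removing GraphiQL removes the interactive explorer, but the `/api` endpoint itself still answers introspection queries, and the first step above asks for those to be disabled in production. The following is an added example, not code from the page or from Absinthe: a Plug that rejects introspection queries unless the application is configured to allow them. The module name MyAppWeb.BlockIntrospection, the `:allow_introspection` config key and the router wiring are assumptions, and the text match on the query is a heuristic that complements the compliant code rather than replacing it.

```elixir
# Added example (not from the page). Rejects GraphQL introspection queries
# unless `config :my_app, allow_introspection: true` is set (e.g. in dev.exs).
defmodule MyAppWeb.BlockIntrospection do
  @behaviour Plug
  import Plug.Conn

  # Introspection is served through the meta fields `__schema` and `__type`.
  # `__typename` is an ordinary client field and must stay allowed, hence `\b`.
  @introspection ~r/__(schema|type)\b/

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    if allowed?() or not introspection_query?(query_text(conn)) do
      conn
    else
      conn
      |> put_resp_content_type("application/json")
      |> send_resp(403, ~s|{"errors":[{"message":"Introspection is disabled"}]}|)
      |> halt()
    end
  end

  # Assumed config key; defaults to closed so production is safe by omission.
  defp allowed?, do: Application.get_env(:my_app, :allow_introspection, false)

  # Absinthe.Plug reads the document from the "query" param (GET or JSON POST);
  # Plug.Parsers in the endpoint has already merged it into conn.params.
  defp query_text(%Plug.Conn{params: %{"query" => q}}) when is_binary(q), do: q
  defp query_text(_conn), do: ""

  def introspection_query?(query) when is_binary(query),
    do: Regex.match?(@introspection, query)
end

# Router wiring (assumed names): the plug runs before the request is forwarded
# to Absinthe, so a blocked query never reaches the schema.
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :api do
    plug :accepts, ["json"]
    plug MyAppWeb.BlockIntrospection
  end

  scope "/" do
    pipe_through :api
    forward "/api", Absinthe.Plug, schema: MyAppWeb.Schema
  end
end
```

Blocked requests show up as 403 responses on `/api`, which makes unexpected introspection attempts against production easy to spot in access logs.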