feat: Add configurable validation rules #1239
Conversation
There was a problem hiding this comment.
Great work, thank you! I have a couple of questions to improve the approach, but in general the new settings on the server entity make sense.
Not sure if we need the validation token - we could check voyager/explorer permissions of the current user instead to skip validators there.
We should also add a test case if that is possible in a way in our current kernel tests.
| } | ||
|
|
||
| // Only bypass validation for these two routes. | ||
| if ($route === 'graphql.explorer' || $route === 'graphql.voyager') { |
There was a problem hiding this comment.
I think this will not work - the requests performed by explorer and voyager are sent against the normal graphql endpoint, if I understand the code correctly. So you would issue a redirect for the admin UI?
There was a problem hiding this comment.
We could also do this redirect directly in the VoyagerController and ExplorerController, then we don't need an extra event listener for our own controllers that we can change anyway.
| use Symfony\Component\HttpKernel\KernelEvents; | ||
| use Symfony\Component\EventDispatcher\EventSubscriberInterface; | ||
|
|
||
| class ExplorerEventSubscriber implements EventSubscriberInterface { |
There was a problem hiding this comment.
not a big fan that we need our own event subscriber on every single request. Just to do redirects for voyager and explorer admin pages?
| $form['validation']['disable_introspection'] = [ | ||
| '#title' => $this->t('Disable introspection'), | ||
| '#type' => 'checkbox', | ||
| '#default_value' => !!$server->get('disable_introspection'), |
There was a problem hiding this comment.
Default value if not configured should be TRUE, for security reasons we should have it disabled by default.
| '#title' => $this->t('Disable introspection'), | ||
| '#type' => 'checkbox', | ||
| '#default_value' => !!$server->get('disable_introspection'), | ||
| '#description' => $this->t('Whether introspection should be disabled.'), |
There was a problem hiding this comment.
We should mention security here: "GraphQL schema introspection should be disabled on production sites for security reasons. That way the whole schema is not exposed to the public."
There was a problem hiding this comment.
While I agree with the general sentiment I do think this falls in the "security through obscurity" part of the security spectrum. Introspection can provide important information to GraphQL tooling and there are legitimate use-cases to keep introspection enabled in production. For example when building an API for third-party developers.
Perhaps we can find wording that isn't as black and white?
There was a problem hiding this comment.
Right, there is nuance here. GraphQL introspection is flagged as vulnerability in security audits though, and Drupal tries to be secure by default. You are right that it is no direct vulnerability. I'm open for a better wording, but we should definitely mention the word security in the description and that this should be turned on for a normal GraphQL fronntend API.
There was a problem hiding this comment.
Yep that's absolutely fine :D
| $form['validation']['depth'] = [ | ||
| '#title' => $this->t('Max query depth'), | ||
| '#type' => 'number', | ||
| '#default_value' => $server->get('depth'), |
There was a problem hiding this comment.
We should have a good default value here to prevent arbitrary deep queries. I would suggest 5, does that make sense?
There was a problem hiding this comment.
I would plead to keep the default behaviour of the library in case nothing is configured (which is to disable this rule). Any arbitrarily number chosen is going to be too large for some use-cases and too small for others.
| '#title' => $this->t('Max query depth'), | ||
| '#type' => 'number', | ||
| '#default_value' => $server->get('depth'), | ||
| '#description' => $this->t('The maximum allowed depth of nested queries. Leave empty to set unlimited.'), |
There was a problem hiding this comment.
"The maximum allowed depth of nested queries. Leave empty to set unlimited, but for security reasons it is recommended to specify a limit like 5."
| type: boolean | ||
| label: 'Disable Introspection' | ||
| depth: | ||
| type: number |
There was a problem hiding this comment.
does number exist? I think this should be integer?
| '#title' => $this->t('Max query complexity'), | ||
| '#default_value' => $server->get('complexity'), | ||
| '#type' => 'number', | ||
| '#description' => $this->t('The maximum allowed complexity of a query. Leave empty to set unlimited.'), |
There was a problem hiding this comment.
Same here - what is a good default value for complexity limits? The docs at https://webonyx.github.io/graphql-php/executing-queries/ use 100 as example.
Unfortunately https://github.com/webonyx/graphql-php/blob/master/src/Validator/Rules/QueryComplexity.php has no docs at all, I assume this counts all the fields that you are requesting in 1 query? Then I think we can use 100 here as default.
This is also a security setting to prevent denial of service attacks where an attacker would slow down the server by requesting lots of fields. This should also be mitigated by the PHP memory limit and execution time, but still makes sense to also limit more strictly here on the GraphQL API level.
There was a problem hiding this comment.
Query complexity is slightly more complicated. The default is to count every field as a complexity of one. However, the GraphQL library is elaborate enough that this can be changed by library users on a field level. (💡 an interesting spin-off feature could be to allow data producers to indicate their relative complexity to make this more useful)
So a single field may have a complexity of 1 or 1000 depending on the implementer. Thus complexity of a query depends entirely on what fields are queried (a query with 2 fields can have a higher complexity score than with 20).
Here too I ask that the default follows the default of the library and disables this check. There's a lot of factors that go into determining what a sensible limit is here.
There was a problem hiding this comment.
Hm, I don't think many people change the complexity of a field in the library.
But yes, this setting is probably better turned off by default. The server has a PHP memory limit and timeout anyway that should catch DoS attacks on the complexity level.
| '#description' => $this->t('The maximum allowed complexity of a query. Leave empty to set unlimited.'), | ||
| ]; | ||
|
|
||
| $form['validation']['bypass_validation_token'] = [ |
There was a problem hiding this comment.
Instead of using a token - could we bypass validators if the current user has the permission "administer graphql configuration" or "bypass graphql access"? That way explorer and voyager would still work for a logged in administrator with that permission.
There was a problem hiding this comment.
A permission is good idea! But, I think we do need a way to bypass the restrictions when doing an API request. For example, when a codegen script has to generate the schema to use in a decoupled front-end.
There was a problem hiding this comment.
Not sure that codegen scripts should pull a graphql schema from a production site. But yes, maybe it makes sense to support this, the token should be good enough as protection.
There was a problem hiding this comment.
We have this too in our decoupled set-up since the GraphQL schema depends on what modules are enabled on the platform. So this is not something we know before the site is in production.
|
While I realise this is also not possible currently, I would request that this PR at least leaves room to change these metrics on a per request basis, rather than on the GraphQL server level. i.e. some way to ignore this configuration through the UI entirely. The use-case is a GraphQL server that has different types of clients. Different clients may need different limits on what their requests may be. For example an unauthenticated client may only request simple (low complexity) queries at a low rate limit with a shallow depth. However, a client with private key authentication may have no complexity or depth limit (since it's a trusted internal client). We expect to have this use-case of different restrictions for different clients within the next 6 months at Open Social. |
|
We could implement an event in the Server code that is invoked. Then an event consumer can disable/change validators on a request basis, for example in a custom opensocial module. Maybe let's not overengineer this first part yet and just add the options to the Server configuration. The event or the custom validation token can then be follow-ups to improve from there. |
| * "disable_introspection", | ||
| * "depth", | ||
| * "complexity", | ||
| * "bypass_validation_token" |
There was a problem hiding this comment.
we should also add the class properties on Server like we have with the other settings.
|
OK, let's keep it simple to move forward in a first step here:
@perrydrums do you have time to work on this and simplify? Otherwise I would task @akhomy-jq to take this over. |
|
#1244 has been merged, yay! Will leave this PR open for now with the ideas here for further improvements. |
I noticed there isn't a way to set validation rules like disabling introspection or query depth and complexity. Setting these rules can improve the security of your GraphQL endpoint, so I think it's a welcome addition. I've added the rules config to the Server settings form.
I've also added a way of bypassing the rules by using a simple query parameter which can also be set in the Server settings. Bypassing the rules can be useful for codegen scripts or just when developing.
The event subscriber I added is just there to add the bypass query parameter to the URL of the explorer and voyager pages, but I think this can be done better and cleaner.