Merge #2348

2348: add middleware to disable introspection query r=tiftran a=tiftran used https://docs.graphene-python.org/en/v2.1.8/execution/middleware/ as reference Co-authored-by: Tif Tran <ttran@mozilla.com>
2023-06-19 18:33:14 +00:00 · 2023-06-19 18:33:14 +00:00 · 5437bc3985
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -38,7 +38,7 @@ jobs:
          command: pip install -U poetry
      - run:
          name: Install python dependencies
-          command: poetry install --no-dev --no-interaction --verbose
+          command: poetry install --no-dev --no-interaction --verbose --no-ansi
      - restore_cache:
          keys:
            - v2-dependencies-{{ checksum "yarn.lock" }}
@ -145,7 +145,7 @@ jobs:
            echo "source ~/venv/bin/activate" >> $BASH_ENV
      - run:
          name: Install requirements
-          command: poetry install --extras docs --no-interaction --verbose
+          command: poetry install --extras docs --no-interaction --verbose --no-ansi
      - run:
          name: Build docs
          command: |
@ -209,7 +209,7 @@ jobs:
            echo "source ~/venv/bin/activate" >> $BASH_ENV
      - run:
          name: Install python dependencies
-          command: poetry install --no-dev --no-interaction --verbose
+          command: poetry install --no-dev --no-interaction --verbose --no-ansi
      - run:
          name: Install node dependencies
          command: yarn install --frozen-lockfile
--- a/normandy/schema.py
+++ b/normandy/schema.py
@ -9,4 +9,25 @@ class NormandyQuery(BaseQuery, RecipesQuery, StudiesQuery, graphene.ObjectType):
    pass


+class DisableIntrospectionMiddleware:
+    """
+    This class hides the introspection. As it is best practice to not allow introspection queries
+    in production. ref: https://docs.graphene-python.org/en/latest/execution/queryvalidation/#disable-introspection
+    """
+
+    def resolve(self, next, root, info, **kwargs):
+        # introspection fields taken from https://graphql.org/learn/introspection/
+        if info.field_name.lower() in [
+            "__Schema",
+            "__Type",
+            "__TypeKind",
+            "__Field",
+            "__InputValue",
+            "__EnumValue",
+            "__Directive",
+        ]:
+            return None
+        return next(root, info, **kwargs)
+
+
 schema = graphene.Schema(query=NormandyQuery)
--- a/normandy/settings.py
+++ b/normandy/settings.py
@ -102,7 +102,12 @@ class Core(Configuration):
        "DEFAULT_VERSIONING_CLASS": "rest_framework.versioning.NamespaceVersioning",
    }

-    GRAPHENE = {"SCHEMA": "normandy.schema.schema"}
+    GRAPHENE = {
+        "SCHEMA": "normandy.schema.schema",
+        "MIDDLEWARE": [
+            "normandy.schema.DisableIntrospectionMiddleware",
+        ],
+    }

    # Content Security Policy
    def CSP_DEFAULT_SRC(self):