fix: Disable GraphQL introspection in prod (#953)

suejung-sentry · web-flow · commit 168d5f2b8f4f · 2024-11-04T17:38:12.000Z
diff --git a/codecov/settings_base.py b/codecov/settings_base.py
@@ -92,7 +92,6 @@
 
 WSGI_APPLICATION = "codecov.wsgi.application"
 
-
 # GraphQL
 
 GRAPHQL_QUERY_COST_THRESHOLD = get_config(
@@ -105,6 +104,8 @@
 
 GRAPHQL_RATE_LIMIT_RPM = get_config("setup", "graphql", "rate_limit_rpm", default=300)
 
+GRAPHQL_INTROSPECTION_ENABLED = False
+
 # Database
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases
 
@@ -184,7 +185,6 @@
 
 USE_TZ = True
 
-
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 
@@ -308,7 +308,6 @@
     "gitlab", "bots", "tokenless", "key", default=GITLAB_BOT_KEY
 )
 
-
 GITLAB_ENTERPRISE_CLIENT_ID = get_config("gitlab_enterprise", "client_id")
 GITLAB_ENTERPRISE_CLIENT_SECRET = get_config("gitlab_enterprise", "client_secret")
 GITLAB_ENTERPRISE_REDIRECT_URI = get_config(
@@ -323,7 +322,6 @@
 GITLAB_ENTERPRISE_URL = get_config("gitlab_enterprise", "url")
 GITLAB_ENTERPRISE_API_URL = get_config("gitlab_enterprise", "api_url")
 
-
 CORS_ALLOW_HEADERS = (
     list(default_headers)
     + ["token-type"]
@@ -344,7 +342,6 @@
     "setup", "http", "file_upload_max_memory_size", default=2621440
 )
 
-
 CORS_ALLOWED_ORIGIN_REGEXES = get_config(
     "setup", "api_cors_allowed_origin_regexes", default=[]
 )
@@ -362,7 +359,6 @@
 
 HIDE_ALL_CODECOV_TOKENS = get_config("setup", "hide_all_codecov_tokens", default=False)
 
-
 SENTRY_JWT_SHARED_SECRET = get_config(
     "sentry", "jwt_shared_secret", default=None
 ) or get_config("setup", "sentry", "jwt_shared_secret", default=None)
diff --git a/codecov/settings_dev.py b/codecov/settings_dev.py
@@ -55,3 +55,5 @@
 # SHELTER_SHARED_SECRET = "test-supertoken"
 
 GUEST_ACCESS = True
+
+GRAPHQL_INTROSPECTION_ENABLED = True
diff --git a/codecov/settings_staging.py b/codecov/settings_staging.py
@@ -75,3 +75,5 @@
 CSRF_TRUSTED_ORIGINS = [
     get_config("setup", "trusted_origin", default="https://*.codecov.dev")
 ]
+
+GRAPHQL_INTROSPECTION_ENABLED = True
diff --git a/codecov/settings_test.py b/codecov/settings_test.py
@@ -10,3 +10,5 @@
 # Mock the Pub/Sub host for testing
 # this prevents the pubsub SDK from trying to load credentials
 os.environ["PUBSUB_EMULATOR_HOST"] = "localhost"
+
+GRAPHQL_INTROSPECTION_ENABLED = True
diff --git a/graphql_api/views.py b/graphql_api/views.py
@@ -188,6 +188,7 @@ def __exit__(self, exc_type, exc_value, exc_traceback):
 class AsyncGraphqlView(GraphQLAsyncView):
     schema = schema
     extensions = [QueryMetricsExtension]
+    introspection = getattr(settings, "GRAPHQL_INTROSPECTION_ENABLED", False)
 
     def get_validation_rules(
         self,

Original file line number	Diff line number	Diff line change
`@@ -75,3 +75,5 @@`
`75`	`75`	`CSRF_TRUSTED_ORIGINS = [`
`76`	`76`	`get_config("setup", "trusted_origin", default="https://*.codecov.dev")`
`77`	`77`	`]`
	`78`	`+`
	`79`	`+GRAPHQL_INTROSPECTION_ENABLED = True`