fix: Disable GraphQL introspection in prod

Author: suejung-sentry

codecov/settings_base.py

@@ -92,7 +92,6 @@
 
 WSGI_APPLICATION = "codecov.wsgi.application"
 
-
 # GraphQL
 
 GRAPHQL_QUERY_COST_THRESHOLD = get_config(
@@ -105,6 +104,8 @@
 
 GRAPHQL_RATE_LIMIT_RPM = get_config("setup", "graphql", "rate_limit_rpm", default=300)
 
+GRAPHQL_INTROSPECTION_ENABLED = False
+
 # Database
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases
 
@@ -184,7 +185,6 @@
 
 USE_TZ = True
 
-
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 
@@ -308,7 +308,6 @@
     "gitlab", "bots", "tokenless", "key", default=GITLAB_BOT_KEY
 )
 
-
 GITLAB_ENTERPRISE_CLIENT_ID = get_config("gitlab_enterprise", "client_id")
 GITLAB_ENTERPRISE_CLIENT_SECRET = get_config("gitlab_enterprise", "client_secret")
 GITLAB_ENTERPRISE_REDIRECT_URI = get_config(
@@ -323,7 +322,6 @@
 GITLAB_ENTERPRISE_URL = get_config("gitlab_enterprise", "url")
 GITLAB_ENTERPRISE_API_URL = get_config("gitlab_enterprise", "api_url")
 
-
 CORS_ALLOW_HEADERS = (
     list(default_headers)
     + ["token-type"]
@@ -344,7 +342,6 @@
     "setup", "http", "file_upload_max_memory_size", default=2621440
 )
 
-
 CORS_ALLOWED_ORIGIN_REGEXES = get_config(
     "setup", "api_cors_allowed_origin_regexes", default=[]
 )
@@ -362,7 +359,6 @@
 
 HIDE_ALL_CODECOV_TOKENS = get_config("setup", "hide_all_codecov_tokens", default=False)
 
-
 SENTRY_JWT_SHARED_SECRET = get_config(
     "sentry", "jwt_shared_secret", default=None
 ) or get_config("setup", "sentry", "jwt_shared_secret", default=None)

codecov/settings_dev.py

@@ -55,3 +55,5 @@
 # SHELTER_SHARED_SECRET = "test-supertoken"
 
 GUEST_ACCESS = True
+
+GRAPHQL_INTROSPECTION_ENABLED = True

codecov/settings_staging.py

@@ -75,3 +75,5 @@
 CSRF_TRUSTED_ORIGINS = [
     get_config("setup", "trusted_origin", default="https://*.codecov.dev")
 ]
+
+GRAPHQL_INTROSPECTION_ENABLED = True

codecov/settings_test.py

@@ -10,3 +10,5 @@
 # Mock the Pub/Sub host for testing
 # this prevents the pubsub SDK from trying to load credentials
 os.environ["PUBSUB_EMULATOR_HOST"] = "localhost"
+
+GRAPHQL_INTROSPECTION_ENABLED = True

graphql_api/config.py

@@ -0,0 +1,13 @@
+from typing import TypedDict
+
+from django.conf import settings
+
+
+# Possible options are defined here: https://ariadnegraphql.org/docs/0.4.0/django-integration#configuration-options
+class AriadneDjangoConfigOptions(TypedDict):
+    introspection: bool
+
+
+graphql_config: AriadneDjangoConfigOptions = {
+    "introspection": getattr(settings, "GRAPHQL_INTROSPECTION_ENABLED", False),
+}

graphql_api/views.py

@@ -27,6 +27,7 @@
 from services import ServiceException
 from services.redis_configuration import get_redis_connection
 
+from .config import graphql_config
 from .schema import schema
 
 log = logging.getLogger(__name__)
@@ -378,7 +379,7 @@ def get_client_ip(self, request):
         return ip
 
 
-BaseAriadneView = AsyncGraphqlView.as_view()
+BaseAriadneView = AsyncGraphqlView.as_view(**graphql_config)
 
 
 async def ariadne_view(request, service):