From 508e696a452592b68aaee6875f01f08f0effc00f Mon Sep 17 00:00:00 2001
From: Suejung Shin
Date: Fri, 1 Nov 2024 11:35:22 -0700
Subject: [PATCH 1/2] fix: Disable GraphQL introspection in prod

---
 codecov/settings_base.py | 8 ++------
 codecov/settings_dev.py | 2 ++
 codecov/settings_staging.py | 2 ++
 codecov/settings_test.py | 2 ++
 graphql_api/config.py | 13 +++++++++++++
 graphql_api/views.py | 3 ++-
 6 files changed, 23 insertions(+), 7 deletions(-)
 create mode 100644 graphql_api/config.py

diff --git a/codecov/settings_base.py b/codecov/settings_base.py
index 324a317021..a78abfe895 100644
--- a/codecov/settings_base.py
+++ b/codecov/settings_base.py
@@ -92,7 +92,6 @@
 WSGI_APPLICATION = "codecov.wsgi.application"
-
 # GraphQL
 GRAPHQL_QUERY_COST_THRESHOLD = get_config(
@@ -105,6 +104,8 @@
 GRAPHQL_RATE_LIMIT_RPM = get_config("setup", "graphql", "rate_limit_rpm", default=300)
+GRAPHQL_INTROSPECTION_ENABLED = False
+
 # Database
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases
@@ -184,7 +185,6 @@
 USE_TZ = True
-
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
@@ -308,7 +308,6 @@
     "gitlab", "bots", "tokenless", "key", default=GITLAB_BOT_KEY
 )
-
 GITLAB_ENTERPRISE_CLIENT_ID = get_config("gitlab_enterprise", "client_id")
 GITLAB_ENTERPRISE_CLIENT_SECRET = get_config("gitlab_enterprise", "client_secret")
 GITLAB_ENTERPRISE_REDIRECT_URI = get_config(
@@ -323,7 +322,6 @@
 GITLAB_ENTERPRISE_URL = get_config("gitlab_enterprise", "url")
 GITLAB_ENTERPRISE_API_URL = get_config("gitlab_enterprise", "api_url")
-
 CORS_ALLOW_HEADERS = (
     list(default_headers)
     + ["token-type"]
@@ -344,7 +342,6 @@
     "setup", "http", "file_upload_max_memory_size", default=2621440
 )
-
 CORS_ALLOWED_ORIGIN_REGEXES = get_config(
     "setup", "api_cors_allowed_origin_regexes", default=[]
 )
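Review bot: `GRAPHQL_INTROSPECTION_ENABLED = False` in the `@@ -105,6 +104,8 @@` hunk is a bare literal, while the neighbouring GraphQL settings in this file (`GRAPHQL_RATE_LIMIT_RPM` directly above it) are read through `get_config(...)` with a default. Off-by-default is the right posture for the base settings, and it is what every environment that does not override it — including self-hosted installs — inherits; reading it as `GRAPHQL_INTROSPECTION_ENABLED = get_config("setup", "graphql", "introspection_enabled", default=False)` keeps that default while letting operators opt in from configuration instead of a code change. The config key name there is a suggestion, not an existing key I can see on the page. A one-line comment stating why it is off would help the next maintainer, e.g. `# Off by default: introspection exposes the whole schema to any client; dev/staging/test settings override it.`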
@@ -362,7 +359,6 @@
 HIDE_ALL_CODECOV_TOKENS = get_config("setup", "hide_all_codecov_tokens", default=False)
-
 SENTRY_JWT_SHARED_SECRET = get_config(
     "sentry", "jwt_shared_secret", default=None
 ) or get_config("setup", "sentry", "jwt_shared_secret", default=None)
diff --git a/codecov/settings_dev.py b/codecov/settings_dev.py
index e58164c69f..7b643922e5 100644
--- a/codecov/settings_dev.py
+++ b/codecov/settings_dev.py
@@ -55,3 +55,5 @@
 # SHELTER_SHARED_SECRET = "test-supertoken"
 GUEST_ACCESS = True
+
+GRAPHQL_INTROSPECTION_ENABLED = True
diff --git a/codecov/settings_staging.py b/codecov/settings_staging.py
index 6fe3c7c3bd..0067b39cd8 100644
--- a/codecov/settings_staging.py
+++ b/codecov/settings_staging.py
@@ -75,3 +75,5 @@
 CSRF_TRUSTED_ORIGINS = [
     get_config("setup", "trusted_origin", default="https://*.codecov.dev")
 ]
+
+GRAPHQL_INTROSPECTION_ENABLED = True
diff --git a/codecov/settings_test.py b/codecov/settings_test.py
index 5d2466ec2f..beea9f879e 100644
--- a/codecov/settings_test.py
+++ b/codecov/settings_test.py
@@ -10,3 +10,5 @@
 # Mock the Pub/Sub host for testing
 # this prevents the pubsub SDK from trying to load credentials
 os.environ["PUBSUB_EMULATOR_HOST"] = "localhost"
+
+GRAPHQL_INTROSPECTION_ENABLED = True
diff --git a/graphql_api/config.py b/graphql_api/config.py
new file mode 100644
index 0000000000..ebfb144bff
--- /dev/null
+++ b/graphql_api/config.py
@@ -0,0 +1,13 @@
+from typing import TypedDict
+
+from django.conf import settings
+
+
+# Possible options are defined here: https://ariadnegraphql.org/docs/0.4.0/django-integration#configuration-options
+class AriadneDjangoConfigOptions(TypedDict):
+    introspection: bool
+
+
+graphql_config: AriadneDjangoConfigOptions = {
+    "introspection": getattr(settings, "GRAPHQL_INTROSPECTION_ENABLED", False),
+}
diff --git a/graphql_api/views.py b/graphql_api/views.py
index 6763a29c7e..b5c6e20bba 100644
--- a/graphql_api/views.py
+++ b/graphql_api/views.py
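Review bot: `GRAPHQL_INTROSPECTION_ENABLED = True` in the `settings_staging.py` hunk re-enables introspection for staging, while the subject line scopes the change to production; if staging is reachable from outside and serves the same schema as production, the schema the production setting withholds is readable there anyway. Whether that is acceptable is a deployment question the diff cannot answer, but it should be a deliberate choice rather than inheriting the dev/test convenience value. If it is intentional, a one-line comment such as `# Intentionally enabled on staging: <reason / exposure assumption>` records the trade-off next to the flag. The same value is set in `settings_dev.py` and `settings_test.py`, where that concern does not apply.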
@@ -27,6 +27,7 @@
 from services import ServiceException
 from services.redis_configuration import get_redis_connection
+from .config import graphql_config
 from .schema import schema
 log = logging.getLogger(__name__)
@@ -378,7 +379,7 @@ def get_client_ip(self, request):
         return ip
-BaseAriadneView = AsyncGraphqlView.as_view()
+BaseAriadneView = AsyncGraphqlView.as_view(**graphql_config)
 async def ariadne_view(request, service):

From 55229a8558663d37ae6d402f4b1730c982fbdb13 Mon Sep 17 00:00:00 2001
From: Suejung Shin
Date: Fri, 1 Nov 2024 13:10:43 -0700
Subject: [PATCH 2/2] follow django patterns

---
 graphql_api/config.py | 13 -------------
 graphql_api/views.py | 4 ++--
 2 files changed, 2 insertions(+), 15 deletions(-)
 delete mode 100644 graphql_api/config.py

diff --git a/graphql_api/config.py b/graphql_api/config.py
deleted file mode 100644
index ebfb144bff..0000000000
--- a/graphql_api/config.py
+++ /dev/null
@@ -1,13 +0,0 @@
-from typing import TypedDict
-
-from django.conf import settings
-
-
-# Possible options are defined here: https://ariadnegraphql.org/docs/0.4.0/django-integration#configuration-options
-class AriadneDjangoConfigOptions(TypedDict):
-    introspection: bool
-
-
-graphql_config: AriadneDjangoConfigOptions = {
-    "introspection": getattr(settings, "GRAPHQL_INTROSPECTION_ENABLED", False),
-}
diff --git a/graphql_api/views.py b/graphql_api/views.py
index b5c6e20bba..cd5b85f6b8 100644
--- a/graphql_api/views.py
+++ b/graphql_api/views.py
@@ -27,7 +27,6 @@
 from services import ServiceException
 from services.redis_configuration import get_redis_connection
-from .config import graphql_config
 from .schema import schema
 log = logging.getLogger(__name__)
@@ -189,6 +188,7 @@ def __exit__(self, exc_type, exc_value, exc_traceback):
 class AsyncGraphqlView(GraphQLAsyncView):
     schema = schema
     extensions = [QueryMetricsExtension]
+    introspection = getattr(settings, "GRAPHQL_INTROSPECTION_ENABLED", False)
     def get_validation_rules(
         self,
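Review bot: `introspection = getattr(settings, "GRAPHQL_INTROSPECTION_ENABLED", False)` in the `@@ -189,6 +188,7 @@` hunk is evaluated once when the class body runs, so the value is frozen at import time; Django's `override_settings` in a test cannot change it, and since `settings_test.py` sets the flag to True the default-off path never executes under the test suite as patched. If the base view reads `self.introspection` per request — I cannot confirm that from here — a property keeps the read lazy and testable: `@property` / `def introspection(self) -> bool:` / `return getattr(settings, "GRAPHQL_INTROSPECTION_ENABLED", False)`. Either way the series adds no test; one that posts `{ __schema { types { name } } }` with the setting overridden to False and to True, asserting rejection and success respectively, would pin the fix. I also do not see `from django.conf import settings` in the import hunk above, so confirm `settings` is already in scope in views.py. The `AsyncGraphqlView` body continues past the hunk.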
@@ -379,7 +379,7 @@ def get_client_ip(self, request):
         return ip
-BaseAriadneView = AsyncGraphqlView.as_view(**graphql_config)
+BaseAriadneView = AsyncGraphqlView.as_view()
 async def ariadne_view(request, service):