add disable introspection

Author: aryaniyaps

docs/execution/validators.rst

@@ -20,7 +20,7 @@ Example
 Here is how you would implement depth-limiting on your schema.
 
 .. code:: python
-    from graphene.validators import depth_limit_validator
+    from graphene.validation import depth_limit_validator
 
     # The following schema doesn't execute queries
     # which have a depth more than 20.

graphene/utils/is_introspection_key.py

@@ -0,0 +1,6 @@
+def is_introspection_key(key):
+    # from: https://spec.graphql.org/June2018/#sec-Schema
+    # > All types and directives defined within a schema must not have a name which
+    # > begins with "__" (two underscores), as this is used exclusively
+    # > by GraphQL’s introspection system.
+    return str(node.name.value).startswith("__")

graphene/validation/__init__.py

@@ -0,0 +1,8 @@
+from .depth_limit import depth_limit_validator
+from .disable_introspection import disable_introspection
+
+
+__all__ = [
+    "depth_limit_validator",
+    "disable_introspection"
+]

graphene/validators/depth_limit_validator.py renamed to graphene/validation/depth_limit.py

@@ -29,6 +29,7 @@
 from typing import Callable, Dict, List, Optional, Union
 
 from graphql import GraphQLError
+from graphql.validation import ValidationContext, ValidationRule
 from graphql.language import (
     DefinitionNode,
     FieldNode,
@@ -38,7 +39,8 @@
     Node,
     OperationDefinitionNode,
 )
-from graphql.validation import ValidationContext, ValidationRule
+
+from ..utils.is_introspection_key import is_introspection_key
 
 
 IgnoreType = Union[Callable[[str], bool], re.Pattern, str]
@@ -121,11 +123,7 @@ def determine_depth(
         return depth_so_far
 
     if isinstance(node, FieldNode):
-        # from: https://spec.graphql.org/June2018/#sec-Schema
-        # > All types and directives defined within a schema must not have a name which
-        # > begins with "__" (two underscores), as this is used exclusively
-        # > by GraphQL’s introspection system.
-        should_ignore = str(node.name.value).startswith("__") or is_ignored(
+        should_ignore = is_introspection_key(node.name.value) or is_ignored(
             node, ignore
         )
 

graphene/validation/disable_introspection.py

@@ -0,0 +1,22 @@
+from graphql import GraphQLError
+from graphql.language import FieldNode
+from graphql.validation import ValidationRule
+
+from ..utils.is_introspection_key import is_introspection_key
+
+
+def disable_introspection():
+    class DisableIntrospection(ValidationRule):
+        def enter_field(self, node: FieldNode, *_args):
+            field_name = node.name.value
+            if not is_introspection_key(field_name):
+                return
+
+            self.report_error(
+                GraphQLError(
+                    f"Cannot query '{field_name}': introspection is disabled.",
+                    node,
+                )
+            )
+
+    return DisableIntrospection

graphene/validators/tests/__init__.py renamed to graphene/validation/tests/__init__.py

@@ -0,0 +1,33 @@
+from graphql import parse, validate
+
+from ...types import Schema, ObjectType, String
+from ..disable_introspection import disable_introspection
+
+
+class Query(ObjectType):
+    name = String(
+        required=True
+    )
+
+
+schema = Schema(query=Query)
+
+
+def run_query(query: str):
+    document = parse(query)
+
+    result = None
+
+    def callback(query_depths):
+        nonlocal result
+        result = query_depths
+
+    errors = validate(
+        schema.graphql_schema,
+        document,
+        rules=(
+            disable_introspection(),
+        ),
+    )
+
+    return errors, result