Add NoSchemaIntrospectionCustomRule

Cito · Cito · commit bde4ae1c4b62 · 2021-02-06T21:54:09.000+01:00
Replicates graphql/graphql-js@00077f1
diff --git a/src/graphql/__init__.py b/src/graphql/__init__.py
@@ -320,6 +320,8 @@
     UniqueFieldDefinitionNamesRule,
     UniqueDirectiveNamesRule,
     PossibleTypeExtensionsRule,
+    # Custom validation rules
+    NoSchemaIntrospectionCustomRule,
 )
 
 # Create, format, and print GraphQL errors.
@@ -654,6 +656,7 @@
     "UniqueFieldDefinitionNamesRule",
     "UniqueDirectiveNamesRule",
     "PossibleTypeExtensionsRule",
+    "NoSchemaIntrospectionCustomRule",
     "GraphQLError",
     "GraphQLSyntaxError",
     "located_error",
diff --git a/src/graphql/validation/__init__.py b/src/graphql/validation/__init__.py
@@ -104,6 +104,9 @@
 from .rules.unique_directive_names import UniqueDirectiveNamesRule
 from .rules.possible_type_extensions import PossibleTypeExtensionsRule
 
+# Optional rules not defined by the GraphQL Specification
+from .rules.custom.no_schema_introspection import NoSchemaIntrospectionCustomRule
+
 __all__ = [
     "validate",
     "ASTValidationContext",
@@ -146,4 +149,5 @@
     "UniqueFieldDefinitionNamesRule",
     "UniqueDirectiveNamesRule",
     "PossibleTypeExtensionsRule",
+    "NoSchemaIntrospectionCustomRule",
 ]
diff --git a/src/graphql/validation/rules/custom/__init__.py b/src/graphql/validation/rules/custom/__init__.py
@@ -0,0 +1 @@
+"""graphql.validation.rules.custom package"""
diff --git a/src/graphql/validation/rules/custom/no_schema_introspection.py b/src/graphql/validation/rules/custom/no_schema_introspection.py
@@ -0,0 +1,31 @@
+from typing import Any
+
+from ....error import GraphQLError
+from ....language import FieldNode
+from ....type import get_named_type, is_introspection_type
+from .. import ValidationRule
+
+__all__ = ["NoSchemaIntrospectionCustomRule"]
+
+
+class NoSchemaIntrospectionCustomRule(ValidationRule):
+    """Prohibit introspection queries
+
+    A GraphQL document is only valid if all fields selected are not fields that
+    return an introspection type.
+
+    Note: This rule is optional and is not part of the Validation section of the
+    GraphQL Specification. This rule effectively disables introspection, which
+    does not reflect best practices and should only be done if absolutely necessary.
+    """
+
+    def enter_field(self, node: FieldNode, *_args: Any) -> None:
+        type_ = get_named_type(self.context.get_type())
+        if type_ and is_introspection_type(type_):
+            self.report_error(
+                GraphQLError(
+                    "GraphQL introspection has been disabled, but the requested query"
+                    f" contained the field '{node.name.value}'.",
+                    node,
+                )
+            )
diff --git a/tests/validation/test_no_schema_introspection.py b/tests/validation/test_no_schema_introspection.py
@@ -0,0 +1,145 @@
+from functools import partial
+
+from graphql.utilities import build_schema
+from graphql.validation import NoSchemaIntrospectionCustomRule
+
+from .harness import assert_validation_errors
+
+schema = build_schema(
+    """
+    type Query {
+      someQuery: SomeType
+    }
+
+    type SomeType {
+      someField: String
+      introspectionField: __EnumValue
+    }
+    """
+)
+
+assert_errors = partial(
+    assert_validation_errors, NoSchemaIntrospectionCustomRule, schema=schema
+)
+
+assert_valid = partial(assert_errors, errors=[])
+
+
+def describe_validate_prohibit_introspection_queries():
+    def ignores_valid_fields_including_typename():
+        assert_valid(
+            """
+            {
+              someQuery {
+                __typename
+                someField
+              }
+            }
+            """
+        )
+
+    def ignores_fields_not_in_the_schema():
+        assert_valid(
+            """
+            {
+              __introspect
+            }
+            """
+        )
+
+    def reports_error_when_a_field_with_an_introspection_type_is_requested():
+        assert_errors(
+            """
+            {
+              __schema {
+                queryType {
+                  name
+                }
+              }
+            }
+            """,
+            [
+                {
+                    "message": "GraphQL introspection has been disabled,"
+                    " but the requested query contained the field '__schema'.",
+                    "locations": [(3, 15)],
+                },
+                {
+                    "message": "GraphQL introspection has been disabled,"
+                    " but the requested query contained the field 'queryType'.",
+                    "locations": [(4, 17)],
+                },
+            ],
+        )
+
+    def reports_error_when_a_field_with_introspection_type_is_requested_and_aliased():
+        assert_errors(
+            """
+            {
+              s: __schema {
+                queryType {
+                  name
+                }
+              }
+            }
+            """,
+            [
+                {
+                    "message": "GraphQL introspection has been disabled,"
+                    " but the requested query contained the field '__schema'.",
+                    "locations": [(3, 15)],
+                },
+                {
+                    "message": "GraphQL introspection has been disabled,"
+                    " but the requested query contained the field 'queryType'.",
+                    "locations": [(4, 17)],
+                },
+            ],
+        )
+
+    def reports_error_when_using_a_fragment_with_a_field_with_an_introspection_type():
+        assert_errors(
+            """
+            {
+              ...QueryFragment
+            }
+
+            fragment QueryFragment on Query {
+              __schema {
+                queryType {
+                  name
+                }
+              }
+            }
+            """,
+            [
+                {
+                    "message": "GraphQL introspection has been disabled,"
+                    " but the requested query contained the field '__schema'.",
+                    "locations": [(7, 15)],
+                },
+                {
+                    "message": "GraphQL introspection has been disabled,"
+                    " but the requested query contained the field 'queryType'.",
+                    "locations": [(8, 17)],
+                },
+            ],
+        )
+
+    def reports_error_for_non_standard_introspection_fields():
+        assert_errors(
+            """
+            {
+              someQuery {
+                introspectionField
+              }
+            }
+            """,
+            [
+                {
+                    "message": "GraphQL introspection has been disabled, but"
+                    " the requested query contained the field 'introspectionField'.",
+                    "locations": [(4, 17)],
+                },
+            ],
+        )

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+"""graphql.validation.rules.custom package"""`