feat: smart __type check

Moumouls · Moumouls · commit 20e074ad1256 · 2025-10-27T21:07:15.000+01:00
diff --git a/spec/ParseGraphQLServer.spec.js b/spec/ParseGraphQLServer.spec.js
@@ -729,10 +729,134 @@ describe('ParseGraphQLServer', () => {
             })
           expect(introspection.data).toBeDefined();
         });
+
+        it('should block __type introspection without master key', async () => {
+          try {
+            await apolloClient.query({
+              query: gql`
+                query TypeIntrospection {
+                  __type(name: "User") {
+                    name
+                    kind
+                  }
+                }
+              `,
+            });
+
+            fail('should have thrown an error');
+          } catch (e) {
+            expect(e.message).toEqual('Response not successful: Received status code 403');
+            expect(e.networkError.result.errors[0].message).toEqual('Introspection is not allowed');
+          }
+        });
+
+        it('should block aliased __type introspection without master key', async () => {
+          try {
+            await apolloClient.query({
+              query: gql`
+                query AliasedTypeIntrospection {
+                  myAlias: __type(name: "User") {
+                    name
+                    kind
+                  }
+                }
+              `,
+            });
+
+            fail('should have thrown an error');
+          } catch (e) {
+            expect(e.message).toEqual('Response not successful: Received status code 403');
+            expect(e.networkError.result.errors[0].message).toEqual('Introspection is not allowed');
+          }
+        });
+
+        it('should allow __type introspection with master key', async () => {
+          const introspection = await apolloClient.query({
+            query: gql`
+              query TypeIntrospection {
+                __type(name: "User") {
+                  name
+                  kind
+                }
+              }
+            `,
+            context: {
+              headers: {
+                'X-Parse-Master-Key': 'test',
+              },
+            },
+          });
+          expect(introspection.data).toBeDefined();
+          expect(introspection.data.__type).toBeDefined();
+          expect(introspection.errors).not.toBeDefined();
+        });
+
+        it('should allow aliased __type introspection with master key', async () => {
+          const introspection = await apolloClient.query({
+            query: gql`
+              query AliasedTypeIntrospection {
+                myAlias: __type(name: "User") {
+                  name
+                  kind
+                }
+              }
+            `,
+            context: {
+              headers: {
+                'X-Parse-Master-Key': 'test',
+              },
+            },
+          });
+          expect(introspection.data).toBeDefined();
+          expect(introspection.data.myAlias).toBeDefined();
+          expect(introspection.errors).not.toBeDefined();
+        });
+
+        it('should allow __type introspection with maintenance key', async () => {
+          const introspection = await apolloClient.query({
+            query: gql`
+              query TypeIntrospection {
+                __type(name: "User") {
+                  name
+                  kind
+                }
+              }
+            `,
+            context: {
+              headers: {
+                'X-Parse-Maintenance-Key': 'test2',
+              },
+            },
+          });
+          expect(introspection.data).toBeDefined();
+          expect(introspection.data.__type).toBeDefined();
+          expect(introspection.errors).not.toBeDefined();
+        });
+
+        it('should allow __type introspection when public introspection is enabled', async () => {
+          const parseServer = await reconfigureServer();
+          await createGQLFromParseServer(parseServer, { graphQLPublicIntrospection: true });
+
+          const introspection = await apolloClient.query({
+            query: gql`
+              query TypeIntrospection {
+                __type(name: "User") {
+                  name
+                  kind
+                }
+              }
+            `,
+          });
+          expect(introspection.data).toBeDefined();
+          expect(introspection.data.__type).toBeDefined();
+        });
       });
 
 
       describe('Default Types', () => {
+        beforeEach(async () => {
+          await createGQLFromParseServer(parseServer, { graphQLPublicIntrospection: true });
+        });
         it('should have Object scalar type', async () => {
           const objectType = (
             await apolloClient.query({
@@ -892,6 +1016,10 @@ describe('ParseGraphQLServer', () => {
       });
 
       describe('Relay Specific Types', () => {
+        beforeEach(async () => {
+          await createGQLFromParseServer(parseServer, { graphQLPublicIntrospection: true });
+        });
+
         let clearCache;
         beforeEach(async () => {
           if (!clearCache) {
@@ -1435,6 +1563,9 @@ describe('ParseGraphQLServer', () => {
       });
 
       describe('Parse Class Types', () => {
+        beforeEach(async () => {
+          await createGQLFromParseServer(parseServer, { graphQLPublicIntrospection: true });
+        });
         it('should have all expected types', async () => {
           await parseServer.config.databaseController.loadSchema();
 
@@ -1546,6 +1677,7 @@ describe('ParseGraphQLServer', () => {
         beforeEach(async () => {
           await parseGraphQLServer.setGraphQLConfig({});
           await resetGraphQLCache();
+          await createGQLFromParseServer(parseServer, { graphQLPublicIntrospection: true });
         });
 
         it_id('d6a23a2f-ca18-4b15-bc73-3e636f99e6bc')(it)('should only include types in the enabledForClasses list', async () => {
@@ -6695,7 +6827,7 @@ describe('ParseGraphQLServer', () => {
             );
             expect(
               (await deleteObject(object4.className, object4.id)).data.delete[
-                object4.className.charAt(0).toLowerCase() + object4.className.slice(1)
+              object4.className.charAt(0).toLowerCase() + object4.className.slice(1)
               ]
             ).toEqual({ objectId: object4.id, __typename: 'PublicClass' });
             await expectAsync(object4.fetch({ useMasterKey: true })).toBeRejectedWith(
@@ -7832,6 +7964,9 @@ describe('ParseGraphQLServer', () => {
       });
 
       describe('Functions Mutations', () => {
+        beforeEach(async () => {
+          await createGQLFromParseServer(parseServer, { graphQLPublicIntrospection: true });
+        });
         it('can be called', async () => {
           try {
             const clientMutationId = uuidv4();
@@ -11299,25 +11434,25 @@ describe('ParseGraphQLServer', () => {
           },
         });
         const SomeClassType = new GraphQLObjectType({
-            name: 'SomeClass',
-            fields: {
-              nameUpperCase: {
-                type: new GraphQLNonNull(GraphQLString),
-                resolve: p => p.name.toUpperCase(),
-              },
-              type: { type: TypeEnum },
-              language: {
-                type: new GraphQLEnumType({
-                  name: 'LanguageEnum',
-                  values: {
-                    fr: { value: 'fr' },
-                    en: { value: 'en' },
-                  },
-                }),
-                resolve: () => 'fr',
-              },
+          name: 'SomeClass',
+          fields: {
+            nameUpperCase: {
+              type: new GraphQLNonNull(GraphQLString),
+              resolve: p => p.name.toUpperCase(),
+            },
+            type: { type: TypeEnum },
+            language: {
+              type: new GraphQLEnumType({
+                name: 'LanguageEnum',
+                values: {
+                  fr: { value: 'fr' },
+                  en: { value: 'en' },
+                },
+              }),
+              resolve: () => 'fr',
             },
-          }),
+          },
+        }),
           parseGraphQLServer = new ParseGraphQLServer(parseServer, {
             graphQLPath: '/graphql',
             graphQLCustomTypeDefs: new GraphQLSchema({
diff --git a/src/GraphQL/ParseGraphQLServer.js b/src/GraphQL/ParseGraphQLServer.js
@@ -4,7 +4,7 @@ import { ApolloServer } from '@apollo/server';
 import { expressMiddleware } from '@as-integrations/express5';
 import { ApolloServerPluginCacheControlDisabled } from '@apollo/server/plugin/disabled';
 import express from 'express';
-import { execute, subscribe, GraphQLError } from 'graphql';
+import { execute, subscribe, GraphQLError, parse } from 'graphql';
 import { SubscriptionServer } from 'subscriptions-transport-ws';
 import { handleParseErrors, handleParseHeaders, handleParseSession } from '../middlewares';
 import requiredParameter from '../requiredParameter';
@@ -13,6 +13,38 @@ import { ParseGraphQLSchema } from './ParseGraphQLSchema';
 import ParseGraphQLController, { ParseGraphQLConfig } from '../Controllers/ParseGraphQLController';
 
 
+const hasTypeIntrospection = (query) => {
+  try {
+    const ast = parse(query);
+    // Check only root-level fields in the query
+    // Note: selection.name.value is the actual field name, so this correctly handles
+    // aliases like "myAlias: __type(...)" where name.value === "__type"
+    for (const definition of ast.definitions) {
+      if (definition.kind === 'OperationDefinition' && definition.selectionSet) {
+        for (const selection of definition.selectionSet.selections) {
+          if (selection.kind === 'Field' && selection.name.value === '__type') {
+            return true;
+          }
+        }
+      }
+    }
+    return false;
+  } catch (e) {
+    // If parsing fails, we assume it's not a valid query and let Apollo handle it
+    return false;
+  }
+};
+
+const throwIntrospectionError = () => {
+  throw new GraphQLError('Introspection is not allowed', {
+    extensions: {
+      http: {
+        status: 403,
+      },
+    }
+  });
+};
+
 const IntrospectionControlPlugin = (publicIntrospection) => ({
 
 
@@ -29,21 +61,20 @@ const IntrospectionControlPlugin = (publicIntrospection) => ({
         return;
       }
 
-      // Now we check if the query is an introspection query
-      // this check strategy should work in 99.99% cases
-      // we can have an issue if a user name a field or class __schemaSomething
-      // we want to avoid a full AST check
-      const isIntrospectionQuery =
-        requestContext.request.query?.includes('__schema')
-
-      if (isIntrospectionQuery) {
-        throw new GraphQLError('Introspection is not allowed', {
-          extensions: {
-            http: {
-              status: 403,
-            },
-          }
-        });
+      const query = requestContext.request.query;
+
+
+      // Fast path: simple string check for __schema
+      // This avoids parsing the query in most cases
+      if (query?.includes('__schema')) {
+        return throwIntrospectionError();
+      }
+
+      // Smart check for __type: only parse if the string is present
+      // This avoids false positives (e.g., "__type" in strings or comments)
+      // while still being efficient for the common case
+      if (query?.includes('__type') && hasTypeIntrospection(query)) {
+        return throwIntrospectionError();
       }
     },
 
