fix: block fragment with introspection

Author: Moumouls

spec/ParseGraphQLServer.spec.js

@@ -770,6 +770,30 @@ describe('ParseGraphQLServer', () => {
           }
         });
 
+        it('should block __type introspection in fragments without master key', async () => {
+          try {
+            await apolloClient.query({
+              query: gql`
+                fragment TypeIntrospectionFields on Query {
+                  typeInfo: __type(name: "User") {
+                    name
+                    kind
+                  }
+                }
+                
+                query FragmentTypeIntrospection {
+                  ...TypeIntrospectionFields
+                }
+              `,
+            });
+
+            fail('should have thrown an error');
+          } catch (e) {
+            expect(e.message).toEqual('Response not successful: Received status code 403');
+            expect(e.networkError.result.errors[0].message).toEqual('Introspection is not allowed');
+          }
+        });
+
         it('should allow __type introspection with master key', async () => {
           const introspection = await apolloClient.query({
             query: gql`

src/GraphQL/ParseGraphQLServer.js

@@ -20,7 +20,7 @@ const hasTypeIntrospection = (query) => {
     // Note: selection.name.value is the actual field name, so this correctly handles
     // aliases like "myAlias: __type(...)" where name.value === "__type"
     for (const definition of ast.definitions) {
-      if (definition.kind === 'OperationDefinition' && definition.selectionSet) {
+      if ((definition.kind === 'OperationDefinition' || definition.kind === 'FragmentDefinition') && definition.selectionSet) {
         for (const selection of definition.selectionSet.selections) {
           if (selection.kind === 'Field' && selection.name.value === '__type') {
             // GraphQL's introspection __type field requires a 'name' argument