For compliance reasons we need to remove introspection queries in production for AppSync endpoints. What is the best way to disable introspection queries with AppSync?
I don't see any settings for this in AppSync.
If you are using graphql-spring-boot, according to the graphql-java-tools README, you can disable the introspection query by setting the graphql.tools.introspection-enabled property to false in your application.
What is it? GraphQL introspection enables you to query a GraphQL server for information about the underlying schema. This includes data like types, fields, queries, mutations, and even the field-level descriptions.
The thing to understand here is that GraphQL, like any REST API, is vulnerable to many of the same attacks a REST API might be prone to. I'll list some of them below, but the most interesting thing, and the reason for making this entire post, is the infamous introspection query bug.
AWS AppSync is a serverless GraphQL and Pub/Sub API service that simplifies building modern web and mobile applications. AWS AppSync GraphQL APIs simplify application development by providing a single endpoint to securely query or update data from multiple databases, microservices, and APIs.
I used AWS WAF with a rule that blocks any query containing the string __schema, which I then associated with my AppSync endpoint -- which uses OpenID for authentication (see this page: https://docs.aws.amazon.com/appsync/latest/devguide/WAF-Integration.html).
The rule, if you want to just copy and paste it into the console:
{
  "Name": "BodyRule",
  "Priority": 5,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BodyRule"
  },
  "Statement": {
    "ByteMatchStatement": {
      "FieldToMatch": {
        "Body": {}
      },
      "PositionalConstraint": "CONTAINS",
      "SearchString": "__schema",
      "TextTransformations": [
        {
          "Type": "LOWERCASE",
          "Priority": 0
        }
      ]
    }
  }
}
And the CloudFormation definitions:
AppSyncIntrospectionWebACL:
  Type: AWS::WAFv2::WebACL
  Properties:
    Name: BlockIntrospectionWebACL
    DefaultAction:
      Allow: {}
    Description: Block GraphQL introspection queries
    Scope: REGIONAL
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: BlockIntrospectionMetric
    Rules:
      - Name: BlockIntrospectionQueries
        Priority: 0
        Action:
          Block: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: BlockedIntrospection
        Statement:
          ByteMatchStatement:
            FieldToMatch:
              Body: {}
            PositionalConstraint: CONTAINS
            SearchString: __schema
            TextTransformations:
              - Type: LOWERCASE
                Priority: 0
AppSyncIntrospectionWebACLAssociation:
  Type: AWS::WAFv2::WebACLAssociation
  Properties:
    ResourceArn: !GetAtt AppSyncAPI.Arn
    WebACLArn: !GetAtt AppSyncIntrospectionWebACL.Arn
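The WAF rule above is a plain substring match: the body is lowercased and then checked for "__schema". The following Python is an added example (not from the answer above or from AWS) that replays that exact rule logic over a few constructed request bodies and puts a schema-aware detector beside it, so you can see what the rule catches and what it does not. The sample bodies, the function names and the regex are all my own; nothing here calls the AWS API.

```python
import json
import re

# Constructed sample request bodies in the shape AppSync receives
# (a JSON envelope with a "query" field). None of these come from the page.
SAMPLE_BODIES = {
    "introspection_schema": json.dumps({
        "query": "query IntrospectionQuery { __schema { types { name } } }"
    }),
    # Introspects through the other root field; the page's rule does not look for it.
    "introspection_type": json.dumps({
        "query": '{ __type(name: "Query") { fields { name } } }'
    }),
    # Field names are case-sensitive in GraphQL, so this is an invalid query,
    # but it shows what the LOWERCASE transformation does to the match.
    "mixed_case": json.dumps({"query": "{ __SCHEMA { queryType { name } } }"}),
    # Many clients add __typename to every selection set; it is not introspection.
    "apollo_client": json.dumps({"query": "query Me { me { id __typename } }"}),
    "plain": json.dumps({"query": "{ posts { id title } }"}),
}


def waf_body_rule_blocks(body: str) -> bool:
    """Mirror the ByteMatchStatement from the page: LOWERCASE, then CONTAINS "__schema".

    This reproduces the rule's semantics locally; it is not an AWS SDK call.
    """
    return "__schema" in body.lower()


# Whole-field match for the two introspection root fields. The trailing \b means
# "__typename" (a normal meta field) does not count, because "e" and "n" are both
# word characters, so no boundary sits between them.
INTROSPECTION_FIELD = re.compile(r"__(?:schema|type)\b", re.IGNORECASE)


def introspection_fields(body: str) -> list[str]:
    """Return the introspection root fields referenced by a request body.

    Unwraps the JSON envelope first; a non-JSON body is scanned as-is so that
    a malformed request is still inspected rather than silently passed.
    """
    try:
        query = json.loads(body).get("query", "")
    except (ValueError, AttributeError):
        query = body
    return sorted({m.group(0).lower() for m in INTROSPECTION_FIELD.finditer(query)})


def classify(body: str) -> dict:
    """Summarise both checks for one request body."""
    fields = introspection_fields(body)
    return {
        "waf_rule_blocks": waf_body_rule_blocks(body),
        "introspection_fields": fields,
        "is_introspection": bool(fields),
    }


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:22} {classify(body)}")
```

Two things the replay makes visible. First, a request that uses only the __type root field passes the substring rule, so a web ACL meant to cover all introspection needs a second match for "__type" as a whole field name rather than a bare CONTAINS "__type", which would also block every client that sends __typename. Second, AWS WAF only inspects a limited prefix of the request body (8 KB by default for regional web ACLs), so pair the rule with the oversize-body handling setting that fits your risk tolerance and watch the BlockedIntrospection metric in CloudWatch to confirm the rule is actually firing.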