
Technical Information Leak - API - Elixir


Need

Prevent exposing GraphQL API Schema Structure to unauthorized users.


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Absinthe for building GraphQL APIs in Elixir

Description

Insecure Code Example

defmodule MyAppWeb.Schema do
  use Absinthe.Schema

  query do
    # Queries defined here
  end

  mutation do
    # Mutations defined here
  end
end

# Router configuration
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # GraphiQL is mounted unconditionally, so the interface and the
  # introspection queries it issues are reachable in production as well.
  forward "/graphiql", Absinthe.Plug.GraphiQL, schema: MyAppWeb.Schema
end

This code is insecure because it mounts GraphiQL, and with it introspection queries, in every environment including production, allowing anyone to retrieve the entire GraphQL API Schema Structure. This can lead to information leakage, helping an attacker to craft more targeted attacks.

Steps

  1. Disable introspection queries in the production environment.
  2. Configure Absinthe to conditionally enable introspection queries based on the environment or other criteria.
  3. Review your GraphQL server's configuration to ensure that no sensitive schema information is exposed.

Secure Code Example

defmodule MyAppWeb.Schema do
  use Absinthe.Schema

  query do
    # Queries defined here
  end

  mutation do
    # Mutations defined here
  end
end

# Router configuration
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Mix.env() is evaluated when the router is compiled, so the route is
  # simply absent from a production build. Mix is not available at runtime
  # in releases, which is why this check cannot be done per request.
  if Mix.env() != :prod do
    forward "/graphiql", Absinthe.Plug.GraphiQL, schema: MyAppWeb.Schema
  end
end

This code is secure because the GraphiQL route, and the introspection queries it issues, are compiled out of the production build. Introspection is only reachable in non-production environments, reducing the risk of information leakage.
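Removing the GraphiQL route does not stop introspection on a plain Absinthe.Plug endpoint that production still serves, so step 2 above also needs a check inside the Absinthe pipeline. The following is an added example, not code from the original page or from Absinthe itself: a phase that rejects any document selecting the `__schema` or `__type` fields, wired in through the `:pipeline` option of Absinthe.Plug. The module names, the "/api" path and the `:my_app`/`:allow_introspection` config key are assumptions.

```elixir
defmodule MyAppWeb.Schema.RejectIntrospection do
  @moduledoc "Absinthe phase that fails any document selecting __schema or __type."
  use Absinthe.Phase

  alias Absinthe.Blueprint
  alias Absinthe.Blueprint.Document.Field

  @introspection_fields ["__schema", "__type"]

  @impl Absinthe.Phase
  def run(%Blueprint{} = blueprint, _opts) do
    # prewalk/3 visits every selection in operations and fragments, so an
    # introspection field hidden in a fragment or behind an alias is still
    # matched: `name` is the schema field name, never the alias.
    {_, found?} =
      Blueprint.prewalk(blueprint, false, fn
        %Field{name: name} = node, _acc when name in @introspection_fields -> {node, true}
        node, acc -> {node, acc}
      end)

    # Returning {:error, msg} aborts the pipeline before validation and
    # execution; Absinthe.Plug reports it to the client as a request error.
    if found?, do: {:error, "introspection is disabled"}, else: {:ok, blueprint}
  end
end

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Assumed runtime flag, e.g. in config/runtime.exs:
  #   config :my_app, allow_introspection: config_env() != :prod
  forward "/api", Absinthe.Plug,
    schema: MyAppWeb.Schema,
    pipeline: {__MODULE__, :graphql_pipeline}

  # Called by Absinthe.Plug on every request to build the phase list.
  def graphql_pipeline(config, pipeline_opts) do
    pipeline = Absinthe.Plug.default_pipeline(config, pipeline_opts)

    if Application.get_env(:my_app, :allow_introspection, false) do
      pipeline
    else
      # Insert right after Absinthe.Phase.Blueprint, the phase that turns
      # the parsed document into the Blueprint nodes the check above walks.
      Absinthe.Pipeline.insert_after(pipeline, Absinthe.Phase.Blueprint, MyAppWeb.Schema.RejectIntrospection)
    end
  end
end
```

If GraphiQL is also mounted in some environments, pass the same `pipeline:` option to Absinthe.Plug.GraphiQL so both routes share the check.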


References

  • 238 - Technical Information Leak - API

  • Last updated: 2023/09/18