Skip to content

AbsintheSecurity provides utilities to improve the security posture of APIs built with Absinthe GraphQL.

License

Notifications You must be signed in to change notification settings

mirego/absinthe_security

Repository files navigation


AbsintheSecurity provides utilities to improve the security posture of APIs built with Absinthe GraphQL.

Installation

Add absinthe_security to the deps function in your project’s mix.exs file:

defp deps do
  [
    {:absinthe_security, "~> 0.1"}
  ]
end

Then run mix do deps.get, deps.compile inside your project’s directory.

Usage

First, initialize Absinthe.Plug with a custom configuration:

forward("/graphql",
  to: Absinthe.Plug,
  init_opts: MyAppGraphQL.configuration()
)

Your custom configuration (with all of AbsintheSecurity’s checks) might look like this:

defmodule MyAppGraphQL do
  def configuration do
    [schema: MyAppGraphQL.Schema, pipeline: {__MODULE__, :absinthe_pipeline}]
  end

  def absinthe_pipeline(config, options) do
    options = Absinthe.Pipeline.options(options)

    config
    |> Absinthe.Plug.default_pipeline(options)
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.IntrospectionCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, {AbsintheSecurity.Phase.FieldSuggestionsCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxAliasesCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDepthCheck, options})
    |> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDirectivesCheck, options})
  end
end

AbsintheSecurity.Phase.IntrospectionCheck

Disable schema introspection queries at runtime.

Configuration

config :absinthe_security, AbsintheSecurity.Phase.IntrospectionCheck,
  enable_introspection: System.get_env("GRAPHQL_ENABLE_INTROSPECTION")

Pipeline

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.IntrospectionCheck, options})

Reference

https://docs.escape.tech/vulnerabilities/information_disclosure/introspection_enabled

AbsintheSecurity.Phase.DisableFieldSuggestions

Disable field suggestions in responses at runtime.

Configuration

config :absinthe_security, AbsintheSecurity.Phase.FieldSuggestionsCheck,
  enable_field_suggestions: System.get_env("GRAPHQL_ENABLE_FIELD_SUGGESTIONS")

Pipeline

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Result, {AbsintheSecurity.Phase.FieldSuggestionsCheck, options})

Reference

https://docs.escape.tech/vulnerabilities/information_disclosure/graphql_field_suggestion

AbsintheSecurity.Phase.MaxAliasesCheck

Restrict the number of aliases that can be used in queries.

Configuration

config :absinthe_security, AbsintheSecurity.Phase.MaxAliasesCheck,
  max_alias_count: 100

Pipeline

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxAliasesCheck, options})

Reference

https://docs.escape.tech/vulnerabilities/resource_limitation/graphql_alias_limit

AbsintheSecurity.Phase.MaxDepthCheck

Restrict the depth level that can be used in queries.

Configuration

config :absinthe_security, AbsintheSecurity.Phase.MaxDepthCheck,
  max_depth_count: 100

Pipeline

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDepthCheck, options})

Reference

https://docs.escape.tech/vulnerabilities/resource_limitation/graphql_depth_limit

AbsintheSecurity.Phase.MaxDirectivesCheck

Restrict the number of directives that can be used in queries.

Configuration

config :absinthe_security, AbsintheSecurity.Phase.MaxDirectivesCheck,
  max_directive_count: 100

Pipeline

|> Absinthe.Pipeline.insert_after(Absinthe.Phase.Document.Complexity.Result, {AbsintheSecurity.Phase.MaxDirectivesCheck, options})

Reference

https://docs.escape.tech/vulnerabilities/resource_limitation/graphql_directive_overload

License

AbsintheSecurity is © 2023 Mirego and may be freely distributed under the New BSD license. See the LICENSE.md file.

About Mirego

Mirego is a team of passionate people who believe that work is a place where you can innovate and have fun. We’re a team of talented people who imagine and build beautiful Web and mobile applications. We come together to share ideas and change the world.

We also love open-source software and we try to give back to the community as much as we can.