fix: Disallow batched queries in GraphQL endpoint (#10050)

* Disallow multiple queries in GraphQL endpoint * Fix mix credo * Add Plug.Parsers to each pipeline * Process review comments * Process review comments
6 months ago · 5bbf68e756
parent def8a1aed0
commit 5bbf68e756
10 changed files with 163 additions and 13 deletions
--- a/apps/block_scout_web/lib/block_scout_web/admin_router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/admin_router.ex
@ -9,6 +9,15 @@ defmodule BlockScoutWeb.AdminRouter do
  alias BlockScoutWeb.Plug.Admin.{CheckOwnerRegistered, RequireAdminRole}
  pipeline :browser do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 10_000,
      query_string_length: 5_000,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(:accepts, ["html"])
    plug(:fetch_session)
    plug(:fetch_flash)
--- a/apps/block_scout_web/lib/block_scout_web/api_key_v2_router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/api_key_v2_router.ex
@ -6,6 +6,15 @@ defmodule BlockScoutWeb.APIKeyV2Router do
  alias BlockScoutWeb.Plug.{CheckApiV2, Logger}
  pipeline :api_v2 do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 10_000,
      query_string_length: 5_000,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(Logger, application: :api_v2)
    plug(:accepts, ["json"])
    plug(CheckApiV2)
--- a/apps/block_scout_web/lib/block_scout_web/api_router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/api_router.ex
@ -16,22 +16,52 @@ defmodule BlockScoutWeb.ApiRouter do
  alias BlockScoutWeb.{AddressTransactionController, APIKeyV2Router, SmartContractsApiV2Router, UtilsApiV2Router}
  alias BlockScoutWeb.Plug.{CheckAccountAPI, CheckApiV2, RateLimit}
  @max_query_string_length 5_000
  forward("/v2/smart-contracts", SmartContractsApiV2Router)
  forward("/v2/key", APIKeyV2Router)
  forward("/v2/utils", UtilsApiV2Router)
  pipeline :api do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 20_000_000,
      query_string_length: @max_query_string_length,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :api)
    plug(:accepts, ["json"])
  end
  pipeline :account_api do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 100_000,
      query_string_length: @max_query_string_length,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :api)
    plug(:accepts, ["json"])
    plug(:fetch_session)
    plug(:protect_from_forgery)
    plug(CheckAccountAPI)
  end
  pipeline :api_v2 do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      query_string_length: @max_query_string_length,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :api_v2)
    plug(:accepts, ["json"])
    plug(CheckApiV2)
@ -41,6 +71,14 @@ defmodule BlockScoutWeb.ApiRouter do
  end
  pipeline :api_v2_no_session do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      query_string_length: @max_query_string_length,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :api_v2)
    plug(:accepts, ["json"])
    plug(CheckApiV2)
@ -48,6 +86,13 @@ defmodule BlockScoutWeb.ApiRouter do
  end
  pipeline :api_v1_graphql do
    plug(
      Plug.Parsers,
      parsers: [:json, Absinthe.Plug.Parser],
      json_decoder: Poison,
      body_reader: {BlockScoutWeb.GraphQL.BodyReader, :read_body, []}
    )
    plug(BlockScoutWeb.Plug.Logger, application: :api)
    plug(:accepts, ["json"])
    plug(RateLimit, graphql?: true)
@ -57,7 +102,6 @@ defmodule BlockScoutWeb.ApiRouter do
  alias BlockScoutWeb.API.V2
  scope "/account/v2", as: :account_v2 do
    pipe_through(:api)
    pipe_through(:account_api)
    get("/authenticate", AuthenticateController, :authenticate_get)
--- a/apps/block_scout_web/lib/block_scout_web/endpoint.ex
+++ b/apps/block_scout_web/lib/block_scout_web/endpoint.ex
@ -43,15 +43,6 @@ defmodule BlockScoutWeb.Endpoint do
  plug(Plug.RequestId)
  plug(
    Plug.Parsers,
    parsers: [:urlencoded, :multipart, :json],
    length: 20_000_000,
    query_string_length: 1_000_000,
    pass: ["*/*"],
    json_decoder: Poison
  )
  plug(Plug.MethodOverride)
  plug(Plug.Head)
--- a/apps/block_scout_web/lib/block_scout_web/graphql/body_reader.ex
+++ b/apps/block_scout_web/lib/block_scout_web/graphql/body_reader.ex
@ -0,0 +1,35 @@
 defmodule BlockScoutWeb.GraphQL.BodyReader do
  @moduledoc """
  This module is responsible for reading the body of a graphql request and counting the number of queries in the body.
  """
  alias Plug.Conn
  @max_number_of_queries 1
  def read_body(conn, opts) do
    {:ok, body, conn} = Conn.read_body(conn, opts)
    updated_conn = update_in(conn.assigns[:raw_body], &[body | &1 || []])
    json_body = Jason.decode!(body)
    json_body_length =
      if is_list(json_body) do
        Enum.count(json_body)
      else
        1
      end
    error = %{errors: [%{message: "Max batch size is 1"}]}
    if json_body_length > @max_number_of_queries do
      {:ok, "",
       updated_conn
       |> Conn.put_resp_content_type("application/json")
       |> Conn.resp(400, Jason.encode!(error))
       |> Conn.halt()}
    else
      {:ok, body, updated_conn}
    end
  end
 end
--- a/apps/block_scout_web/lib/block_scout_web/router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/router.ex
@ -4,11 +4,22 @@ defmodule BlockScoutWeb.Router do
  alias BlockScoutWeb.Plug.{GraphQL, RateLimit}
  alias BlockScoutWeb.{ApiRouter, WebRouter}
  @max_query_string_length 5_000
  if Application.compile_env(:block_scout_web, :admin_panel_enabled) do
    forward("/admin", BlockScoutWeb.AdminRouter)
  end
  pipeline :browser do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 100_000,
      query_string_length: @max_query_string_length,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :block_scout_web)
    plug(:accepts, ["html"])
    plug(:fetch_session)
@ -18,11 +29,27 @@ defmodule BlockScoutWeb.Router do
  end
  pipeline :api do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 20_000_000,
      query_string_length: @max_query_string_length,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :api)
    plug(:accepts, ["json"])
  end
  pipeline :api_v1_graphql do
    plug(
      Plug.Parsers,
      parsers: [:json, Absinthe.Plug.Parser],
      json_decoder: Poison,
      body_reader: {BlockScoutWeb.GraphQL.BodyReader, :read_body, []}
    )
    plug(BlockScoutWeb.Plug.Logger, application: :api)
    plug(:accepts, ["json"])
    plug(RateLimit, graphql?: true)
--- a/apps/block_scout_web/lib/block_scout_web/smart_contracts_api_v2_router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/smart_contracts_api_v2_router.ex
@ -7,6 +7,15 @@ defmodule BlockScoutWeb.SmartContractsApiV2Router do
  alias BlockScoutWeb.Plug.{CheckApiV2, RateLimit}
  pipeline :api_v2_no_forgery_protect do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 20_000_000,
      query_string_length: 5_000,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :api_v2)
    plug(:accepts, ["json"])
    plug(CheckApiV2)
--- a/apps/block_scout_web/lib/block_scout_web/utils_api_v2_router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/utils_api_v2_router.ex
@ -7,6 +7,15 @@ defmodule BlockScoutWeb.UtilsApiV2Router do
  alias BlockScoutWeb.Plug.{CheckApiV2, RateLimit}
  pipeline :api_v2_no_forgery_protect do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 100_000,
      query_string_length: 5_000,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :api_v2)
    plug(:accepts, ["json"])
    plug(CheckApiV2)
--- a/apps/block_scout_web/lib/block_scout_web/web_router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/web_router.ex
@ -7,7 +7,18 @@ defmodule BlockScoutWeb.WebRouter do
  alias BlockScoutWeb.Plug.CheckAccountWeb
  @max_query_string_length 5_000
  pipeline :browser do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 20_000_000,
      query_string_length: @max_query_string_length,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :block_scout_web)
    plug(:accepts, ["html"])
    plug(:fetch_session)
@ -18,6 +29,15 @@ defmodule BlockScoutWeb.WebRouter do
  end
  pipeline :account do
    plug(
      Plug.Parsers,
      parsers: [:urlencoded, :multipart, :json],
      length: 100_000,
      query_string_length: @max_query_string_length,
      pass: ["*/*"],
      json_decoder: Poison
    )
    plug(BlockScoutWeb.Plug.Logger, application: :block_scout_web)
    plug(:accepts, ["html"])
    plug(:fetch_session)
--- a/config/runtime.exs
+++ b/config/runtime.exs
@ -117,9 +117,6 @@ config :block_scout_web, Api.GraphQL,
      "0x69e3923eef50eada197c3336d546936d0c994211492c9f947a24c02827568f9f"
    ),
  enabled: ConfigHelper.parse_bool_env_var("API_GRAPHQL_ENABLED", "true"),
  token_limit: ConfigHelper.parse_integer_env_var("API_GRAPHQL_TOKEN_LIMIT", 1000),
  # Needs to be 215 to support the schema introspection for graphiql
  max_complexity: ConfigHelper.parse_integer_env_var("API_GRAPHQL_MAX_COMPLEXITY", 215),
  rate_limit_disabled?: ConfigHelper.parse_bool_env_var("API_GRAPHQL_RATE_LIMIT_DISABLED"),
  global_limit: ConfigHelper.parse_integer_env_var("API_GRAPHQL_RATE_LIMIT", default_graphql_rate_limit),
  limit_by_key: ConfigHelper.parse_integer_env_var("API_GRAPHQL_RATE_LIMIT_BY_KEY", default_graphql_rate_limit),