Package graphql.introspection

Class GoodFaithIntrospection

java.lang.Object

graphql.introspection.GoodFaithIntrospection

@PublicApi
public class GoodFaithIntrospection
extends Object

This Instrumentation ensure that a submitted introspection query is done in good faith.

There are attack vectors where a crafted introspection query can cause the engine to spend too much time producing introspection data. This is especially true on large schemas with lots of types and fields.

Schemas form a cyclic graph and hence it's possible to send in introspection queries that can reference those cycles and in large schemas this can be expensive and perhaps a "denial of service".

This instrumentation only allows one __schema field or one __type field to be present, and it does not allow the `__Type` fields to form a cycle, i.e., that can only be present once. This allows the standard and common introspection queries to work so tooling such as graphiql can work.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	GoodFaithIntrospection.BadFaithIntrospectionError

Field Summary

Fields

Modifier and Type	Field	Description
static final String	GOOD_FAITH_INTROSPECTION_DISABLED	Placing a boolean value under this key in the per request GraphQLContext will enable or disable Good Faith Introspection on that request.
static final int	GOOD_FAITH_MAX_DEPTH_COUNT	This is the maximum depth a good faith introspection query can be
static final int	GOOD_FAITH_MAX_FIELDS_COUNT	This is the maximum number of executable fields that can be in a good faith introspection query

Constructor Summary

Constructors

Constructor	Description
GoodFaithIntrospection()

Method Summary

Modifier and Type	Method	Description
static Optional<ExecutionResult>	checkIntrospection(ExecutionContext executionContext)
static boolean	enabledJvmWide(boolean flag)	This allows you to disable good faith introspection, which is on by default.
static boolean	isEnabledJvmWide()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

GOOD_FAITH_INTROSPECTION_DISABLED

public static final String GOOD_FAITH_INTROSPECTION_DISABLED

Placing a boolean value under this key in the per request GraphQLContext will enable or disable Good Faith Introspection on that request.

See Also:

• Constant Field Values

GOOD_FAITH_MAX_FIELDS_COUNT

public static final int GOOD_FAITH_MAX_FIELDS_COUNT

This is the maximum number of executable fields that can be in a good faith introspection query

See Also:

• Constant Field Values

GOOD_FAITH_MAX_DEPTH_COUNT

public static final int GOOD_FAITH_MAX_DEPTH_COUNT

This is the maximum depth a good faith introspection query can be

See Also:

• Constant Field Values

Constructor Details

GoodFaithIntrospection

public GoodFaithIntrospection()

Method Details

isEnabledJvmWide

public static boolean isEnabledJvmWide()

Returns:

true if good faith introspection is enabled

enabledJvmWide

public static boolean enabledJvmWide(boolean flag)

This allows you to disable good faith introspection, which is on by default.

Parameters:

flag - the desired state

Returns:

the previous state

checkIntrospection

public static Optional<ExecutionResult> checkIntrospection(ExecutionContext executionContext)