Add first set of rule information

SonarSource · Sep 29, 2023 · 4b0ad03 · 4b0ad03
1 parent 0e4b5da
commit 4b0ad03
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 21 deletions.
diff --git a/rules/S6786/common/fix/disable.adoc b/rules/S6786/common/fix/disable.adoc
@@ -0,0 +1,15 @@
+==== Disabling introspection
+
+The GraphQL server framework should be instructed to disable introspection. This
+prevents any attempt to retrieve schema information from the server at runtime.
+
+Each GraphQL framework will have a different method of doing this, possibly
+including:
+
+* Changing a simple boolean setting.
+* Adding a middleware module to the request processing chain.
+* Adding a GraphQL validator that rejects introspection keywords.
+
+If introspection is required, it should only be made available to the smallest
+possible audience. This could include development environments, users with a
+specific right, or requests from a specific set of IP addresses.
diff --git a/rules/S6786/common/resources/standards.adoc b/rules/S6786/common/resources/standards.adoc
diff --git a/rules/S6786/python/metadata.json b/rules/S6786/python/metadata.json
@@ -1,12 +1,13 @@
 {
-  "title": "FIXME",
-  "type": "CODE_SMELL",
+  "title": "GraphQL introspection should not be allowed",
+  "type": "VULNERABILITY",
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
-    "constantCost": "5min"
+    "constantCost": "1h"
   },
   "tags": [
+    "cwe"
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-6786",
@@ -16,10 +17,33 @@
   "quickfix": "unknown",
   "code": {
     "impacts": {
-      "MAINTAINABILITY": "HIGH",
-      "RELIABILITY": "MEDIUM",
-      "SECURITY": "LOW"
+      "SECURITY": "MEDIUM"
     },
-    "attribute": "CONVENTIONAL"
+    "attribute": "TRUSTWORTHY"
+  },
+  "securityStandards": {
+    "CWE": [
+
+    ],
+    "OWASP": [
+
+    ],
+    "CERT": [
+
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
   }
 }
diff --git a/rules/S6786/python/rule.adoc b/rules/S6786/python/rule.adoc
@@ -1,13 +1,8 @@
-FIXME: add a description
-
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
+include::../summary.adoc[]
 
 == Why is this an issue?
 
-FIXME: remove the unused optional headers (that are commented out)
-
-//=== What is the potential impact?
+include::../rationale.adoc[]
 
 == How to fix it
 //== How to fix it in FRAMEWORK NAME
@@ -16,29 +11,54 @@ FIXME: remove the unused optional headers (that are commented out)
 
 ==== Noncompliant code example
 
-[source,text,diff-id=1,diff-type=noncompliant]
+[source,python,diff-id=1,diff-type=noncompliant]
 ----
-FIXME
+from graphql_server.flask import GraphQLView
+
+app.add_url_rule("/api",
+    view_func=GraphQLView.as_view(  # Noncompliant
+        name="api",
+        schema=schema,
+    )
+)
 ----
 
 ==== Compliant solution
 
-[source,text,diff-id=1,diff-type=compliant]
+[source,python,diff-id=1,diff-type=compliant]
 ----
-FIXME
+from graphql_server.flask import GraphQLView
+from graphql.validation import NoSchemaIntrospectionCustomRule
+
+app.add_url_rule("/api",
+    view_func=GraphQLView.as_view(
+        name="api",
+        schema=schema,
+        validation_rules=[
+            NoSchemaIntrospectionCustomRule
+        ]
+    )
+)
 ----
 
-//=== How does this work?
+=== How does this work?
+
+include::../common/fix/disable.adoc[]
 
 //=== Pitfalls
 
 //=== Going the extra mile
 
 
-//== Resources
+== Resources
+
+include::../common/resources/standards.adoc[]
+
 //=== Documentation
 //=== Articles & blog posts
 //=== Conference presentations
-//=== Standards
+
+=== Standards
+
 //=== External coding guidelines
 //=== Benchmarks
diff --git a/rules/S6786/rationale.adoc b/rules/S6786/rationale.adoc
@@ -0,0 +1,32 @@
+GraphQL introspection is a feature that allows client applications to query the
+schema of a GraphQL API at runtime. It provides a way for developers to explore
+and understand the available data and operations supported by the API.
+
+While this feature is useful, it also creates risks if not properly secured.
+
+=== What is the potential impact?
+
+An attacker can use introspection to identify all of the operations and data
+types supported by the server. This information can then be used to identify
+potential targets for attacks.
+
+==== Exploitation of private APIs
+
+Even when a GraphQL API server is open to access by third-party applications, it
+may contain APIs that are intended only for private use. Introspection allows
+these private APIs to be discovered.
+
+Private APIs often do not receive the same level of security rigor as public
+APIs. For example, they may skip input validation because the API is only
+expected to be called from trusted applications. This can create avenues for
+attack that are not present on public APIs.
+
+==== Exposure of sensitive data
+
+GraphQL allows for multiple related objects to be retrieved using a single API
+call. This provides an efficient method of obtaining data for use in a client
+application.
+
+An attacker may be able to use these relationships between objects to traverse
+the data structure. They may be able to find a link to sensitive data that the
+developer did not intentionally make available.
diff --git a/rules/S6786/summary.adoc b/rules/S6786/summary.adoc
@@ -0,0 +1,3 @@
+This vulnerability exposes information about all the APIs available on a GraphQL
+API server. This information can be used to discover weaknesses in the API than
+can be exploited.