fix: Data schema exposed via GraphQL API public introspection (GHSA-48q3-prgv-gm4w) (#9819)

2025-07-10 04:25:09 +02:00
parent 2c29756038
commit c58b2eb6eb
8 changed files with 193 additions and 22 deletions
--- a/spec/SecurityCheckGroups.spec.js
+++ b/spec/SecurityCheckGroups.spec.js
@@ -33,6 +33,7 @@ describe('Security Check Groups', () => {
      config.security.enableCheckLog = false;
      config.allowClientClassCreation = false;
      config.enableInsecureAuthAdapters = false;
+      config.graphQLPublicIntrospection = false;
      await reconfigureServer(config);

      const group = new CheckGroupServerConfig();
@@ -41,12 +42,14 @@ describe('Security Check Groups', () => {
      expect(group.checks()[1].checkState()).toBe(CheckState.success);
      expect(group.checks()[2].checkState()).toBe(CheckState.success);
      expect(group.checks()[4].checkState()).toBe(CheckState.success);
+      expect(group.checks()[5].checkState()).toBe(CheckState.success);
    });

    it('checks fail correctly', async () => {
      config.masterKey = 'insecure';
      config.security.enableCheckLog = true;
      config.allowClientClassCreation = true;
+      config.graphQLPublicIntrospection = true;
      await reconfigureServer(config);

      const group = new CheckGroupServerConfig();
@@ -55,6 +58,7 @@ describe('Security Check Groups', () => {
      expect(group.checks()[1].checkState()).toBe(CheckState.fail);
      expect(group.checks()[2].checkState()).toBe(CheckState.fail);
      expect(group.checks()[4].checkState()).toBe(CheckState.fail);
+      expect(group.checks()[5].checkState()).toBe(CheckState.fail);
    });
  });