Class GoodFaithIntrospection


  • @PublicApi
    public class GoodFaithIntrospection
    extends java.lang.Object
    This Instrumentation ensures that a submitted introspection query is done in good faith.

    There are attack vectors where a crafted introspection query can cause the engine to spend too much time producing introspection data. This is especially true on large schemas with lots of types and fields.

    Schemas form a cyclic graph, so it is possible to send in introspection queries that reference those cycles; in large schemas this can be expensive and perhaps amount to a "denial of service".

    This instrumentation only allows one __schema field or one __type field to be present, and it does not allow the `__Type` fields to form a cycle, i.e., they can only be present once. This allows the standard and common introspection queries to work, so tooling such as graphiql can work.

    • Field Detail

      • GOOD_FAITH_INTROSPECTION_DISABLED

        public static final java.lang.String GOOD_FAITH_INTROSPECTION_DISABLED
        Placing a boolean value under this key in the per-request GraphQLContext will enable or disable Good Faith Introspection on that request.
        See Also:
        Constant Field Values
    • Constructor Detail

      • GoodFaithIntrospection

        public GoodFaithIntrospection()
    • Method Detail

      • isEnabledJvmWide

        public static boolean isEnabledJvmWide()
        Returns:
        true if good faith introspection is enabled
      • enabledJvmWide

        public static boolean enabledJvmWide(boolean flag)
        This allows you to disable good faith introspection, which is on by default.
        Parameters:
        flag - the desired state
        Returns:
        the previous state
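
The following usage sketch is an added example, not part of the original Javadoc or the project's own code. It checks the JVM-wide switch at startup, limits the per-request opt-out to trusted callers, and restores the previous state after a temporary change. Assumptions: the graphql-java package names in the imports, the hypothetical `buildInput` helper and `trustedCaller` flag, the constructed one-field schema, and that a value of `true` under the key disables the check (inferred from the key's name).

```java
import graphql.ExecutionInput;
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.introspection.GoodFaithIntrospection;
import graphql.introspection.IntrospectionQuery;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import java.util.Map;

public class GoodFaithIntrospectionExample {
    // Hypothetical helper: only callers the application already trusts
    // (for example internal schema tooling) may opt a request out of the check.
    static ExecutionInput buildInput(String query, boolean trustedCaller) {
        ExecutionInput.Builder input = ExecutionInput.newExecutionInput().query(query);
        if (trustedCaller) {
            // Assumption: `true` under this key disables the check for this request only.
            Map<String, Object> ctx =
                    Map.of(GoodFaithIntrospection.GOOD_FAITH_INTROSPECTION_DISABLED, true);
            input.graphQLContext(ctx);
        }
        return input.build();
    }

    public static void main(String[] args) {
        // Fail fast if something else in this JVM has switched the check off.
        if (!GoodFaithIntrospection.isEnabledJvmWide()) {
            throw new IllegalStateException("good faith introspection is disabled JVM-wide");
        }

        // Constructed one-field schema, used only to have something to introspect.
        GraphQLSchema schema = new SchemaGenerator().makeExecutableSchema(
                new SchemaParser().parse("type Query { hello: String }"),
                RuntimeWiring.newRuntimeWiring().build());
        GraphQL graphQL = GraphQL.newGraphQL(schema).build();

        // The standard introspection query from an untrusted caller runs with the check on.
        ExecutionResult result =
                graphQL.execute(buildInput(IntrospectionQuery.INTROSPECTION_QUERY, false));
        System.out.println("errors with check on: " + result.getErrors());

        // enabledJvmWide returns the previous state, so a temporary change can be undone.
        boolean previous = GoodFaithIntrospection.enabledJvmWide(false);
        try {
            System.out.println("enabled now: " + GoodFaithIntrospection.isEnabledJvmWide());
        } finally {
            GoodFaithIntrospection.enabledJvmWide(previous);
        }
    }
}
```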