
Disable suggestions in errors message


Context

We have some mutation defined:

  extend type Mutation {
    updateUserDetail(input: UpdateUserDetailsInput!): UpdateUserDetailsPayload
  }

The user sends the following query:

mutation {
  updateUserDetil {
    user {
        id
    }
  }
}

The server will respond with an error containing the message: "message": "Cannot query field \"updateUserDetil\" on type \"Mutation\". Did you mean \"updateUserDetail\"?",

The problem

In the case of a private API, we generally want to avoid leaking information about our API. Disabling introspection is a good step, but the suggestions are leaking some information that can be used by attackers. This talk discusses this issue (from the perspective of a pentester).

Propositions

  1. Remove suggestions for any environment that is not development
  2. Add a setting to force override the previous change

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 15
  • Comments: 8 (1 by maintainers)

Top GitHub Comments

3 reactions
DeeJEarl88 commented, Dec 23, 2020

Just found a workaround for this and thought I'd share. Use the formatError feature and mask any errors you don't want the client seeing. In my case I mask them all.

const apolloServer = new ApolloServer({
  typeDefs: globalTypeDefs,
  resolvers: globalResolvers,
  context: () => {},
  dataSources: () => {}, // Apollo Server option is camelCase `dataSources`
  ...
  // Mask errors from clients to mitigate security attacks
  formatError: (err) => {
    if (process.env.APP_ENV === 'production') {
      captureException(err); // report the original error to the error tracker before masking it
      return new Error('Internal Server Error');
    }
    return err; // non-production: return the full error, suggestions included
  },
});
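The issue's two propositions (drop suggestions outside development, and allow an explicit override) and the comment above (mask everything in production) can be combined into a narrower formatError that removes only the "Did you mean ...?" clause graphql-js appends to validation errors, leaving the rest of the message, locations and error code intact. The following is an added example, not code from the issue thread, from Apollo Server or from graphql-js; the names stripSuggestions, makeFormatError and SUGGESTION_RE, and the sample error object, are assumptions made for this example.

```javascript
// Added example (not from the issue thread, Apollo Server or graphql-js).
// Strips only the suggestion clause from GraphQL error messages, keeps
// suggestions in development, and lets the caller force the behaviour.
// Names below and the constructed sample error are assumptions for this example.

// graphql-js appends suggestions as ' Did you mean "x", "y", or "z"?' at the
// end of the message. GraphQL names cannot contain '?', so matching the final
// clause is unambiguous.
const SUGGESTION_RE = / Did you mean [^?]*\?$/;

// Remove a trailing suggestion clause; non-string input is returned untouched.
function stripSuggestions(message) {
  if (typeof message !== 'string') return message;
  return message.replace(SUGGESTION_RE, '');
}

// Build the callback for `new ApolloServer({ formatError })`.
//  - allowSuggestions: true only in development by default (proposition 1);
//    pass an explicit boolean to override that default (proposition 2).
//  - onError: optional reporting hook (e.g. an error tracker), called with the
//    original, unmodified error before anything is stripped.
function makeFormatError({
  env = process.env.NODE_ENV,
  allowSuggestions = env === 'development',
  onError = () => {},
} = {}) {
  return (err) => {
    onError(err);
    if (allowSuggestions) return err;
    // Return a new formatted error rather than mutating the GraphQLError;
    // locations, path and extensions (including the error code) are kept so
    // clients can still branch on them.
    return {
      message: stripSuggestions(err.message),
      locations: err.locations,
      path: err.path,
      extensions: err.extensions,
    };
  };
}

// Constructed sample: the validation error from the issue, shaped as Apollo
// would hand it to formatError.
const SAMPLE_ERROR = {
  message:
    'Cannot query field "updateUserDetil" on type "Mutation". Did you mean "updateUserDetail"?',
  locations: [{ line: 2, column: 3 }],
  extensions: { code: 'GRAPHQL_VALIDATION_FAILED' },
};

// Runs the production configuration over the sample error and returns both
// the client-facing result and what the reporting hook saw.
function demo() {
  const reported = [];
  const formatError = makeFormatError({
    env: 'production',
    onError: (e) => reported.push(e.message),
  });
  return { formatted: formatError(SAMPLE_ERROR), reported };
}

// Usage: new ApolloServer({ typeDefs, resolvers, formatError: makeFormatError() })
console.log(demo().formatted.message);
```

With `makeFormatError()` the client receives `Cannot query field "updateUserDetil" on type "Mutation".` outside development, while the reporting hook still sees the full message with the suggestion. Pass `allowSuggestions: false` to drop suggestions even in development, or `true` to keep them elsewhere.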
2 reactions
enriquedacostacambio commented, Oct 14, 2020

@supermonkeybrainz sort of a hack, but you could either fork graphql-js or use patch-package to add this single line:

diff --git a/node_modules/graphql/jsutils/didYouMean.js b/node_modules/graphql/jsutils/didYouMean.js
index 43640da..da8daf9 100644
--- a/node_modules/graphql/jsutils/didYouMean.js
+++ b/node_modules/graphql/jsutils/didYouMean.js
@@ -11,6 +11,7 @@ var MAX_SUGGESTIONS = 5;
 
 // eslint-disable-next-line no-redeclare
 function didYouMean(firstArg, secondArg) {
+  return ''; // until https://github.com/graphql/graphql-js/issues/2247 or https://github.com/apollographql/apollo-server/issues/3919 are resolved.
   var _ref = typeof firstArg === 'string' ? [firstArg, secondArg] : [undefined, firstArg],
       subMessage = _ref[0],
       suggestions = _ref[1];
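Review bot: the unconditional `return '';` added as the first statement of `didYouMean` makes the rest of the function body unreachable, so the `_ref`, `subMessage` and `suggestions` lines that follow become dead code and a linter will flag them right next to the existing `eslint-disable-next-line` comment. Since the issue asks to keep suggestions in development and to allow an override, gate the early return instead of returning unconditionally, for example `if (process.env.NODE_ENV !== 'development') return '';`, so the suggestion logic below it stays live where it is wanted. Also note the hunk edits a file under node_modules, so it only survives a reinstall if patch-package is wired into the postinstall step.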