 | 1 | +# Security  | 
 | 2 | + | 
 | 3 | +We take security seriously.  If you believe you have discovered a vulnerability, please [file an issue](https://github.com/PowerShellWeb/GQL/issues).  | 
 | 4 | + | 
 | 5 | +## Special Security Considerations  | 
 | 6 | + | 
 | 7 | +When using this module, take care to secure your GraphQL token.  _Never_ hardcode a value, even as an example.  | 
 | 8 | + | 
 | 9 | +GraphQL is very powerful, and the Graph API should be queried carefully.  | 
 | 10 | + | 
 | 11 | +It is also highly recommended you use a Graph API token with limited rights.    | 
 | 12 | + | 
 | 13 | +Using your own personal access token can compromise your account.  | 
 | 14 | + | 
 | 15 | +Finally, and importantly, review any queries that you run before you run them.    | 
 | 16 | + | 
 | 17 | +Any GraphQL query you did not write could do more than you expect it to.  | 
 | 18 | + | 
 | 19 | +### -WhatIf and -Confirm for extra safety  | 
 | 20 | + | 
 | 21 | +For safety purposes, GQL SupportsShouldProcess.  | 
 | 22 | + | 
 | 23 | +This adds two parameters, -WhatIf and -Confirm.  | 
 | 24 | + | 
 | 25 | +Use -WhatIf to determine how to run the query with Invoke-RestMethod, without running it directly.  | 
 | 26 | + | 
 | 27 | +Use -Confirm to prompt for confirmation before each query is executed.  | 
 | 28 | + | 
 | 29 | +~~~PowerShell  | 
 | 30 | +GQL ./Examples/GetSchemaTypes.gql -Confirm  | 
 | 31 | +~~~  | 
 | 32 | + | 
 | 33 | +### Use Variables for more security  | 
 | 34 | + | 
 | 35 | +Hardcoded values can reveal insecure information.  | 
 | 36 | + | 
 | 37 | +## Never Execute Result Data  | 
 | 38 | + | 
 | 39 | +Seriously:  | 
 | 40 | + | 
 | 41 | +**Never Execute Result Data**  | 
 | 42 | + | 
 | 43 | +In PowerShell, on of the most dangerous things you can do is `Invoke-Expression`.  | 
 | 44 | + | 
 | 45 | +This runs whatever is in the data, and is the path to code injection attacks.  | 
 | 46 | + | 
 | 47 | +Another dangerous thing you can do is `$executionContext.SessionState.InvokeCommand.ExpandString`.  | 
 | 48 | + | 
 | 49 | +This expands a string containing subexpressions, which can also inject code.  | 
 | 50 | + | 
 | 51 | +If you were to directly Invoke or expand code from a GraphQL result, it could compromise your system (and possibly your network)  | 
 | 52 | + | 
 | 53 | +If you were to directly evaluate code from a GraphQL result in any other language, it could compromise that application (and possibly your network)  | 
 | 54 | + | 
 | 55 | +So, once more:  | 
 | 56 | + | 
 | 57 | +*Never Execute Result Data*  | 
 | 58 | + | 
 | 59 | +## Please Enjoy Responsibly  | 
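Review bot: the reporting instruction on line 3 sends vulnerability reports to the public issue tracker, which discloses the details to everyone before a fix exists; point reporters at a private channel (GitHub's private vulnerability reporting or a security contact address) and keep the public issues link for non-security bugs. The "Use Variables for more security" section stops after "Hardcoded values can reveal insecure information." and never says how a variable is actually supplied to GQL, so the advice is not actionable; name the parameter and show a one-line invocation next to the existing `GQL ./Examples/GetSchemaTypes.gql -Confirm` example. Minor text fixes: "on of the most dangerous things" should read "one of", and the two sentences beginning "If you were to directly" are missing their closing periods.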