Is it possible to disable GraphQL API and graphql-explorer

Background

I know that CVE-2020-26413 has been fixed and user emails can no longer be queried now. But an unauthenticated user can still get the username list from graphql-explorer with a query like:

{
  users {
    edges {
      node {
        username
      }
    }
  }
}

The CVE seems not to care about the username, but we have been bothered by attackers who got the username list. The attacker tries to brute force the password, causing the account to be locked by GitLab after lots of failed login attempts. Then the legitimate user cannot log in to their account. Of course the account can be unlocked, but it's really annoying.

Question

We want to disable the graphql explorer and graphql api since nobody needs this feature. But I didn't find any information about how to disable it in the gitlab docs. So is it possible?

And I'm curious about why an unauthorized query for the account list is not regarded as a security problem. Since in the REST API, the "GET /users" query needs authorization, I guess the user names are not designed to be publicly accessible information.


Ping? I would like to know this as well.

On our 14.4.1 CE instance, the endpoint /api/v4/users/NUM also started returning {"message":"403 Forbidden - Not authorized!"} recently, but I’m unable to find where this change was documented. Paradoxically, /api/v4/users/NUM/keys still works without authentication.

Our instance doesn’t have public restricted visibility levels since we have some public projects on it. It is my understanding that this makes ticking off the Public level in Restricted visibility levels a no-go.

Hi, any update on this? I want to turn off graphQL API too.

There is a way to mitigate this problem. Go to the Admin Area → General → Visibility and access controls → Restricted visibility levels. Then check the box next to “Public”. This should prevent anyone who isn’t logged in from seeing user profiles.
Source: CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED) | Rapid7 Blog
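To confirm that the "Restricted visibility levels" change above actually took effect on your own instance, here is an added check script (not from this thread, not GitLab's own code). It runs the anonymous query from the original post against /api/graphql without credentials and reports whether any usernames come back; the sample responses embedded in it are constructed, and the exact error text a hardened instance returns is an assumption.

```python
import json
import urllib.request
from urllib.error import HTTPError

# The unauthenticated query quoted in the original post, as one line.
USERNAME_QUERY = "{ users { edges { node { username } } } }"

# Constructed sample responses (not captured from a real instance).
SAMPLE_LEAK = {"data": {"users": {"edges": [
    {"node": {"username": "alice"}}, {"node": {"username": "bob"}}]}}}
SAMPLE_HARDENED = {"data": {"users": None},
                   "errors": [{"message": "assumed: not authorized"}]}


def exposed_usernames(body: dict) -> list:
    """Return the usernames an anonymous GraphQL response exposes.

    A hardened instance answers with `data.users` null or absent and/or an
    `errors` array; in both cases this returns an empty list.
    """
    users = (body.get("data") or {}).get("users") or {}
    edges = users.get("edges") or []
    return [e["node"]["username"] for e in edges
            if isinstance(e, dict) and (e.get("node") or {}).get("username")]


def check_instance(base_url: str, timeout: float = 10.0) -> dict:
    """POST the query to <base_url>/api/graphql with no credentials and classify."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/graphql",
        data=json.dumps({"query": USERNAME_QUERY}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except HTTPError as err:  # 401/403: anonymous access refused outright, good
        return {"status": err.code, "usernames": [], "exposed": False}
    names = exposed_usernames(body)
    return {"status": 200, "usernames": names, "exposed": bool(names)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python check.py https://gitlab.example.com
        print(check_instance(sys.argv[1]))
    else:  # offline demonstration on the constructed samples
        print("leak sample:", exposed_usernames(SAMPLE_LEAK))
        print("hardened sample:", exposed_usernames(SAMPLE_HARDENED))
```

Run it against your instance before and after changing the setting; an empty username list (or a 401/403) after the change means anonymous enumeration is closed, while a non-empty list means the setting did not take effect.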