
Enforce Pagination Limits on GraphQL Queries to Prevent DoS Attacks #3143

sancheet230 opened this issue Feb 5, 2025 · 1 comment
Labels: bug (Something isn't working), invalid (This doesn't seem right)

Comments

@sancheet230

Describe the bug
The GraphQL queries USER_LIST and ORGANIZATION_CONNECTION_LIST (and potentially others) do not enforce pagination limits on the first and skip parameters. This allows clients to request excessively large datasets, leading to potential denial-of-service (DoS) attacks by overwhelming server resources.

To Reproduce
Steps to reproduce the behavior:

1. Send a USER_LIST query with first set to an extremely high value (e.g., first=100000).
2. Observe the server attempting to fetch and process a massive number of records.
3. Repeat the same for ORGANIZATION_CONNECTION_LIST or other paginated queries.
4. Monitor server performance degradation or potential crashes due to resource exhaustion.

Expected behavior
The server should enforce a reasonable maximum limit (e.g., 100 records) for the first parameter and reject invalid values (e.g., negative numbers). Queries requesting more than the maximum limit should automatically be capped, and the server should return a manageable dataset without compromising performance.

Actual behavior
The server processes queries with unrestricted first and skip values, allowing clients to request excessively large datasets. This leads to high resource consumption, slow response times, and potential server crashes, negatively impacting other users and services.

Screenshots
N/A (This is a backend issue related to query handling and resource management.)

Additional details
This issue should be resolved by implementing server-side restrictions on the first and skip parameters in the GraphQL resolvers. The maximum limit for first should be set to a reasonable value (e.g., 100 records), and the skip parameter should be validated to ensure it is non-negative.

Potential internship candidates

Please read this if you are planning to apply for a Palisadoes Foundation internship
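The restriction the issue asks for, written out as an added example (this is not talawa-api's own code, and the names DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE, boundPagination, usersResolverUnbounded and usersResolverBounded are hypothetical). It validates first and skip before any data access, rejects non-integer, zero or negative values, and silently caps first at MAX_PAGE_SIZE instead of rejecting it, so an oversized request still returns a manageable page. The in-memory USERS array is constructed sample data standing in for the real collection; the "unbounded" resolver beside the hardened one shows the difference in behaviour for first=100000.

```typescript
// Added example, not talawa-api code. Bounds GraphQL pagination arguments
// (`first` / `skip`) server-side so a client cannot request an unbounded
// slice of a collection. All identifiers below are hypothetical.

export const DEFAULT_PAGE_SIZE = 20; // assumed default when `first` is omitted
export const MAX_PAGE_SIZE = 100;    // hard cap, per the issue's suggestion

export interface PaginationArgs {
  first?: number | null;
  skip?: number | null;
}

export interface BoundedPagination {
  limit: number;
  offset: number;
  capped: boolean; // true when the client asked for more than MAX_PAGE_SIZE
}

// Raised for arguments that are invalid rather than merely too large.
export class PaginationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "PaginationError";
  }
}

// Validate and clamp the raw resolver arguments. Oversized `first` is
// capped (not rejected); negative or non-integer values are rejected.
export function boundPagination(args: PaginationArgs): BoundedPagination {
  const { first, skip } = args;

  let limit = DEFAULT_PAGE_SIZE;
  let capped = false;
  if (first !== undefined && first !== null) {
    if (!Number.isInteger(first) || first < 1) {
      throw new PaginationError(`first must be a positive integer, got ${first}`);
    }
    if (first > MAX_PAGE_SIZE) {
      limit = MAX_PAGE_SIZE;
      capped = true;
    } else {
      limit = first;
    }
  }

  let offset = 0;
  if (skip !== undefined && skip !== null) {
    if (!Number.isInteger(skip) || skip < 0) {
      throw new PaginationError(`skip must be a non-negative integer, got ${skip}`);
    }
    offset = skip;
  }

  return { limit, offset, capped };
}

// Constructed sample data standing in for the users collection.
interface User { id: number; name: string }
const USERS: User[] = Array.from({ length: 1000 }, (_, i) => ({
  id: i + 1,
  name: `user${i + 1}`,
}));

// Vulnerable shape: client-controlled values flow straight into the query,
// so first=100000 returns the whole collection.
export function usersResolverUnbounded(args: PaginationArgs): User[] {
  const skip = args.skip ?? 0;
  const first = args.first ?? USERS.length;
  return USERS.slice(skip, skip + first);
}

// Hardened shape: arguments are validated and capped before the query runs.
export function usersResolverBounded(args: PaginationArgs): User[] {
  const { limit, offset } = boundPagination(args);
  return USERS.slice(offset, offset + limit);
}
```

Calling boundPagination at the top of every paginated resolver (or in a shared argument-parsing helper) keeps the cap in one place; returning the capped flag lets the resolver surface a warning in the response extensions if the project wants clients to know their request was truncated. A very large skip is still accepted here, since a positive offset past the end of the collection just yields an empty page; if the backing query does an expensive offset scan, the same helper is the place to cap it.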

@sancheet230 sancheet230 added the bug Something isn't working label Feb 5, 2025
@github-actions github-actions bot added invalid This doesn't seem right unapproved Unapproved for Pull Request labels Feb 5, 2025
@sancheet230 (Author)

@palisadoes This is the API-side issue for issue 3529 (closed) of talawa-admin. I can work on this, so you can assign me.
