Protect against malicious queries

[syrusakbary]

The Scala implementation of GraphQL (Sangria) provides a way for being protected against malicious queries.

More info: http://sangria-graphql.org/learn/#protection-against-malicious-queries

Could be very useful if the executor could support the following:

• Maximum query complexity based on analysis of the query
• Limit query depth

[millerjs]

Perhaps a first pass at this can be to allow programmers to throw exceptions which cancel the whole execution? The executor (L195) seems to swallow all exceptions. I noticed this when trying to naively limit complexity (by metric of execution time). However, there seems to be no way to short circuit the whole execution.

Related to #41.

[pobed2]

@syrusakbary, I know this is a very old issue, but has anything been implemented to help protect against malicious queries? If not, do you have any pointers on how to implement it myself?

[dfee]

@pobed2 you could add a variable to your context and bump it on each resolve call. You'll probably also want a more formal data structure with a locking mechanism for the executor of your choice.

class ResolveCounter:
    def __init__(self):
        from threading import Lock
        self.count = 0
        self.max = 100
        self.lock = Lock()
    
    def increment(self):
        with self.lock():
            if self.count < self.max:
                self.count += 1
            else:
                raise RuntimeError('too many resolves')

... and then throw that into your context when you call...

schema.execute(statement, context_value={'counter': ResolveCounter()})

alternatively, you could make a helpful wrapper:

def increment_resolve_count(func):
    from functools import wraps

    @wraps(func)
    def wrapper(root, info, *args, **kwargs):
        if '_resolve_counter' not in info.context:
            info.context['_resolve_counter'] = ResolveCounter()
        resolve_counter.increment()
    return wrapper


@increment_resolve_count
def resolve_mytype(root, info):
    # your typical resolve func
    return MyType()

[dfee]

I thought about this after posting it, and actually I think middleware is the right place for this.

[lisongx]

this would be really hepful, the github graphql api have the node based limitation to avoid bad query coming in https://developer.github.com/v4/guides/resource-limitations/

[dan98765]

We're having success doing query depth limiting & node based limiting in middleware.