Spring Boot GraphQL Tutorial #4 - DDOS, Recursion, Max Query Depth Limit

A GraphQL schema can be recursive. That exposes your GraphQL server to denial-of-service attacks. Why?

If two types reference each other, you have exposed a cyclic query path:

type A {
  b: B
}

type B {
  a: A
}

An attacker can exploit this by submitting an extremely large query that nests A - B - A - B - A - B and so on, hundreds or thousands of levels deep. The side effects depend on how your server resolves those fields: it could make thousands of extra database or network requests, burn CPU on expensive resolvers, crash with an OutOfMemoryError, or saturate all Tomcat request threads, denying other users access to the GraphQL server. If the cyclic fields return lists rather than single objects, the cost multiplies at every level, so the blow-up is exponential in the nesting depth rather than linear.

There are several ways to mitigate this. One simple one is a maximum query depth limit: any request whose query nests deeper than the limit is rejected before any resolver runs. A depth limit bounds nesting but not fan-out, so in practice it is paired with a query complexity (amount) limit as well. In graphql spring boot the depth limit can be specified with the property:
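To show what the limit actually does, here is an added, self-contained demonstration (not code from the tutorial or from graphql-spring-boot). It builds the cyclic A/B schema from the text with plain graphql-java, adds a Query root and a counter in the resolvers, and executes a deep A-B-A-B query once without protection and once with graphql-java's MaxQueryDepthInstrumentation, which is the instrumentation the Spring Boot starters use underneath. It assumes graphql-java on the classpath and Java 17+ (text blocks). The Query root, the name fields, the resolver counter and the depth values 5 and 50 are choices made for the example.

```java
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.analysis.MaxQueryDepthInstrumentation;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;

import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

public class DepthLimitDemo {

    // The tutorial's cyclic types, plus a Query root (added here) so there is something to execute.
    static final String SDL = """
        type Query { a: A }
        type A { name: String, b: B }
        type B { name: String, a: A }
        """;

    // Counts how many times the "expensive" resolvers ran for the current request.
    static final AtomicInteger resolverCalls = new AtomicInteger();

    static GraphQLSchema buildSchema() {
        TypeDefinitionRegistry registry = new SchemaParser().parse(SDL);
        RuntimeWiring wiring = RuntimeWiring.newRuntimeWiring()
            .type("Query", t -> t.dataFetcher("a", env -> Map.of("name", "a")))
            // In a real server each hop would be a database or HTTP call; here we only count it.
            .type("A", t -> t.dataFetcher("b", env -> {
                resolverCalls.incrementAndGet();
                return Map.of("name", "b");
            }))
            .type("B", t -> t.dataFetcher("a", env -> {
                resolverCalls.incrementAndGet();
                return Map.of("name", "a");
            }))
            .build();
        return new SchemaGenerator().makeExecutableSchema(registry, wiring);
    }

    /** Builds "{ a { b { a { b ... { name } } } } }" with `hops` nested object fields. */
    static String deepQuery(int hops) {
        StringBuilder q = new StringBuilder("{ a ");
        for (int i = 0; i < hops; i++) {
            q.append(i % 2 == 0 ? "{ b " : "{ a ");
        }
        q.append("{ name }").append(" }".repeat(hops)).append(" }");
        return q.toString();
    }

    static void run(String label, GraphQL graphQL, String query) {
        resolverCalls.set(0);
        ExecutionResult result = graphQL.execute(query);
        System.out.printf("%-12s errors=%d resolverCalls=%d%n",
            label, result.getErrors().size(), resolverCalls.get());
        result.getErrors().forEach(e -> System.out.println("    " + e.getMessage()));
    }

    public static void main(String[] args) {
        GraphQLSchema schema = buildSchema();

        // No limit: graphql-java walks every level and runs a resolver at each one.
        GraphQL unprotected = GraphQL.newGraphQL(schema).build();

        // Depth limit of 5: a query nested deeper than that is rejected before any resolver runs.
        GraphQL limited = GraphQL.newGraphQL(schema)
            .instrumentation(new MaxQueryDepthInstrumentation(5))
            .build();

        String attack = deepQuery(50);  // a { b { a { b ... 50 hops deep
        String normal = deepQuery(2);   // a { b { a { name } } }, depth 4

        run("unprotected", unprotected, attack);  // resolverCalls climbs with the nesting
        run("limited", limited, attack);          // one "maximum query depth exceeded" error, zero resolver calls
        run("limited-ok", limited, normal);       // a legitimate shallow query still resolves
    }
}
```

In a Spring Boot application you do not build the GraphQL object by hand: with Spring for GraphQL you declare `new MaxQueryDepthInstrumentation(5)` as an `Instrumentation` bean and the auto-configuration applies it, and the graphql-java-kickstart starter exposes the same instrumentation through its `graphql.servlet.max-query-depth` property (property name from memory; check the version of the starter you use). The companion `MaxQueryComplexityInstrumentation` from the same `graphql.analysis` package is what bounds fan-out on list fields, which a depth limit alone does not.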

See you in the next episode!

Cheers!
Philip

Securing your GraphQL from Malicious Queries (Size Limiting, Query Whitelisting, Depth Limiting, Amount Limiting):
Comments

This tutorial series is super cool. Love the way the topics are for each individual video! Clear, concise and useful. One can jump videos and look at certain topics and it makes sense and is usable! Great work Philip!

SaifuddinMerchant

Hey! These videos have been great and immensely useful. Good Job!! :D

poojabhatia

Hi, just one question: if I use WebFlux, how do I set the maxQueryDepth?

王平-ov

Hi there, thank you for all the videos, they're really helpful.
I have one question.
I have created model classes in Java; is there a plug-in or something that can be used to generate the GraphQL schema? I find it very tedious and time-consuming. Java model to schema conversion.

rishabhhanday

Quick feedback, you could go a bit more into depth on how to get a feeling about what number would be appropriate for your GraphQL API. And this attack is not DDoS, it is DoS AFAIK.

kasirbarati

How do I customise the response when the recursion limit is exceeded? Is it possible to return just 5 levels when the limit is exceeded, plus some message, so the user can access the nested levels in some different way?

aleksandrkravtsov

Why does someone need to use model recursion? What are the real-life scenarios?

chillappreciator