Spring Boot GraphQL Tutorial #4 - DDOS, Recursion, Max Query Depth Limit

Recursion in a GraphQL schema is possible, and it exposes a GraphQL server to denial-of-service attacks. Why?
If two types reference each other, the schema now permits a cyclical query:
type A {
b: B
}
type B {
a: A
}
An attacker can exploit this by submitting an extremely deep query that nests A - B - A - B - A - B and so on. The side effects depend on how your server resolves these fields: every level can trigger additional network or database requests, expensive CPU work, or allocations that end in an out-of-memory error, and because each request holds a Tomcat request thread for the whole resolution, a handful of such queries can saturate the thread pool and deny other users access to the GraphQL server. Note that the query text itself stays small (each level adds only a few bytes), so a plain request body size limit does not stop this.
There are various ways to mitigate this, and one simple way is a GraphQL query max depth limit: the server measures the nesting depth of each incoming query before executing it and rejects any query whose depth exceeds the limit, so no resolver runs for a rejected query. In graphql spring boot this is configured with the property:
See you in the next episode!
Cheers!
Philip
Securing your GraphQL from Malicious Queries (Size Limiting, Query Whitelisting, Depth Limiting, Amount Limiting):
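As an added example (not code from the video or the graphql-spring-boot project), the following stand-alone program uses graphql-java, the engine that the Spring Boot starter wraps, to build the cyclic A/B schema from the description, generate the A - B - A - B query an attacker would send, and reject it with graphql-java's MaxQueryDepthInstrumentation. The schema, the data fetchers, the class name and the depth limit of 5 are assumptions made for the demo. In a Spring Boot application the same instrumentation can be registered as a bean instead of being wired by hand as it is here.

```java
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.analysis.MaxQueryDepthInstrumentation;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import graphql.schema.idl.TypeDefinitionRegistry;

import java.util.Map;

public class DepthLimitDemo {

    // Assumed schema for the demo: the same cyclic A <-> B shape as in the
    // description, plus a root field so the cycle is reachable from Query.
    static final String SDL = """
        type Query { a: A }
        type A { id: ID, b: B }
        type B { id: ID, a: A }
        """;

    static GraphQLSchema buildSchema() {
        TypeDefinitionRegistry registry = new SchemaParser().parse(SDL);
        // Every hop returns a fresh object, so resolution never terminates on its
        // own: the only thing bounding the work is the depth the client asks for.
        RuntimeWiring wiring = RuntimeWiring.newRuntimeWiring()
            .type("Query", b -> b.dataFetcher("a", env -> Map.of("id", "a0")))
            .type("A", b -> b.dataFetcher("b", env -> Map.of("id", "b")))
            .type("B", b -> b.dataFetcher("a", env -> Map.of("id", "a")))
            .build();
        return new SchemaGenerator().makeExecutableSchema(registry, wiring);
    }

    // Builds the a { b { a { b { ... } } } } query an attacker would send,
    // `levels` object fields deep. Each level costs only a few bytes of text.
    static String cyclicQuery(int levels) {
        StringBuilder sb = new StringBuilder("{ ");
        for (int i = 0; i < levels; i++) {
            sb.append(i % 2 == 0 ? "a { id " : "b { id ");
        }
        sb.append("}".repeat(levels)).append(" }");
        return sb.toString();
    }

    public static void main(String[] args) {
        final int maxDepth = 5; // assumed limit for the demo
        GraphQL graphQL = GraphQL.newGraphQL(buildSchema())
            .instrumentation(new MaxQueryDepthInstrumentation(maxDepth))
            .build();

        // Within the limit: the query resolves normally and the error list is empty.
        ExecutionResult ok = graphQL.execute(cyclicQuery(3));
        System.out.println("depth-3 query errors: " + ok.getErrors());

        // Over the limit: the depth check runs before execution, so the query is
        // rejected with a "maximum query depth exceeded" error and no data
        // fetcher is ever invoked for it.
        ExecutionResult rejected = graphQL.execute(cyclicQuery(50));
        System.out.println("depth-50 query errors: " + rejected.getErrors());
        System.out.println("depth-50 query data: " + rejected.getData());
    }
}
```

The instrumentation counts nested fields, so the leaf `id` under three object levels sits at depth 4 and passes a limit of 5, while the 50-level query is refused before any resolver runs. Choose the limit from the legitimate queries your clients actually send, since a limit that is too low breaks real queries while one that is too high still leaves room for expensive work at each level; the other controls listed in the linked article (size, amount and whitelisting) complement rather than replace it.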