Spring Boot GraphQL Tutorial #4 - DDOS, Recursion, Max Query Depth Limit

Показать описание

Recursion in a graphql schema is possible. This presents some denial-of-service vulnerabilities in our graphql server. Why?

If two types have reference to each other, you have now exposed a cyclical query:

type A {
b: B
}

type B {
a: A
}

An attacker could exploit this and submit an extremely large query containing A - B - A - B - A - B etc. Depending how your server resolves these elements, will have different side effects. Your graphql server could make thousands of extra network requests, perform expensive CPU operations, bring down your server with out-of-memory error or saturate all tomcat request threads, denying other users access to the graphql server.

There are various ways to mitigate this vulnerability, one simple way is by using a GraphQL query max depth limit. Requests will be rejected that request a query depth exceeding the limit. This can be specified in graphql spring boot with the property:

See you in the next episode!

Cheers!
Philip

Securing your GraphQL from Malicious Queries (Size Limiting, Query Whitelisting, Depth Limiting, Amount Limiting):

Рекомендации по теме

Комментарии

This tutorial series is super cool. Love the way the topics are for each individual video! Clear, concise and useful. One can jump video's and look at certain topics and it makes sense and is usable! Great work Philip!

SaifuddinMerchant

Hey! These videos have been great and immensely useful. Good Job!! :D

poojabhatia

Hi, Just one question, If I use webflux, how to set the maxQueryDepth?

王平-ov

Hi there, thank you for all the videos, it’s really helpful .
I have one question .
I have created model classes in java, is there a plug-in or something that can be used to generated the graphQL schema . I find it very tedious and time taking . Java model to Schema conversion

rishabhhanday

Quick feedback, you could go a bit more into depth on how to get a feeling about what number would be appropriate for your GraphQL API. And this attack is not DDoS, it is DoS AFAIK.

kasirbarati

How to customise response in case of recursion limit increased? Is it possible to return just 5 levels in case limit increased and some message so user can access nested levels in some different way?

aleksandrkravtsov

Why does someone need to use model recursion? What are the real life scenarios?

chillappreciator

Spring Boot GraphQL Tutorial #4 - DDOS, Recursion, Max Query Depth Limit

Spring Boot GraphQL Tutorial #4 - DDOS, Recursion, Max Query Depth Limit

Spring Boot GraphQL Tutorial - Part 4 Multiple Types with Relationships and GraphQL Aliases

Spring Boot and GraphQL Tutorial

Learn GraphQL in 7 Minutes For Beginners

🍃 Introduction to Spring GraphQL with Spring Boot

Spring Boot GraphQL Tutorial

What Is GraphQL? REST vs. GraphQL

Spring Boot GraphQL Tutorial: Simplify Your API with Query by Example

What is GraphQL?

GraphQL Explained in 100 Seconds

Spring Boot GraphQL Part 4 - Update and Delete Operations | Mutation Mapping

GraphQL Spring Boot #9 - Executing a Mutation

GraphQL Spring Boot #8 - Executing a Query.

🔥Spring MVC Interview Questions | Spring Boot Vs Spring MVC | Intellipaat #Shorts #SpringMVC

Spring Boot Graphql Multiple Queries And Introspection

Spring Boot GraphQL Tutorial #17 - Date Type

A Quick Start with the official spring-boot-starter-graphql dependency!

GraphQL with MongoDB (Spring Boot)

Learn GraphQL Queries (Spring Boot, JPA, H2)

GraphQL Spring Boot #10 - Mutating a nested object.

Code - Spring for GraphQL

GraphQL Java Mutations Tutorial for Beginners

GraphQL Spring Boot #1 - Introduction

Spring Tips: @Controllers: GraphQL