Add a new optional parameter ignoreFields to the maxAliases plugin #766
Conversation
…elds to the maxAliases plugin
|
|
I'm very open to changes in the nomenclature and specific API here - suggestions are most welcome! |
|
Hey @jczaplew , thanks for contributing! I am not the creator of the package, but I am here to help! How does this differ from |
We exclude alias with a __typename from the count cf @jczaplew coment: #738 (comment) and Stellate team PR: #468 |
| }); | ||
| }); | ||
|
|
||
| it('counts __typename aliases against limit when ignoreFields is passed', async () => { |
There was a problem hiding this comment.
Additionally, we can add a test to make sure the change is backward and forward compatible by checking if __typename is a default in the ignoreFields list and avoid breaking Stellate workflows.
|
Hi @iCarossio!
Thinking about it some more I don't think it does, and I think this PR would be much cleaner if the default value of |
|
@LMaxence yes, definitely! |
4 participants
Closes #738
There is a GraphQL vulnerability related to allowing an unlimited number of aliases of
__typename- an attacker can craft a query that consists of tens of thousands of aliases, like{"query": "query aliasOverLoad { alias0: __typename alias1: __typename alias2: __typename alias3: __typename alias4: __typename alias5: __typename <...thousands more> }"}and can be a way to bypass authentication on the API because it does not hit any resolvers. With enough simultaneous queries like this it can fairly easily bring down a server.This PR adds
ignoreFieldsto the options of max-aliases and sets the default value to["__typename"]to ensure backwards compatibility. By passing an empty array the plugin will count aliases of__typenameagainst the max alias limit.