
How to disable multi-operation queries #252

xxia-brex opened this issue Mar 4, 2021 · 1 comment

Comments

@xxia-brex

How can we disable multi-operation queries like
"[{"operationName":"xxx1","variables":{},"query":"query xxx1 {}"},
{"operationName":"xxx2","variables":{},"query":"query xxx2 {}"},
{"operationName":"xxx3","variables":{},"query":"query xxx3 {*********}"},
...repeat 1000x..."

For security reasons, we prefer to only allow a single operation per HTTP request.

@benwilson512
Contributor

I think the right path here is a relatively simple `batching: false` option we enable on the plug.

Per our conversation on Slack, a temporary workaround could be to add the following plug ahead of your Absinthe.Plug plugs:

```elixir
defmodule MyAppWeb.PreventBatchGraphQL do
  @behaviour Plug

  def init(opts), do: opts

  # Runs after Plug.Parsers, so body_params already holds the decoded JSON.
  def call(conn, _opts) do
    case conn.body_params do
      # Plug.Parsers.JSON stores a top-level JSON array under "_json".
      %{"_json" => _} -> unprocessable(conn)
      # Absinthe.Plug's batch format carries an "operations" list.
      %{"operations" => _} -> unprocessable(conn)
      # Any other shape (a single operation object) continues down the pipeline.
      _ -> conn
    end
  end

  # Reject the request and halt so no later plug (including Absinthe) runs.
  defp unprocessable(conn) do
    conn
    |> Plug.Conn.send_resp(422, "batching not permitted")
    |> Plug.Conn.halt()
  end
end
```
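An added ExUnit check for the plug above (example code written for this page, not part of the issue or of Absinthe.Plug); it assumes the MyAppWeb.PreventBatchGraphQL module is compiled in the test environment and uses Plug.Test to build connections whose body_params are already parsed, as Plug.Parsers would leave them:

```elixir
defmodule MyAppWeb.PreventBatchGraphQLTest do
  use ExUnit.Case, async: true
  import Plug.Test

  alias MyAppWeb.PreventBatchGraphQL

  # Constructed sample bodies in the shapes the plug must distinguish.
  @batched_array %{
    "_json" => [
      %{"operationName" => "a", "variables" => %{}, "query" => "query a { __typename }"},
      %{"operationName" => "b", "variables" => %{}, "query" => "query b { __typename }"}
    ]
  }
  @batched_operations %{
    "operations" => [%{"query" => "query a { __typename }"}]
  }
  @single %{"operationName" => "a", "variables" => %{}, "query" => "query a { __typename }"}

  # Set body_params directly, standing in for the work Plug.Parsers does
  # on a real request, then run the plug exactly as the pipeline would.
  defp run(body_params) do
    conn(:post, "/api/graphql")
    |> Map.put(:body_params, body_params)
    |> PreventBatchGraphQL.call(PreventBatchGraphQL.init([]))
  end

  test "rejects a top-level JSON array (the _json shape)" do
    conn = run(@batched_array)
    assert conn.halted
    assert conn.status == 422
    assert conn.resp_body == "batching not permitted"
  end

  test "rejects the operations batch shape" do
    conn = run(@batched_operations)
    assert conn.halted
    assert conn.status == 422
  end

  test "lets a single operation through untouched" do
    conn = run(@single)
    refute conn.halted
    assert conn.status == nil
  end
end
```

Because the plug matches on body_params, it must sit after Plug.Parsers in the endpoint; placed earlier, body_params is still unfetched and every request falls through the default clause.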
