The proxy server strips the path from the graph-db-connection-url header when constructing downstream requests, making it impossible to connect to databases that serve their SPARQL/Gremlin endpoints at a non-root path (e.g., BlazeGraph).
The proxy uses new URL("/sparql", graphDbConnectionUrl) to build the downstream URL. Because the path argument is absolute (starts with /), new URL replaces the entire path of the base URL. For example:
new URL("/sparql", "http://blazegraph:9999/blazegraph/namespace/kb")
// Result: http://blazegraph:9999/sparql
// Expected: http://blazegraph:9999/blazegraph/namespace/kb/sparql
BlazeGraph serves its SPARQL endpoint at /blazegraph/namespace/<ns>/sparql, so the proxy always hits a non-existent /sparql path, returning a 301 redirect that the proxy does not follow.
The client-side code (non-proxy mode) uses string template literals (${connection.url}/sparql) which correctly preserves the path. This inconsistency means BlazeGraph works without the proxy but fails with it.
History
An older version of the proxy used simple string concatenation (${graphDbConnectionUrl}/sparql), which worked with BlazeGraph. The current new URL() approach was introduced to address a security concern around unsafe URL construction. However, the fix was overly aggressive — it discards the legitimate path prefix configured by the user.
Environment
Graph Explorer Version: latest (main branch)
Graph Database & Version: BlazeGraph 2.1.5 (standalone jar or lyrasis/blazegraph Docker image)
Steps to Reproduce
Run BlazeGraph (e.g., docker run -d -p 9999:9999 --name blazegraph blazegraph:2.1.5)
Observe connection failure — the proxy sends requests to http://blazegraph:9999/sparql instead of http://blazegraph:9999/blazegraph/namespace/kb/sparql
Expected Behavior
The proxy should preserve the path from the configured Graph Connection URL when appending endpoint suffixes like /sparql, /gremlin, /openCypher, etc.
Proposed Fix
Use relative paths (without leading /) and ensure the base URL has a trailing slash before resolving:
// Before (broken for non-root paths):
const rawUrl = new URL("/sparql", graphDbConnectionUrl).href;
// After (preserves base path, still uses safe URL construction):
const rawUrl = new URL("sparql", graphDbConnectionUrl.replace(/\/?$/, "/")).href;
This preserves the security improvement (new URL() for safe URL resolution — path traversal attempts like ../../etc/passwd are safely resolved within the origin) while restoring compatibility with databases that use non-root endpoint paths.
Affected lines in packages/graph-explorer-proxy-server/src/app.ts:
new URL("/sparql/status", ...) (query cancellation)
new URL("/sparql", ...) (SPARQL queries)
new URL("/gremlin/status", ...) (query cancellation)
new URL("/gremlin", ...) (Gremlin queries)
new URL("/openCypher", ...) (openCypher queries)
new URL("/summary?mode=detailed", ...) (Neptune Analytics summary)
new URL("/pg/statistics/summary?mode=detailed", ...) (Neptune DB PG summary)
new URL("/rdf/statistics/summary?mode=detailed", ...) (RDF summary)
Important
If you are interested in working on this issue, please leave a comment.
Tip
Please use a 👍 reaction to provide a +1/vote. This helps the community and maintainers prioritize this request.
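The resolution behaviour described in the issue, plus one way to append an endpoint suffix to a base URL that carries a path prefix. This is an added example, not part of the original issue or the Graph Explorer code base; `resolutionCases` and `joinEndpoint` are hypothetical names, and dropping any query or fragment from the base URL is an assumption of this sketch.

```javascript
// Added example; joinEndpoint is a hypothetical helper, not the project's code.
// The BlazeGraph URL is the sample value used in the issue text.
const BASE = "http://blazegraph:9999/blazegraph/namespace/kb";

// How new URL() (WHATWG URL resolution) treats the suffix in each form.
function resolutionCases(base) {
  return {
    absoluteSuffix: new URL("/sparql", base).href,         // whole base path replaced
    relativeNoSlash: new URL("sparql", base).href,         // last segment ("kb") replaced
    relativeWithSlash: new URL("sparql", base + "/").href, // base path kept
  };
}

// Append an endpoint suffix while keeping the configured path prefix.
function joinEndpoint(baseUrl, suffix) {
  const base = new URL(baseUrl); // throws on malformed input
  if (base.protocol !== "http:" && base.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${base.protocol}`);
  }
  // Normalise on the parsed URL rather than on the raw string, so a query
  // or fragment on the base cannot end up in front of the appended slash.
  // Assumption: the base's query and fragment are not needed downstream.
  base.search = "";
  base.hash = "";
  if (!base.pathname.endsWith("/")) base.pathname += "/";

  // Strip leading slashes so "/sparql" and "sparql" both resolve relatively.
  const target = new URL(suffix.replace(/^\/+/, ""), base);

  // Guard: the result must stay on the same origin and under the prefix.
  if (target.origin !== base.origin ||
      !target.pathname.startsWith(base.pathname)) {
    throw new Error(`suffix escapes configured base: ${suffix}`);
  }
  return target.href;
}

console.log(resolutionCases(BASE));
console.log(joinEndpoint(BASE, "/sparql"));
console.log(joinEndpoint("https://neptune.example:8182", "/gremlin/status"));
```

The prefix check turns a suffix such as the `../../etc/passwd` mentioned above into an error instead of a request to a different path on the same origin.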