Limiting the query depth blocks `IntrospectionQuery` too, making graphiQL inconsistent #1055
I tried to limit the graphql query depth to
After doing some debugging, I found that
As a tool, graphiQL must be allowed to do introspection, as it helps to explore the existing endpoints/queries, type checking, autocomplete, etc. But the user queries must be checked for the depth limit to avoid malicious requests against the server.
I couldn't find a way to handle this, but today got some workaround by overriding
Please add a feature to easy configuration to set the depth limit and allow
Thanks & Regards,
The tricky part here is that Introspection is an open-ended query. It can be just `__typename` right up to the default complicated Introspection query.
So how would the library make a sensible decision on whether it's an introspection query or not? The presence of
This is a tricky problem and at first glance I can't think of an easy way to know if it's Introspection or not.
I got a workaround for this, but I want your guidance over my approach.
I've tokenized the introspection query and created a simple array of tokens of type String.
Now, I will tokenize each request (only unique tokens, no duplicates) and can then check whether the current query contains only
If it contains only
Now, in future, if anything new comes into the valid
I've not seen any kind of prevention in any implementation of
I tried this on my local project; it works perfectly fine. Need your thoughts on this!
Right, so basically you have written a heuristic that checks if a query looks Introspection-like.
This is likely to work, but it CAN'T be guaranteed to work for all queries because the introspection queries are NOT fixed. It is, however, a pretty good heuristic.
In short I think this works for you but I struggle to immediately see how we can make it generic for all users.
That said it makes sense that one would want to not depth check valid introspection queries yet do it on the other queries.
I am in a bit of a bind on how to solve this challenge.
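The token-whitelist heuristic described above, together with the caveat that it cannot be guaranteed for every query, as an added example in Python (not code from the issue, graphql-java or GraphiQL). It assumes a constructed, shortened copy of GraphiQL's default introspection query as the reference, a brace-counting depth calculator that does not expand fragment spreads, and a policy that gives introspection-looking queries their own cap rather than exempting them outright.

```python
import re

# Lexer for GraphQL names and the punctuators that occur in query documents.
TOKEN_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*|\.\.\.|[{}():!\[\]$@=]")

# Constructed, shortened stand-in for GraphiQL's default IntrospectionQuery;
# a real deployment would tokenize the actual query text GraphiQL sends.
INTROSPECTION_QUERY = """
query IntrospectionQuery { __schema {
    queryType { name } mutationType { name } subscriptionType { name }
    types { ...FullType }
    directives { name description locations args { ...InputValue } } } }
fragment FullType on __Type { kind name description
  fields(includeDeprecated: true) { name description args { ...InputValue }
    type { ...TypeRef } isDeprecated deprecationReason }
  inputFields { ...InputValue } interfaces { ...TypeRef } possibleTypes { ...TypeRef }
  enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } }
fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue }
fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name } } }
"""

def tokens(query: str) -> set:
    """Unique lexical tokens of a query (the tokenizing step from the issue)."""
    return set(TOKEN_RE.findall(query))

# Vocabulary of the reference query, plus the bare meta-field the thread mentions.
INTROSPECTION_TOKENS = tokens(INTROSPECTION_QUERY) | {"__typename"}

def looks_like_introspection(query: str) -> bool:
    """Heuristic: every token of the request occurs in the reference vocabulary.
    It says nothing about shape, so it cannot be guaranteed for all queries."""
    return tokens(query) <= INTROSPECTION_TOKENS

def selection_depth(query: str) -> int:
    """Deepest nesting of selection sets, counted from braces (fragments not expanded)."""
    depth = max_depth = 0
    for tok in TOKEN_RE.findall(query):
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
    return max_depth

def allowed(query: str, user_limit: int, introspection_limit: int) -> bool:
    """Policy: introspection-looking queries get a separate (larger) cap
    instead of skipping the depth check entirely."""
    limit = introspection_limit if looks_like_introspection(query) else user_limit
    return selection_depth(query) <= limit
```

Because the heuristic only inspects vocabulary, keeping a cap on the introspection path is what bounds the work a schema-shaped query can cause.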
Can we configure/modify/change the default
As far as I'm aware, the very first introspection query is made by THAT GraphiQL interface WHICH IS connected to our GraphQL server (what we add as a dependency in our server project), so the Introspection Query stored in GraphiQL is always hit whenever somebody opens
If somehow we can configure THAT stored query, then we can easily allow those Introspections which we created/configured and have agreed are (fully or partially) sufficient to explore the whole (or required) schema with documentation. Doing so, we can bypass the depth checking for our CUSTOM Introspection, and all other queries will have to pass through the depth checker (if the depth limit is enabled).