Request Timeout for malicious Graphql queries

[Thinkenterprise]

To prevent malicious Graphql Queries, I would like to abort requests on the server that are too long. So I need a request timeout. There is no configuration for this in Java EE Servlet, right!? In Spring Boot you can e.g. configure server.connection-timeout, which does not the same as a request timeout!! Would it be possible to provide an SimpleInstrumentation for example RequestTimeoutInstrumentation which implementation request timeout. I know that instrumentations like MaxQueryComplexityInstrumentation already exist for other types of malicious Graphql Queries. In this context, another instrumentation for throttling like ThrottlingInstrumentationwould be conceivable and would round off the DDOS topic very nicely. From my point of view, these are important points, or should infrastructure do that? https://www.howtographql.com/advanced/4-security/

[oliemansm]

A quick Google search led me to this StackOverflow issue suggesting a solution for a regular Spring Boot @RestController. So it looks like Spring doesn't provide anything out of the box for it.

Maybe instead of RequestTimeoutInstrumentation it shouldn't be named in line with HTTP, but more in line with GraphQL, e.g. MaxExecutionTimeInstrumentation. Ideally this would then be part of the core graphql-java project instead of here. Could you raise the issue there to see if they're willing to include something like this?

[Thinkenterprise]

Sorry, but i'm currently on a very time intensive project and haven't had time to deal with my issues. I will try to check the point by the end of the week and give an answer. Thank you for your suggestion!!

[Thinkenterprise]

I implemented the suggestion and it works. However, this is a field timeout. The goal was a request timeout that adds up over several queries and fields. In the case of a field timeout, the timeout of 10 seconds could mean that if the field is called up 10 times and each call takes 9 seconds, a total value of 90 seconds is achieved. The 10 seconds are therefore not the same as a request timeout.

You definitely need a field timeout. In addition, you would have to start a time globally and check after each field whether the time has expired. If so, the execution would have to be canceled. But it is true that these are not necessarily problems of the GraphQL Java Servlet project but rather of the GraphQL Java. I'll ask there sometime

[Thinkenterprise]

That would be a suggestion ...

public class RequestTimeoutInstrumentation extends SimpleInstrumentation {

	protected final static Logger logger = LoggerFactory.getLogger(RequestTimeoutInstrumentation.class); 
	
	private LocalDateTime startTime;
	private Long timeout;
	
	public RequestTimeoutInstrumentation(Long timeout) {
		this.timeout = timeout;
	}
		
	@Override
	public InstrumentationContext<ExecutionResult> beginExecution(InstrumentationExecutionParameters parameters) {
		startTime = LocalDateTime.now();
		logger.info(startTime.toString());
		return super.beginExecution(parameters);
	}

	@Override
	public InstrumentationContext<ExecutionResult> beginField(InstrumentationFieldParameters parameters) {
		
		Long timeDifference = Duration.between(startTime, LocalDateTime.now()).toSeconds();
		logger.info(timeDifference.toString());
		
		if(timeDifference >= timeout) 
			throw new AbortExecutionException(List.of(createGraphQLError(timeDifference)));		
			
		return super.beginField(parameters);
	}
	
	@Override
    public DataFetcher<?> instrumentDataFetcher(
            DataFetcher<?> dataFetcher, InstrumentationFieldFetchParameters parameters
    ) {
    	
    	  return environment ->
            Observable.fromCallable(() -> dataFetcher.get(environment))
                .subscribeOn(Schedulers.computation())
                .timeout(timeout, TimeUnit.SECONDS)  
                .blockingFirst();
    }

	@Override
	public InstrumentationContext<ExecutionResult> beginFieldComplete(
			InstrumentationFieldCompleteParameters parameters) {
		
		Long timeDifference = Duration.between(startTime, LocalDateTime.now()).toSeconds();		
		logger.info(timeDifference.toString());
		
		if((parameters.getFetchedValue()==null)&&(timeDifference >= timeout)) 
			throw new AbortExecutionException(List.of(createGraphQLError(timeDifference)));		
		
		return super.beginFieldComplete(parameters);
	}
	
	private GraphQLError createGraphQLError(Long timeDifference) {
		return GraphqlErrorBuilder.newError().message("Execution time: %d seconds timeout: %d seconds", Long.valueOf(timeDifference), Long.valueOf(timeout)).build();
	}
	
}

[oliemansm]

@Thinkenterprise This is now solved sufficiently through graphql-java-kickstart/graphql-spring-boot#469 correct?

[Thinkenterprise]

@oliemansm Yes you can close it!!