This issue was moved to a discussion.

Options to secure API #1478

Closed
lee-pai-long opened this issue Nov 21, 2023 · 5 comments

Comments

@lee-pai-long

Is your feature request related to a problem? Please describe.
I used graphql-cop to test my graphql API built using Graphene Django and the result is as follows:

[HIGH] Alias Overloading - Alias Overloading with 100+ aliases is allowed (Denial of Service - /graphql)
[HIGH] Directive Overloading - Multiple duplicated directives allowed in a query (Denial of Service - /graphql)
[HIGH] Field Duplication - Queries are allowed with 500 of the same repeated field (Denial of Service - /graphql)
[LOW] Field Suggestions - Field Suggestions are Enabled (Information Leakage - /graphql)
[MEDIUM] GET Method Query Support - GraphQL queries allowed using the GET method (Possible Cross Site Request Forgery (CSRF) - /graphql)
[HIGH] Introspection - Introspection Query Enabled (Information Leakage - /graphql)
[HIGH] Introspection-based Circular Query - Circular-query using Introspection (Denial of Service - /graphql)
[MEDIUM] POST based url-encoded query (possible CSRF) - GraphQL accepts non-JSON queries over POST (Possible Cross Site Request Forgery - /graphql)

I would like to have options for example to disable or limit use of aliases to prevent Alias Overloading but I can't find options to mitigate this or the other attacks.

Describe the solution you'd like
Is it possible to provide options to mitigate those attacks in a future version of graphene-django?

Describe alternatives you've considered
...

Additional context
...

@kiendang
Collaborator

kiendang commented Nov 21, 2023

Is this something that could be solved with a custom ValidationRule? You might want to take a look at #1475.

@lee-pai-long
Author

Hi @kiendang, the introspection can be solved with that, yes, but not the rest.

@kiendang
Collaborator

I think a few of these, Alias Overloading, Directive Overloading and Field Duplication could be solved by writing a custom ValidationRule that analyses the query.

The CSRF issues could be solved by configuring Django if I'm not wrong.

@lee-pai-long
Author

@kiendang but how to limit the number of aliases, directives and fields in a custom validation rule?

@kiendang
Collaborator

I guess you could traverse the AST and count the number of occurrences? See Implementing a custom ValidationRule and the Visitor class.

Anyway, I'm converting this to a discussion which I think is more appropriate.

@graphql-python graphql-python locked and limited conversation to collaborators Nov 22, 2023
@kiendang kiendang converted this issue into discussion #1479 Nov 22, 2023
