Merge pull request #5706 from consuldemocracy/graphql_limits

Bring back GraphQL security limits
Javi Martín
2024-09-30 12:19:51 +02:00
committed by GitHub
2 changed files with 80 additions and 0 deletions


@@ -1,4 +1,8 @@
class ConsulSchema < GraphQL::Schema
mutation(Types::MutationType)
query(Types::QueryType)
default_max_page_size 25
max_complexity 2500
max_depth 8
end
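Review bot: The three limits at `default_max_page_size 25`, `max_complexity 2500` and `max_depth 8` are added without a comment recording what they guard against or how the values relate, which matters here because the commit title says they were dropped once already. In graphql-ruby the complexity charged for a connection field is, as far as I recall, multiplied by the requested or default page size, so `max_complexity` and `default_max_page_size` constrain each other and lowering or raising one silently changes how many nested collections fit under the other; that is worth stating next to the values. A one-line note above them would do, e.g. `# Bound the work one query can request: depth and complexity reject nested-collection queries that fan out into large DB loads; complexity scales with the page size below.` The `@@ -1,4 +1,8 @@` header counts one more added line than the rendered section shows, so a blank line was presumably lost in rendering rather than anything being missing from the file.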


@@ -0,0 +1,76 @@
require "rails_helper"
describe ConsulSchema do
let(:user) { create(:user) }
it "returns an error for queries exceeding max depth" do
query = <<~GRAPHQL
{
user(id: #{user.id}) {
public_proposals {
edges {
node {
public_author {
username
public_proposals {
edges {
node {
public_author {
username
}
}
}
}
}
}
}
}
}
}
GRAPHQL
response = execute(query)
expect(response["errors"]).not_to be nil
expect(response["errors"].first["message"]).to match(/exceeds max depth/)
end
it "returns an error for queries requesting all records from more than 2 collections" do
query = <<~GRAPHQL
{
users {
edges {
node {
public_debates {
edges {
node {
title
}
}
}
public_proposals {
edges {
node {
title
}
}
}
public_comments {
edges {
node {
body
}
}
}
}
}
}
}
GRAPHQL
response = execute(query)
expect(response["errors"]).not_to be nil
expect(response["errors"].first["message"]).to match(/Query has complexity/)
end
end
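Review bot: Both examples only check that over-limit queries are rejected; nothing asserts that `default_max_page_size 25` is applied or that a query at the limit still succeeds, so a limit tuned too low for the client would pass this suite unnoticed. A third example that asks for more than the default page size and checks the returned edge count would cover the remaining limit; a sketch follows, assuming the `users` connection accepts the standard `first` argument, lists every created user, and that `execute` returns the parsed response hash as the existing examples imply. Two style points: `expect(response["errors"]).not_to be nil` reads better as `not_to be_nil`, and matching only `response["errors"].first["message"]` depends on error ordering, which `expect(response["errors"].map { |error| error["message"] }).to include(a_string_matching(/exceeds max depth/))` avoids.
```ruby
it "caps the number of returned records at the default page size" do
  create_list(:user, 26)

  query = <<~GRAPHQL
    {
      users(first: 100) {
        edges {
          node {
            username
          }
        }
      }
    }
  GRAPHQL

  response = execute(query)

  expect(response["errors"]).to be_nil
  expect(response.dig("data", "users", "edges").size).to eq 25
end
```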