graphql-query-count-limit
Advanced tools
Readme
Dead-simple defense against grouped GraphQL queries. Limit the number of the queries per request and the number of selections allowed at the root of each query.
Suppose you have an Album type that has a list of Songs.
{
album(id: 42) {
songs {
title
artists
}
}
}
And perhaps you have a different entry point for a Song and the type allows you to go back up to the Album.
{
song(id: 1337) {
title
album {
title
}
}
}
That opens your server to the possibility of a cyclical query!
query evil {
album(id: 42) {
songs {
album {
songs {
# Depth is covered by graphql-depth-limit...
}
}
}
}
}
album(id: 41) {
songs {
album {
songs {
# but one can add as many selection at the root of the query
}
}
}
}
}
# Creating a single-call-ddos
...
}
# Also, most engines handles any number queries per request! Making another possible single-call-ddos possibility.
query evil2 {
album(id: 42) {
songs {
album {
songs {
...
}
}
}
}
}
...
}
graphql-query-count-limit will limit the number of queries per request and the number of root selections per query.
$ npm install graphql-query-count-limit
It works with any library using graphql-server, such as, apollo-server, express-graphql and koa-graphql.
Here is an example with Express.
import queryLimit from 'graphql-query-count-limit'
import express from 'express'
import graphqlHTTP from 'express-graphql'
import schema from './schema'
const app = express()
app.use('/graphql', graphqlHTTP((req, res) => ({
schema,
validationRules: [ queryLimit(10) ]
})))
The first argument is the maximum number of queries in a single request. This will throw a validation error if more than the allowed amount if queries are specified.
The second, optional, argument is the maximum amount of root selections on any query
queryLimit(
3,
5
)
This library is made thanks to the awesome graphql-depth-limit library that you should always install with graphql-query-count-limit as they are both needed for a better DDOS protection.
Also, once those two librairies are installed, you will still have to make sure that:
FAQs
A validator for the number of queries per request and root selectors per query.
The npm package graphql-query-count-limit receives a total of 278 weekly downloads. As such, graphql-query-count-limit popularity was classified as not popular.
We found that graphql-query-count-limit demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
Security News
OpenJS is warning of social engineering takeovers targeting open source projects after receiving a credible attempt on the foundation.
Company News
Come meet the Socket team at BSidesSF and RSA! We're sponsoring several fun networking events and we would love to see you there.