graphql-query-count-limit
Advanced tools
A validator for the number of queries per request and root selectors per query.
Dead-simple defense against grouped GraphQL queries. Limit the number of the queries per request and the number of selections allowed at the root of each query.
Suppose you have an Album type that has a list of Songs.
{
album(id: 42) {
songs {
title
artists
}
}
}
And perhaps you have a different entry point for a Song and the type allows you to go back up to the Album.
{
song(id: 1337) {
title
album {
title
}
}
}
That opens your server to the possibility of a cyclical query!
query evil {
album(id: 42) {
songs {
album {
songs {
# Depth is covered by graphql-depth-limit...
}
}
}
}
}
album(id: 41) {
songs {
album {
songs {
# but one can add as many selection at the root of the query
}
}
}
}
}
# Creating a single-call-ddos
...
}
# Also, most engines handles any number queries per request! Making another possible single-call-ddos possibility.
query evil2 {
album(id: 42) {
songs {
album {
songs {
...
}
}
}
}
}
...
}
graphql-query-count-limit will limit the number of queries per request and the number of root selections per query.
$ npm install graphql-query-count-limit
It works with any library using graphql-server, such as, apollo-server, express-graphql and koa-graphql.
Here is an example with Express.
import queryLimit from 'graphql-query-count-limit'
import express from 'express'
import graphqlHTTP from 'express-graphql'
import schema from './schema'
const app = express()
app.use('/graphql', graphqlHTTP((req, res) => ({
schema,
validationRules: [ queryLimit(10) ]
})))
The first argument is the maximum number of queries in a single request. This will throw a validation error if more than the allowed amount if queries are specified.
The second, optional, argument is the maximum amount of root selections on any query
queryLimit(
3,
5
)
This library is made thanks to the awesome graphql-depth-limit library that you should always install with graphql-query-count-limit as they are both needed for a better DDOS protection.
Also, once those two librairies are installed, you will still have to make sure that:
FAQs
A validator for the number of queries per request and root selectors per query.
We found that graphql-query-count-limit demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.