Note: for support questions, please use stackoverflow. This repository's issues are reserved for feature requests and bug reports.
- What is the current behavior?
I can pass the same field to the query an infinite number of times. Example:
```graphql
query pointLogs($pointId: Int!, $limit: Int = 0, $offset: Int = 0) {
  pointLog(pointId: $pointId, limit: $limit, offset: $offset) {
    id
    created
    user {
      email
      email
      email
      email
      email
      email
      email
      email
      email
      __typename
    }
    data
    origin
    __typename
  }
}
```
As the number of such fields increases, the load on the CPU and RAM increases, and as a result, the service crashes with a 504 error.
I was trying to write a middleware that leaves only unique values in info.field_asts, but load testing did not show any difference.
Googling the problem yielded no results. I also couldn't find any similar situations in the Issues section.
- What is the expected behavior?
The field is resolved only once, and the other fields with the same name are ignored.
- What is the motivation / use case for changing the behavior?
Eliminate such attacks; reduce the load on the CPU and RAM in such cases.
Please tell us about your environment:
graphene = 2.1.9
graphql-core = 2.3.2
graphene-django = 2.15.0
django = 3.2.25
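
An added example, not part of the original issue and not graphene's own code: a standard-library guard that scans the raw query text before it reaches the GraphQL parser and rejects documents that repeat a response key (or fragment spread) within one selection set, or exceed a field budget. The names `check_query` and `QueryRejected`, the limits and the sample query are assumptions for illustration.

```python
import re
from collections import Counter

# Lexemes the guard needs: strings/comments (skipped), punctuators, names.
TOKEN = re.compile(
    r'"""(?:\\"""|[\s\S])*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*'
    r'|\.\.\.|[{}()@:]|[_A-Za-z][_0-9A-Za-z]*')

class QueryRejected(ValueError):
    pass

# Constructed sample that mirrors the repeated-field query in the issue.
SAMPLE = "query { user { " + "email " * 9 + "__typename } }"

def check_query(source, max_fields=500, max_repeat=3, max_bytes=20_000):
    """Return (total_fields, worst_repeat); limits are assumed defaults."""
    if len(source) > max_bytes:
        raise QueryRejected("query text too large")
    stack = []  # one Counter of response keys per open selection set
    parens = skip = total = worst = 0
    prev = ""
    for match in TOKEN.finditer(source):
        tok = match.group()
        if tok[0] in '"#':
            continue                          # string literal or comment
        if tok in ("(", ")"):
            parens = max(parens + (1 if tok == "(" else -1), 0)
        elif parens:
            pass                              # arguments, variable definitions
        elif tok == "{":
            stack.append(Counter())
            skip = 0
        elif tok == "}":
            del stack[-1:]                    # safe on unbalanced input
        elif tok in ("@", ":"):
            skip = 1                          # directive name / aliased field
        elif tok == "..." or skip:
            skip = 0
        elif tok == "on" and prev == "...":
            skip = 1                          # type condition follows
        elif stack:                           # response key or fragment spread
            key = "..." + tok if prev == "..." else tok
            stack[-1][key] += 1
            total += 1
            worst = max(worst, stack[-1][key])
            if total > max_fields or worst > max_repeat:
                raise QueryRejected(f"limit hit at {key!r}: repeat={worst}, total={total}")
        prev = tok
    return total, worst
```

Call it on the request body before passing the query to the schema, and answer with HTTP 400 when `QueryRejected` is raised.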