Open
Description
Reporting issues with GraphQL-core 3
In my tests the construction of a deep request tree fails with recursion problems.
The problem is a recursive approach in the generation of the graphql request tree (this is why I created the  test).
Next to denial of service it is most probably possible to cause resource exhaustion attacks by passing big graphs.
There should be two changes:
- a "stack free" (not really stack free but the recursion depth is drastically reduced) approach in generating the input graph. I did something with generators in my project, graphene-protector: https://github.com/devkral/graphene-protector
- a node limit after which the generation of the input graph is stopped with an error
I am not sure if the cost spec (https://ibm.github.io/graphql-specs/cost-spec.html) can fix this. The changes must take place while generating the requested input graph.
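The two changes requested above, sketched as an added example (not code from the issue author, graphene-protector or GraphQL-core): a selection tree built with an explicit stack instead of recursion, with node and depth limits enforced during construction. The grammar is a simplified assumption (field names and braces only), and `build_selection_tree`, `QueryLimitError`, `max_nodes` and `max_depth` are hypothetical names.

```python
import re

class QueryLimitError(Exception):
    """The query exceeded the node or depth budget."""

# Simplified lexer (assumption): only field names and braces. Arguments,
# fragments, aliases, strings and comments are outside this sketch.
_TOKEN = re.compile(r"\s*(?:([{}])|([_A-Za-z][_0-9A-Za-z]*))")

def build_selection_tree(query, max_nodes=1000, max_depth=50):
    """Build a {'name', 'children'} tree with an explicit stack, no recursion.

    Returns (root, node_count). Limits are enforced while the tree is being
    built, so an oversized query is rejected before it is fully materialised.
    """
    root = {"name": "<root>", "children": []}
    stack = []      # fields whose selection set is currently open
    last = root     # field that the next '{' would open
    nodes, pos, query = 0, 0, query.rstrip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at offset {pos}")
        pos = m.end()
        brace, name = m.groups()
        if name:
            if not stack:
                raise ValueError("field outside a selection set")
            nodes += 1
            if nodes > max_nodes:
                raise QueryLimitError(f"query has more than {max_nodes} nodes")
            last = {"name": name, "children": []}
            stack[-1]["children"].append(last)
        elif brace == "{":
            if last is None:
                raise ValueError("'{' without a preceding field")
            if len(stack) >= max_depth:
                raise QueryLimitError(f"query is nested deeper than {max_depth}")
            stack.append(last)
            last = None
        else:  # "}"
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            last = None
    if stack:
        raise ValueError("unbalanced '{'")
    return root, nodes
```

Because the only state is the `stack` list, a query nested thousands of levels deep either builds normally (if the limits allow it) or fails with `QueryLimitError`, never with `RecursionError`.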