Options to secure API

Question

Options to secure API

lee-pai-long opened this issue 8 months ago · comments

Saïdina MOHAMED ALI commented 8 months ago

Is your feature request related to a problem? Please describe.
I used graphql-cop to test my graphql API built using Graphene Django and the result is as follows:

[HIGH] Alias Overloading - Alias Overloading with 100+ aliases is allowed (Denial of Service - /graphql)
[HIGH] Directive Overloading - Multiple duplicated directives allowed in a query (Denial of Service - /graphql)
[HIGH] Field Duplication - Queries are allowed with 500 of the same repeated field (Denial of Service - /graphql)
[LOW] Field Suggestions - Field Suggestions are Enabled (Information Leakage - /graphql)
[MEDIUM] GET Method Query Support - GraphQL queries allowed using the GET method (Possible Cross Site Request Forgery (CSRF) - /graphql)
[HIGH] Introspection - Introspection Query Enabled (Information Leakage - /graphql)
[HIGH] Introspection-based Circular Query - Circular-query using Introspection (Denial of Service - /graphql)
[MEDIUM] POST based url-encoded query (possible CSRF) - GraphQL accepts non-JSON queries over POST (Possible Cross Site Request Forgery - /graphql)

I would like to have options for example to disable or limit use of aliases to prevent Alias Overloading but I can't find options to mitigate this or the other attacks.

Describe the solution you'd like
Is it possible to provide options to mitigate those attacks in a futur version of graphene-django ?

Describe alternatives you've considered
...

Additional context
...

Kien Dang · Answer 1 · Tue Nov 21 2023 18:48:33 GMT+0800 (China Standard Time)

Is this something that could be solved with a custom ValidationRule? You might want to take a look at #1475.

Saïdina MOHAMED ALI · Answer 2 · Wed Nov 22 2023 17:47:45 GMT+0800 (China Standard Time)

Hi @kiendang the instrospection can be solve with that yes, but not the rest.

Kien Dang · Answer 3 · Wed Nov 22 2023 17:57:50 GMT+0800 (China Standard Time)

I think a few of these, Alias Overloading, Directive Overloading and Field Duplication could be solved by writing a custom ValidationRule that analyses the query.

The CSRF issues could be solved by configuring Django if I'm not wrong.

Saïdina MOHAMED ALI · Answer 4 · Wed Nov 22 2023 18:02:30 GMT+0800 (China Standard Time)

@kiendang but how to limit the number of aliases, directives and field in a custom validation rule ?

Kien Dang · Answer 5 · Wed Nov 22 2023 18:14:40 GMT+0800 (China Standard Time)

I guess you could traverse the AST and count the number of occurrences? See Implementing a custom ValudationRule and the Visitor class.

Anw I'm converting this to a discussion which I think is more appropriate.