
Specific plugin to prevent GraphQL Bombs

Open GauBen opened this issue 3 years ago • 0 comments

Hey there!

We will develop a specific plugin to address a specific vulnerability: GraphQL Bombs.

Potential approach:

  • The plugin will make sure that variables containing files are referenced exactly once. (0 -> waste of bandwidth, 2+ -> potential GraphQL Bomb)

Things we should not block:

  • Requests containing multiple files should not be blocked, as it might be a legitimate use case
  • Aliases/batching should not be blocked, as it might be a legitimate use case

Feel free to share your ideas, we will be working on it in the following weeks.

GauBen · Oct 11 '22 14:10
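As an added illustration of the "referenced exactly once" rule proposed above (example code written for this page, not graphql-armor's plugin), the following dependency-free check counts how often each file-typed variable of an operation is referenced in its body and reports 0 references as wasted bandwidth and 2+ as a possible GraphQL Bomb, while leaving multiple distinct files and aliased fields alone. It assumes file variables are declared with the `Upload` scalar (the name used by the GraphQL multipart request convention) and works on the raw operation string; the sample operation is constructed.

```javascript
// Added example, not graphql-armor code: flag file variables that are referenced
// zero times (wasted upload) or more than once (possible GraphQL Bomb).
// Assumption: file variables are declared with the `Upload` scalar.
const FILE_TYPE_NAMES = new Set(['Upload']);

// Remove block strings, plain strings and # comments so a `$` inside them
// is never mistaken for a variable reference.
function stripIgnored(source) {
  return source
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n\r]*/g, '');
}

// Locate the variable-definition list `( $a: T, $b: U = 1 )` that follows the
// operation keyword and split the document into { definitions, body }.
function splitOperation(source) {
  const cleaned = stripIgnored(source);
  const head = cleaned.match(/^\s*(?:query|mutation|subscription)\b[^({]*\(/);
  if (!head) return { definitions: '', body: cleaned }; // no variables declared
  const open = head[0].length - 1; // index of the opening '('
  let depth = 0;
  let i = open;
  for (; i < cleaned.length; i++) {
    if (cleaned[i] === '(') depth++;
    else if (cleaned[i] === ')' && --depth === 0) break;
  }
  return { definitions: cleaned.slice(open + 1, i), body: cleaned.slice(i + 1) };
}

// Parse `$name: [Type!]! = default` entries into { name, baseType }.
function parseVariableDefinitions(definitions) {
  const vars = [];
  const re = /\$(\w+)\s*:\s*([^$]+)/g;
  let m;
  while ((m = re.exec(definitions)) !== null) {
    const typePart = m[2].split('=')[0];                 // drop any default value
    const baseType = typePart.replace(/[\[\]!\s,]/g, ''); // strip list/non-null markers
    vars.push({ name: m[1], baseType });
  }
  return vars;
}

// One record per file-typed variable: how often it is used and the verdict.
function checkFileVariableUsage(source) {
  const { definitions, body } = splitOperation(source);
  return parseVariableDefinitions(definitions)
    .filter((v) => FILE_TYPE_NAMES.has(v.baseType))
    .map((v) => {
      const refs = body.match(new RegExp('\\$' + v.name + '\\b', 'g')) || [];
      const count = refs.length;
      const verdict = count === 0 ? 'unused-upload' : count === 1 ? 'ok' : 'possible-bomb';
      return { name: v.name, count, verdict };
    });
}

// Constructed sample: the same upload is referenced twice through two aliases.
const SAMPLE_BOMB = `
mutation StoreFiles($file: Upload!, $note: String = "x") {
  first: storeFile(file: $file, note: $note) { id }
  second: storeFile(file: $file) { id }   # same upload referenced again
}`;

console.log(checkFileVariableUsage(SAMPLE_BOMB));
```

The check is deliberately blind to aliases and to how many different file variables an operation declares: an operation sending `$a` and `$b` each used once passes, and only a single variable being fanned out into several fields is reported.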