
How to disable multi-operation queries

Open xxia-brex opened this issue 3 years ago • 1 comments

How can we disable multi-operation queries like "[{"operationName":"xxx1","variables":{},"query":"query xxx1 {}"}, {"operationName":"xxx2","variables":{},"query":"query xxx2 {}"}, {"operationName":"xxx3","variables":{},"query":"query xxx3 {*********}"},, ...repeat 1000x..."

For security reasons, we prefer to only allow a single operation per HTTP request.

xxia-brex avatar Mar 04 '21 07:03 xxia-brex

I think the right path here is a relatively simple batching: false option we enable on the plug.

Per our conversation on Slack, a temporary workaround could be to add the following plug ahead of your Absinthe.Plugs:

defmodule MyAppWeb.PreventBatchGraphQL do
  @behaviour Plug

  @impl Plug
  def init(opts), do: opts

  # Must run after Plug.Parsers so that conn.body_params is populated.
  # Plug.Parsers.JSON stores a top-level JSON array under the "_json" key,
  # which is how an Apollo-style batch of operations shows up here.
  @impl Plug
  def call(conn, _opts) do
    case conn.body_params do
      %{"_json" => _} -> unprocessable(conn)
      %{"operations" => _} -> unprocessable(conn)
      _ -> conn
    end
  end

  defp unprocessable(conn) do
    conn
    |> Plug.Conn.send_resp(422, "batching not permitted")
    |> Plug.Conn.halt()
  end
end

benwilson512 avatar Mar 04 '21 07:03 benwilson512
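The following is an added example, not code from the absinthe_plug project or from either commenter. It generalizes the workaround above into a plug with a configurable per-request operation cap (defaulting to one, which is the behaviour asked for), fails closed when the body was never parsed, and includes an ExUnit test that drives a single-operation request and a constructed 1000-operation batch through Plug.Parsers and the plug to show which one is halted. Module names, the `/api/graphql` path and the use of Jason as the JSON decoder are assumptions.

```elixir
# Added example: cap the number of GraphQL operations per HTTP request.
# Assumes Plug.Parsers (with the :json parser) runs earlier in the pipeline,
# exactly as Absinthe.Plug already requires. Module names are hypothetical.
defmodule MyAppWeb.LimitGraphQLBatch do
  @behaviour Plug
  import Plug.Conn

  @impl Plug
  def init(opts), do: Keyword.put_new(opts, :max_operations, 1)

  @impl Plug
  def call(conn, opts) do
    max = Keyword.fetch!(opts, :max_operations)

    case operation_count(conn.body_params) do
      {:ok, n} when n <= max -> conn
      {:ok, n} -> reject(conn, "batch of #{n} operations exceeds limit of #{max}")
      :unchecked -> reject(conn, "request body not parsed; batch size unknown")
    end
  end

  # Plug.Parsers.JSON stores a top-level JSON array under "_json";
  # a single operation arrives as a plain map with a "query" key.
  defp operation_count(%{"_json" => ops}) when is_list(ops), do: {:ok, length(ops)}
  defp operation_count(%{"operations" => ops}) when is_list(ops), do: {:ok, length(ops)}
  # Fail closed: if Plug.Parsers never ran we cannot make the check at all.
  defp operation_count(%Plug.Conn.Unfetched{}), do: :unchecked
  defp operation_count(_), do: {:ok, 1}

  defp reject(conn, reason) do
    conn
    |> send_resp(422, reason)
    |> halt()
  end
end

# Added test: exercises the plug with a single operation and with a
# constructed 1000-operation batch (same shape as the payload in the question).
defmodule MyAppWeb.LimitGraphQLBatchTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @plug_opts MyAppWeb.LimitGraphQLBatch.init([])
  @parser_opts Plug.Parsers.init(parsers: [:json], json_decoder: Jason)

  defp post_json(body) do
    conn(:post, "/api/graphql", body)
    |> put_req_header("content-type", "application/json")
    |> Plug.Parsers.call(@parser_opts)
    |> MyAppWeb.LimitGraphQLBatch.call(@plug_opts)
  end

  test "a single operation passes through untouched" do
    conn = post_json(~s({"operationName":"q","variables":{},"query":"query q { __typename }"}))
    refute conn.halted
  end

  test "a 1000-operation batch is rejected with 422" do
    op = ~s({"operationName":"q","variables":{},"query":"query q { __typename }"})
    body = "[" <> Enum.join(List.duplicate(op, 1000), ",") <> "]"
    conn = post_json(body)
    assert conn.halted
    assert conn.status == 422
  end
end
```

Place `plug MyAppWeb.LimitGraphQLBatch` in the router pipeline after `Plug.Parsers` and before `Absinthe.Plug` (or `Absinthe.Plug.GraphiQL`); raising the cap is `plug MyAppWeb.LimitGraphQLBatch, max_operations: 5`. Note that the check only sees the HTTP-level batch: a single document that defines many operations, or one operation with a very deep or wide selection set, is a separate concern handled by Absinthe's own complexity and depth analysis.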