
Subscription fingerprint includes the operation name

Open · such opened this issue 2 years ago · 1 comment

Describe the bug
Not entirely sure this is a bug, but I'd like to make sure. The subscription fingerprint changes when the operationName of the GraphQL subscription changes. This makes it easy to DDoS by sending a lot of subscriptions that vary only in their name.

Versions
ruby: 3.1.1
rails (or other framework): 7.0
graphql: 2.0.7
graphql-anycable: 1.1.3
anycable: 1.3

GraphQL query

How do you subscribe to subscriptions?

subscription F180a0bde0a1 {
    aCommentWasUpdated {
        id
    }
}

Expected behavior
If possible, all of those subscriptions would have the same fingerprint.

Actual behavior
We ended up with 1000s of different fingerprints.

such · May 09 '22 07:05

We rely on GraphQL-Ruby to generate these fingerprints via its GraphQL::Subscriptions::Event#fingerprint, see here: https://github.com/anycable/graphql-anycable/blob/736501cedd9820f3c481c6fd3b8da2c1b605f8be/lib/graphql/subscriptions/anycable_subscriptions.rb#L150-L153

This in turn uses GraphQL::Query#fingerprint and GraphQL::Query#operation_fingerprint, which always include the selected operation name (as a query can have multiple operations but only one is used).

While it is possible to get access to the parsed query from GraphQL-Ruby and juggle with it (extracting only the part of the query for the currently selected operation and hashing it), I would prefer to avoid it if possible.

So, please open an issue in the GraphQL-Ruby repo here: https://github.com/rmosolgo/graphql-ruby/issues

Envek · May 10 '22 07:05
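The effect discussed above, as an added example that is not part of the issue and not code from graphql-anycable or GraphQL-Ruby: it builds a name-dependent fingerprint of the "operation name / hash of query text" shape the thread describes, a name-independent alternative that strips the operation name before hashing, and a small per-client churn check on the server side. SHA-256 as the hash, the regex-based name strip (single-operation documents only; a real implementation would select the operation with GraphQL-Ruby's parser, as Envek describes), the renamed sample subscriptions and the FingerprintChurn helper are all assumptions of this example.

```ruby
require "digest"

# Added example (not graphql-anycable's or GraphQL-Ruby's code). It shows why a
# fingerprint that embeds the operation name lets one client mint unbounded
# distinct subscriptions, and contrasts it with a name-independent fingerprint
# plus a per-client churn check. The hash function and the "name/hash" layout
# are assumptions that mimic the shape described in the thread; the regex
# handles single-operation documents only.
module SubscriptionFingerprint
  OP_HEADER = /\A\s*(query|mutation|subscription)\s+([A-Za-z_][A-Za-z0-9_]*)/

  # Name-dependent fingerprint: "<operation name>/<hash of the raw query text>".
  # Every rename produces a new fingerprint even when the selection set is identical.
  def self.name_dependent(query_string)
    name = query_string[OP_HEADER, 2]
    "#{name}/#{Digest::SHA256.hexdigest(query_string)}"
  end

  # Name-independent fingerprint: drop the operation name, collapse whitespace,
  # then hash. Renamed and re-indented copies of the same subscription collapse
  # to one value (anonymous "subscription { ... }" collapses to it as well).
  def self.name_independent(query_string)
    normalized = query_string.sub(OP_HEADER, '\1').gsub(/\s+/, " ").strip
    Digest::SHA256.hexdigest(normalized)
  end

  # Constructed input: `count` copies of the subscription from the report,
  # differing only in their operation name.
  def self.renamed_subscriptions(count)
    (1..count).map do |i|
      "subscription Op#{i} {\n    aCommentWasUpdated {\n        id\n    }\n}"
    end
  end

  # Returns how many distinct fingerprints each scheme yields for `count` renamed copies.
  def self.distinct_counts(count)
    queries = renamed_subscriptions(count)
    {
      name_dependent: queries.map { |q| name_dependent(q) }.uniq.size,
      name_independent: queries.map { |q| name_independent(q) }.uniq.size
    }
  end
end

# Detection side: flag a client that accumulates more distinct subscription
# fingerprints than a normal client ever would. Hypothetical helper; in a real
# deployment the store would be shared (e.g. Redis) and windowed by time.
class FingerprintChurn
  def initialize(max_distinct:)
    @max_distinct = max_distinct
    @seen = Hash.new { |h, k| h[k] = {} }
  end

  # Records one subscription attempt; returns true once the client exceeds the limit.
  def record(client_id, fingerprint)
    @seen[client_id][fingerprint] = true
    @seen[client_id].size > @max_distinct
  end

  # Returns the 1-based attempt at which `client_id` would first be flagged when
  # sending the given fingerprints in order, or nil if it never is.
  def self.first_flagged_at(fingerprints, client_id: "client-1", max_distinct: 50)
    monitor = new(max_distinct: max_distinct)
    fingerprints.each_with_index do |fp, i|
      return i + 1 if monitor.record(client_id, fp)
    end
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  counts = SubscriptionFingerprint.distinct_counts(1000)
  puts "distinct fingerprints for 1000 renamed subscriptions: #{counts}"
  fps = SubscriptionFingerprint.renamed_subscriptions(1000)
                               .map { |q| SubscriptionFingerprint.name_dependent(q) }
  puts "client flagged at attempt #{FingerprintChurn.first_flagged_at(fps)}"
end
```

With the name-dependent scheme the 1000 renamed copies produce 1000 fingerprints, matching the report; with the name stripped they produce one. The churn check is independent of which fingerprint scheme is in use and flags the client on the 51st distinct fingerprint with the default limit of 50.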