
Ability to Disable or Restrict Query Batching in Apollo-Server

Open nin-ack opened this issue 1 year ago • 4 comments

Feature Request

I would like to propose an enhancement to Apollo that allows users to restrict or disable request batching for specific objects, or server-wide, in order to mitigate potential security risks. Appears to be something that was previously discussed and referenced here.

Security Risks/Reasoning

Batching queries can be useful, however when applied to sensitive objects it can result in security issues like:

  • Password Spraying Brute-forcing
  • Two-Factor/MFA OTP Bypasses
  • Account Enumeration
  • General Denial of Service

and more.

OWASP Reference.

If this already exists elsewhere I apologize, I was unable to find a matching request ticket.

nin-ack avatar Jul 05 '23 18:07 nin-ack

Batching is disabled by default in AS4 and configurable to be enabled if it's desired. https://www.apollographql.com/docs/apollo-server/migration/#http-batching-is-off-by-default

trevor-scheer avatar Jul 06 '23 19:07 trevor-scheer

Hm, after re-reading I see your question might be a bit more specific. Let me know if that's the solution you're looking for or if you're suggesting something more fine-grained (i.e. a function that's called per-request that evaluates to true/false to block some requests and not others).

trevor-scheer avatar Jul 06 '23 19:07 trevor-scheer

@trevor-scheer I wasn't aware of it being disabled in v4 so thank you for that!

The feature(s) I was envisioning were:

  1. Ability to disable it, which appears satisfied via allowBatchedHttpRequests: true.
  2. Ability to disable, or enable, it in specific objects/operations e.g., if it was enabled server-wide but wanted to allowlist a few areas that it should be supported for, or though less optimal, disable it in those same areas.

Appreciate the discussion!

nin-ack avatar Jul 07 '23 18:07 nin-ack

Glad that helps. I'm not certain I know what you mean for 2, but I think I understand. Are you just saying that you'd like to inspect the request and/or operation(s) in order to permit or block the request?

If so, you could handle this logic in your context function. Unfortunately you don't have resolved operations / parsed documents yet so you might duplicate that work.

Plugins do receive the information that a graphql request "belongs" to a batched http request (along with all the other information you might need to make a decision about an operation) and can throw various errors / set status codes accordingly which will prevent execution. Is that the behavior you're looking for?

trevor-scheer avatar Jul 07 '23 19:07 trevor-scheer
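A plugin of the kind described in the previous comment, as an added example that is not from this thread or from Apollo Server itself: it uses AS4's `requestIsBatched`, `operation` and `document` fields on the request context to refuse sensitive top-level fields (a constructed list) when they arrive inside a batched HTTP request, and follows fragment spreads so a spread cannot hide the field.

```javascript
// Added example, not Apollo's code: an Apollo Server 4 plugin that refuses to execute
// sensitive operations inside a batched HTTP request. SENSITIVE_FIELDS is constructed.
let GraphQLError;
try { ({ GraphQLError } = require('graphql')); } catch {
  // Minimal stand-in so this file also runs where the graphql package is absent.
  GraphQLError = class extends Error {
    constructor(message, options) { super(message); this.extensions = options?.extensions ?? {}; }
  };
}

// Top-level fields (login, OTP check, reset) that a batch must not be able to multiply.
const SENSITIVE_FIELDS = new Set(['login', 'verifyOtp', 'requestPasswordReset']);

// Collect top-level field names, following inline fragments and fragment spreads so a
// spread cannot hide `login`. Validation already ran, so fragment cycles are impossible.
function topLevelFields(selectionSet, fragments, out = new Set()) {
  for (const sel of selectionSet.selections) {
    if (sel.kind === 'Field') out.add(sel.name.value);
    else if (sel.kind === 'InlineFragment') topLevelFields(sel.selectionSet, fragments, out);
    else if (sel.kind === 'FragmentSpread' && fragments.has(sel.name.value))
      topLevelFields(fragments.get(sel.name.value).selectionSet, fragments, out);
  }
  return out;
}

// Pure decision used by the hook: sensitive fields hit by a batched request, else [].
function batchedSensitiveFields(requestContext) {
  if (!requestContext.requestIsBatched || !requestContext.operation) return [];
  const fragments = new Map((requestContext.document?.definitions ?? [])
    .filter((d) => d.kind === 'FragmentDefinition').map((d) => [d.name.value, d]));
  return [...topLevelFields(requestContext.operation.selectionSet, fragments)]
    .filter((f) => SENSITIVE_FIELDS.has(f));
}

function noBatchedSensitiveOpsPlugin() {
  return {
    // didResolveOperation runs after parse/validate (AST available) and before any
    // resolver executes; the thrown GraphQLError's extensions.http sets the HTTP status.
    async requestDidStart() {
      return { async didResolveOperation(requestContext) {
        const hit = batchedSensitiveFields(requestContext);
        if (hit.length === 0) return;
        throw new GraphQLError(`${hit.join(', ')} may not be called in a batched request`, {
          extensions: { code: 'BATCHING_NOT_ALLOWED', http: { status: 403 } },
        });
      } };
    },
  };
}
```

Register it with `new ApolloServer({ schema, allowBatchedHttpRequests: true, plugins: [noBatchedSensitiveOpsPlugin()] })`; unbatched calls to the same fields are unaffected, so normal rate limiting on those still applies.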