graphql-engine icon indicating copy to clipboard operation
graphql-engine copied to clipboard

Published 20 hours ago verified publisher icon hasura

Request for HASURA_GRAPHQL_MAX_ALIAS_COUNT configurable in Hasura Cloud instance

Open alex-sl-eng opened this issue 1 year ago • 3 comments

Is your proposal related to a problem?

We need the option to configure the limitation of alias allowed in single GraphQL query to address batching attack (a known security issue in GraphQL)

https://lab.wallarm.com/graphql-batching-attack/

Describe the solution you'd like

Ability to configure the alias limitation in Hasura Cloud instance: HASURA_GRAPHQL_MAX_ALIAS_COUNT

Describe alternatives you've considered

None

alex-sl-eng avatar Dec 05 '24 00:12 alex-sl-eng

Reported to team. Thanks.

seanparkross avatar Dec 19 '24 10:12 seanparkross

Hey team reported based on my feedback, is there a different label that can be added as this can be used as an attack on the GQL server?

sachsom95 avatar Dec 27 '24 17:12 sachsom95

@seanparkross any updates on this request?

alex-sl-eng avatar Feb 25 '25 00:02 alex-sl-eng