
DoS by using invalid queries

Open johannespfeiffer opened this issue 4 years ago • 1 comments

When creating invalid queries, e.g. by using fields that do not exist, we can bypass the complexity costs.

Let's say the request contains 30k very small and invalid queries, then we will have at least 30k errors in the response. I would have expected that this goes into the maximumCost calculation when using defaultCost: 1.

johannespfeiffer, Feb 03 '20 14:02

I suspect this problem is outside of the scope of this library. It likely depends on the server implementation you are using with this package. Relates to https://github.com/graphql/graphql-js/pull/2074

ravangen, Apr 23 '20 23:04
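
A mitigation that sits outside the library, as an added example that is not part of the original thread or of graphql-cost-analysis: a size and token budget applied to the raw query text before it is handed to the GraphQL server, so a request carrying thousands of small invalid fields is refused early. The function names and the limits are assumptions, and the token count is an approximation of the GraphQL lexer.

```javascript
// Added example: the limits and function names here are assumptions,
// not part of graphql-cost-analysis or graphql-js.
const IGNORED = new Set([' ', '\t', '\n', '\r', ',', '\uFEFF']);

// Counts lexical tokens approximately and stops as soon as the budget is
// exceeded, so the scan never processes more than maxTokens + 1 tokens.
function countTokens(source, maxTokens) {
  let tokens = 0;
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    if (IGNORED.has(ch)) { i++; continue; }
    if (ch === '#') {                       // comment runs to end of line
      while (i < source.length && source[i] !== '\n') i++;
      continue;
    }
    if (source.startsWith('"""', i)) {      // block string
      const end = source.indexOf('"""', i + 3);
      i = end === -1 ? source.length : end + 3;
    } else if (ch === '"') {                // ordinary string with backslash escapes
      i++;
      while (i < source.length && source[i] !== '"' && source[i] !== '\n') {
        i += source[i] === '\\' ? 2 : 1;
      }
      i++;
    } else if (source.startsWith('...', i)) {
      i += 3;
    } else if (/[A-Za-z_]/.test(ch)) {      // name
      while (i < source.length && /[A-Za-z0-9_]/.test(source[i])) i++;
    } else if (/[0-9-]/.test(ch)) {         // number
      i++;
      while (i < source.length && /[0-9.eE+-]/.test(source[i])) i++;
    } else {
      i++;                                  // punctuator, or a character the parser will reject
    }
    if (++tokens > maxTokens) return { ok: false, tokens };
  }
  return { ok: true, tokens };
}

// Gate to call on the raw query string before the server parses or validates it.
function admitQuery(source, { maxChars = 20000, maxTokens = 1000 } = {}) {
  if (typeof source !== 'string' || source.length > maxChars) {
    return { ok: false, reason: 'query too large' };
  }
  const { ok, tokens } = countTokens(source, maxTokens);
  return ok ? { ok, tokens } : { ok, reason: 'token budget exceeded' };
}
```
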