graphql-query-complexity

Include meta fields (__typename, __type, __schema) against total field complexity

Open jvanst opened this issue 1 year ago • 1 comments

What

Update QueryComplexity.ts to count meta fields against total complexity. The current implementation only considers fields included in the schema, which omits: __typename, __type and __schema.

Why

Denial of service attacks are possible by creating many aliases of meta fields:

query LargeQuery {
  __typename
  alias1: __typename
  alias2: __typename
  ...
  alias1000: __typename
}

Considerations

If counting each field as 1 cost, common introspection queries will have a cost around 180. Consumers of the library may need to increase the maximum.

jvanst avatar Oct 06 '23 15:10 jvanst
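The gap described in the issue above, as an added example that is not graphql-query-complexity's code or part of the original post: a minimal cost counter for a GraphQL subset (aliases and nested selection sets only), run with and without meta fields counted. The function names, the `countMeta` option and the limit of 200 are assumptions made for this illustration.

```javascript
// Added example (hypothetical names): cost of 1 per selected field.
// Handles only aliases and nested selection sets; no arguments,
// fragments or directives. Not the library's implementation.
const META_FIELDS = new Set(['__typename', '__type', '__schema']);

// Split the query into names and the punctuation this subset uses.
function tokenize(query) {
  return query.match(/[A-Za-z_][A-Za-z0-9_]*|[{}:]/g) || [];
}

// With countMeta=false, meta fields cost 0 (the behaviour the issue reports).
function fieldCost(query, { countMeta }) {
  const tokens = tokenize(query);
  let i = tokens.indexOf('{'); // skip "query Name"
  if (i < 0) throw new Error('no selection set');
  let cost = 0;
  let depth = 0;
  for (; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '{') { depth++; continue; }
    if (t === '}') { depth--; continue; }
    if (t === ':') continue;
    // A name followed by ':' is an alias; the field name comes after it.
    const name = tokens[i + 1] === ':' ? tokens[(i += 2)] : t;
    if (countMeta || !META_FIELDS.has(name)) cost++;
  }
  if (depth !== 0) throw new Error('unbalanced braces');
  return cost;
}

// Constructed input: the aliased __typename query from the issue, n aliases.
function buildAliasQuery(n) {
  const aliases = Array.from({ length: n }, (_, k) => `  alias${k + 1}: __typename`);
  return `query LargeQuery {\n  __typename\n${aliases.join('\n')}\n}`;
}

// Reject a query whose cost exceeds maxCost.
function enforce(query, maxCost, opts) {
  const cost = fieldCost(query, opts);
  return { cost, allowed: cost <= maxCost };
}

const q = buildAliasQuery(1000);
console.log(enforce(q, 200, { countMeta: false })); // meta fields ignored
console.log(enforce(q, 200, { countMeta: true }));  // meta fields counted
```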

@jvanst Good catch! Thanks for the PR. Would you mind adding some tests for this?

ivome avatar Oct 09 '23 13:10 ivome

@ivome @jvanst very important changes, any news on this pr?

Squarix avatar May 23 '24 12:05 Squarix

Obsolete with #92 merged

ivome avatar May 28 '24 16:05 ivome