Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Denial of service attack

See original GitHub issue

It was very easy to craft a query that caused the playground to crash. It seems that this query took over 25 seconds to respond to, and the content of the response seems to be 18 MB (!)

query HeroAndFriends {
  hero {
    name
    friends {
      friends {
        friends {
          friends {
            friends {
              friends {
                friends {
                  friends {
                    friends {
                      name
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

Subsequent queries result in 503 Service Unavailable.

Another worrying point is that there seem to be just a few unique characters, which are embedded recursively in the response. They could have been de-duplicated to avoid such a massive response.

Issue Analytics

State:
Created 7 years ago
Comments:6 (2 by maintainers)

Top GitHub Comments

4reactions

OlegIlyenkocommented, Mar 14, 2017

but rather how no effort is made to actually optimize DB querying

I would appreciate if you could elaborate on this statement and maybe provide some context. Are you talking about specific service you have in production?

I suggest that IDs should be memoized during a query and checked whether it has already been looked up within the same query to avoid unnecessary reading from disk multiple times.

If I understand your suggestion correctly, then this feature is already provided by sangria. I would recommend you to check the documentation of Fetch API (“Caching” subsection):

http://sangria-graphql.org/learn/#high-level-fetch-api

Or you can just ignore constructive criticism.

I don’t find this statement constructive 😃 If you believe that particular point, that you have raised, is being ignored, I would appreciate if you could repeat it and maybe describe it in more detail and how it relates to sangria implementation.

1reaction

benwilson512commented, Mar 14, 2017

@daliwali Is this is an issue with sangria or just a general criticism of GraphQL? If the former, you may want to avoid using public playgrounds on heroku as a benchmark of a technology. If the latter this may not be the most useful location for it.

Top Results From Across the Web

What is a denial of service attack (DoS) ? - Palo Alto Networks

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS...

Understanding Denial-of-Service Attacks | CISA - US-CERT

A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due ...

Denial-of-service attack - Wikipedia

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable...

What is a denial-of-service (DoS) attack? - Cloudflare

A denial-of-service (DoS) attack is a malicious attempt to overwhelm an online service and render it unusable. Learn more about DoS attacks.

What is a Denial-of-Service Attack? - TechTarget

A denial-of-service (DoS) attack is a security threat that occurs when an attacker makes it impossible for legitimate users to access computer systems,...