Summary
One can pass `limit: null` to GraphQL queries to bypass the configured maximum of 1000 here (stacker.news/api/resolvers/index.js, lines 51 to 55 in 6179ffb):

```js
const limit = createIntScalar({
  name: 'Limit',
  description: 'Limit custom scalar type',
  maximum: 1000
})
```
Details
I tried to fix this via `validate` in `createIntScalar`, but it doesn't run if we pass null.
I also tried to set a default value in our typedefs, but it's only used if the argument is not given at all.
I guess we have to use a raw `GraphQLScalarType` definition to fix this.
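To make the mechanism concrete, here is an added example in plain Node.js. It is not stacker.news code and does not use the graphql-scalar or graphql-js API; `parseLimitValue`, `coerceNullableArg`, `queryItems`, `normalizeLimit`, the page size of 21 and the 10819-row table are all constructed for the demo. It models nullable-argument coercion, which hands an explicit null to the resolver without calling the scalar's parser (so the maximum of 1000 is never checked), and shows a resolver-side guard that restores the bound whatever the scalar did.

```javascript
'use strict';

// Added example, not stacker.news code. It models the behaviour described in
// the report: the custom scalar only parses non-null input, so a maximum
// enforced in the scalar never sees `limit: null`, and the value that reaches
// the resolver (and the query) is null. MAX_LIMIT mirrors the report;
// DEFAULT_LIMIT and the row count are assumed values for the demo.

const MAX_LIMIT = 1000;
const DEFAULT_LIMIT = 21; // assumed page size for the example

// Hypothetical stand-in for a bounded Int scalar's parse step (not graphql-scalar).
function parseLimitValue(value) {
  if (!Number.isInteger(value)) {
    throw new TypeError(`Limit must be an integer, got ${typeof value}`);
  }
  if (value < 1 || value > MAX_LIMIT) {
    throw new RangeError(`Limit must be between 1 and ${MAX_LIMIT}, got ${value}`);
  }
  return value;
}

// Simplified model of argument coercion for a nullable argument: an explicit
// null (or an omitted argument) is passed through without calling the scalar.
function coerceNullableArg(value, parseValue) {
  if (value === null || value === undefined) return value;
  return parseValue(value);
}

// Constructed table standing in for the items relation (10819 rows, as in the
// report's local db).
const ITEMS = Array.from({ length: 10819 }, (_, i) => ({ id: i + 1 }));

// Stand-in for running `SELECT ... LIMIT $limit`: in PostgreSQL a NULL limit
// is the same as omitting the LIMIT clause, so every row comes back.
function queryItems(limit) {
  const rows = limit === null || limit === undefined ? ITEMS : ITEMS.slice(0, limit);
  return { items: rows, cursor: rows.length ? String(rows[rows.length - 1].id) : null };
}

// Vulnerable shape: the resolver trusts the scalar and forwards the argument as-is.
function itemsResolverVulnerable(args) {
  const limit = coerceNullableArg(args.limit, parseLimitValue);
  return queryItems(limit);
}

// Resolver-side guard, the one place that actually sees null/undefined:
// missing or null -> default page size; oversized -> clamped; junk -> rejected.
function normalizeLimit(limit) {
  if (limit === null || limit === undefined) return DEFAULT_LIMIT;
  if (!Number.isInteger(limit) || limit < 1) {
    throw new RangeError(`invalid limit: ${limit}`);
  }
  return Math.min(limit, MAX_LIMIT);
}

// Hardened shape: bound the limit in the resolver regardless of what the scalar did.
function itemsResolverFixed(args) {
  const limit = normalizeLimit(coerceNullableArg(args.limit, parseLimitValue));
  return queryItems(limit);
}

// Usage
console.log(itemsResolverVulnerable({ limit: null }).items.length); // 10819: scalar bypassed
console.log(itemsResolverFixed({ limit: null }).items.length);      // 21: default applied
```

Because the scalar is bypassed for null, the bound has to be enforced where null is actually visible: in the resolver, as above, or by declaring the argument non-null in the schema with a default value, in which case an explicit `null` is rejected at validation time and an omitted argument gets the default.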
PoC
```graphql
query {
  items(limit: null) {
    items {
      id
    }
    cursor
  }
}
```
This returns 3573 items, more than the maximum.
Impact
Maybe DoS, but I'm not sure; I didn't test in prod. There are 10819 items in my local db, so it does not return all items, but maybe only because of filters, so it might still actually go through the whole table on the server.