Denial of Service via Directive overloading #2888
Comments
#2549 should help out of the box as it's expressly for that attack. The default number of tokens is 15000. Your test above should have been kicked out at 15000 tokens. Hmm, perhaps this is because you are appending them together as We will look into this more. Thanks for reporting
Thanks very much for reporting this problem. We did discover another problem in the ANTLR lexer that nullified our previous attempts to limit how many tokens get parsed. The ANTLR lexer is by design greedy and wants to get as many characters as it can before presenting them back to the parser. Certain grammar (like The end result is that even though the parser had code to limit how many tokens it would process, the underlying lexer was driving CPU work that ended up in DOS territory before a callback to the parser could cause the limits to be applied. See #2892
I have asked in antlr/antlr4#3796 for more ANTLR info here so we can do better at this
Hi @bbakerman,
Closed by #2892
Also closed by #2902 and #2897 (backports). Thanks @bbakerman !
Hello team,
I've discovered that graphql-java is affected by Denial of Service via Directives overloading by default, and there is no way to configure it securely (afaik).
Query example:
I get errors from the implemented security mechanisms, but these mechanisms don't help in this case:
MaxQueryDepthInstrumentation and MaxQueryComplexityInstrumentation don't solve the issue as well.
Query execution time increases by adding more directives:
The code snippet for testing:
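As an added example that is not part of this issue or of graphql-java, the Python pre-scan below shows the mitigation shape the thread converges on: a token budget enforced while the query text is being scanned, so the work spent on a directive-heavy query is bounded by the budget rather than by the input size, instead of a limit that only fires once the parser gets a callback. It uses a deliberately simplified GraphQL lexer of its own (not the project's ANTLR grammar), the 15000-token default quoted above, and constructed sample queries.

```python
import re

# Minimal GraphQL lexical scanner written for this example (not graphql-java's
# ANTLR grammar). Whitespace, commas and comments are "ignored" tokens in GraphQL,
# but a lexer still has to consume them, so they are charged against the budget.
TOKEN_RE = re.compile(r"""
    (?P<ignored>[\s,]+|\#[^\r\n]*)         |
    (?P<directive>@[_A-Za-z][_0-9A-Za-z]*) |
    (?P<name>[_A-Za-z][_0-9A-Za-z]*)       |
    (?P<number>-?\d+(?:\.\d+)?)            |
    (?P<string>"(?:\\.|[^"\\\r\n])*")      |
    (?P<punct>\.\.\.|[!$&():=\[\]{}|])
""", re.VERBOSE)

class QueryTooLarge(ValueError):
    """Raised before any real parsing when a query exceeds its budget."""

def check_query_budget(query, max_tokens=15000, max_directives=None):
    """Scan the raw query once and stop as soon as a budget is exceeded.
    Work on a hostile query is bounded by the budget, not the input length.
    Returns (token_count, directive_count) when within budget."""
    tokens = directives = 0
    pos = 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError("unexpected character at offset %d" % pos)
        pos = m.end()
        tokens += 1
        if tokens > max_tokens:
            raise QueryTooLarge("more than %d lexical tokens" % max_tokens)
        if m.lastgroup == "directive":
            directives += 1
            if max_directives is not None and directives > max_directives:
                raise QueryTooLarge("more than %d directives" % max_directives)
    return tokens, directives

def directive_heavy_query(n):
    """Constructed input in the shape of the report: one field, n directives."""
    return "{ f " + "@a " * n + "}"

# Constructed, benign query used to show that a normal request passes the check.
SAMPLE_QUERY = """# constructed sample query
query Q($id: ID!) {
  user(id: $id) @include(if: true) { name, friends(first: 10) { ...F } }
}
fragment F on User { name }"""
```

Run the check on the raw request body before handing it to the real parser; a rejected query never reaches the lexer that the thread describes as the expensive part.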