Locking down the GraphQL endpoint · guacsec/trustify · Discussion #642

chirino
Aug 6, 2024

I noticed that the project has a GraphQL endpoint.

I'm a big fan of GraphQL for locked down aka (white listed queries). I'm not a fan of it for ad-hoc queries because It's typically easy to construct queries that can DOS your app. So do we have any strategies to mitigate this issue?

Replies: 5 comments 5 replies

i386x
Aug 9, 2024
Collaborator

that can DOS your app.

Hijacking the discussion. Recently I found this commit and I am a bit afraid if someone can upload hand-crafted SBOMs and then initiate delete operation with an intention to DOS application on the worst gc performance scenario? Based on theory, a (directed) graph with N nodes can have at most N*N edges so traversing such a graph-like data structure, like the one stored in Postgres database, may also require N*N operations. On the other hand the same number of operations can be probably needed when storing a sinister SBOMs to the database so my concerns are probably just a false alarm. What do you think?