Bug: Cannot limit number of results using auth directive to prevent malicious queries

We are trying to prevent users from requesting too many documents by setting a big number in the first argument.

What edition and version of Dgraph are you using?

v21.03.1

Have you tried reproducing the issue with the latest release?

Yes, the bug can be reproduced in Dgraph Cloud too.

Steps to reproduce the issue (paste the query/schema if possible)

Try this schema:

type Todo
  @auth(
    query: {
      rule: """
      query {
          queryTodo(first: 2) {
              id
          }
      }
      """
    }
  ) {
  id: ID!
  text: String! @search(by: [term])
  owner: String! @search(by: [hash])
}

And after that add more than 2 Todo.
After running this query: query { queryTodo { id } }
The result is:

 "queryTodo": [
      {
        "id": "0x4c6cd2ed"
      },
      {
        "id": "0x4c6cd2ee"
      },
      {
        "id": "0x4c6cd2ef"
      },
      {
        "id": "0x4c6cd2f0"
      }
    ]

Expected behavior and actual result.

As we have used first: 2 in auth directive we expect only 2 results:

   "queryTodo": [
      {
        "id": "0x4c6cd2ed"
      },
      {
        "id": "0x4c6cd2ee"
      }
    ]

You can check out this bug here:
https://green-pine.us-east-1.aws.cloud.dgraph.io/graphql


I think this does not work for a somewhat simple reason. If you put a limit in the auth rule you might be actually blocking data you want to get.

Consider your example above. The auth rule also controls getTodo. So if you always limit it to two, you will only ever be able to read 0x4c6cd2ed and 0x4c6cd2ee. So if you tried to do getTodo(id: "0x4c6cd2ef") { id } you would be blocked.

So the solution is not this in an auth rule, but a new feature to put a max limit somewhere for a generated query*

Thanks Anthony. You are right, but even this method is not working, and even by using that auth directive I get all results.
We need this feature. Right now, what we did to prevent malicious queries is use a timeout limit on the alpha servers and also set a request-size and response-size limit to prevent crawling of our data.


Interesting. That makes sense. I guess @auth is just really a filter. Agreed, there needs to be a way to stop this. We can create a feature request for this, but I don’t know that Dgraph cares about backend security at this point.


I’d really like this feature as I’d like to replicate functionality that exists in https://ghost.org/ blogs, where users have access to differing amounts of content depending on their logged-in status and membership status.

What I’d like to do is:

  • If a user is not logged in, i.e. no JWT provided, then they can only query for the first 10 items
  • If a user is logged in, then they can query for the first 100 items
  • If a user is logged in and a member, then they can query for all items

EDIT: Created a feature request on Github: Feat: Limit results using @auth directive · Issue #8124 · dgraph-io/dgraph · GitHub

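Since, as the thread establishes, @auth acts as a filter and cannot cap result counts, the enforcement has to happen outside Dgraph. The following is an added example (not code from the thread or from Dgraph) of the tiered policy described in the last post, written as a small request rewriter a practitioner could place in a proxy or API gateway in front of /graphql. It assumes the caller has already verified the JWT and passes its claims as a dict; the tier names, the `member` claim, and the limits (10 for anonymous, 100 for logged-in, unlimited for members) are assumptions taken from the post. It only rewrites Dgraph's generated list fields (`queryXxx`), so `getTodo(id: ...)` is untouched, which is exactly the case Anthony points out an auth-rule limit would break. It uses a regular expression rather than a full GraphQL parser, so a `first:` token inside a string literal in the arguments would also be matched; a production gateway should parse the document properly.

```python
import re
from typing import Optional

# Assumed per-tier caps on the `first` argument; None means no cap.
TIER_LIMITS = {"anonymous": 10, "member": 100, "subscriber": None}

# Dgraph's generated list queries are named query<Type>; capture the field name
# and, if present, its argument list. The optional group includes the leading
# whitespace so nothing is consumed when there are no arguments.
LIST_FIELD = re.compile(r"\b(query[A-Z]\w*)(\s*\(([^)]*)\))?")
FIRST_ARG = re.compile(r"\bfirst\s*:\s*(-?\d+)")


def tier_from_claims(claims: Optional[dict]) -> str:
    """Map verified JWT claims to a tier. No claims means no JWT was sent.
    The `member` claim is an assumption for this example."""
    if not claims:
        return "anonymous"
    return "subscriber" if claims.get("member") else "member"


def enforce_first_limit(query: str, claims: Optional[dict]) -> str:
    """Return the query with every query<Type> field's `first` argument
    capped at the caller's tier limit, injecting `first` where it is absent."""
    limit = TIER_LIMITS[tier_from_claims(claims)]
    if limit is None:
        return query

    def rewrite(m: "re.Match[str]") -> str:
        name, args = m.group(1), m.group(3)
        if args is None:
            # No argument list at all: inject the cap.
            return f"{name}(first: {limit})"
        found = FIRST_ARG.search(args)
        if found is None:
            # Other arguments present (filter, offset, order) but no `first`.
            stripped = args.strip()
            new_args = f"first: {limit}, {stripped}" if stripped else f"first: {limit}"
        else:
            requested = int(found.group(1))
            # Negative or oversized requests collapse to the tier cap.
            capped = limit if requested < 0 else min(requested, limit)
            new_args = FIRST_ARG.sub(f"first: {capped}", args)
        return f"{name}({new_args})"

    return LIST_FIELD.sub(rewrite, query)


if __name__ == "__main__":
    # Constructed sample requests matching the thread's schema.
    print(enforce_first_limit("query { queryTodo { id } }", None))
    print(enforce_first_limit("query { queryTodo(first: 500) { id } }", {"sub": "u1"}))
    print(enforce_first_limit("query { queryTodo(first: 500) { id } }", {"sub": "u1", "member": True}))
```

The rewrite-rather-than-reject choice keeps the client contract simple: an anonymous client that asks for 500 items silently gets 10, which is the same behaviour the original poster expected from `first: 2` in the auth rule. Dgraph's own timeout and request/response size limits mentioned earlier in the thread remain useful as a second layer behind this.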