[BUG] Stack overflow when using http clients against Dgraph's graphQL endpoint

Version: v21.12.0

The problem is that the Go HTTP client has a bug that panics with stack overflow due to recursions.

This issue is described in "net/http: ReadRequest can stack overflow due to recursion with very large headers" (Issue #45710, golang/go), and the CVE is CVE-2021-31525 ("net/http in Go before 1.15.12 and 1.16.x before 1.16.4...", GitHub Advisory Database).

The problem here is that Dgraph is using Go 1.12!!! Therefore this BUG is included. See dgraph/go.mod at main (dgraph-io/dgraph on GitHub).

This is a blocker to anyone who wants to reach Dgraph programmatically using the net/http Go library.

cc @MichelDiz @Raphael

I have created droslean/dgraph-bug-stack-overflow on GitHub ("This is a replication of a stack overflow panic that occurs when trying to run a mutation against a Dgraph instance using Go http client.") to replicate the bug. Please check.

This stack overflow seems to be occurring in the ‘shurcooL’ package itself: graphql/query.go at 3cf50f8a0a295163db1d360b4de28fb3cb874913 (shurcooL/graphql on GitHub).

I’m not familiar with the ‘shurcooL’ package myself. Have you tried that mutation with Postman or Insomnia or other GraphQL clients?

Thanks @matthewmcneely. I tried to replicate and the issue is indeed in that library. I will check it with them.
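
A check of a Go toolchain version against the range in the CVE-2021-31525 advisory title quoted in the first post, as an added example (not code from this thread, from Dgraph or from shurcooL/graphql). The function names are hypothetical, the sample version strings are constructed, and only the two bounds quoted in that title are applied.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// parseGoVersion reads "go1.16.3" as [1 16 3]; "go1.17rc1" counts as patch 0.
func parseGoVersion(v string) (n [3]int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	notNum := func(r rune) bool { return r != '.' && (r < '0' || r > '9') }
	if end := strings.IndexFunc(v, notNum); end >= 0 {
		v = v[:end] // drop "rc1", "beta2", ...
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return n, false // e.g. a "devel ..." build: cannot be judged by number
	}
	for i, p := range parts {
		var err error
		if n[i], err = strconv.Atoi(p); err != nil {
			return n, false
		}
	}
	return n, true
}

// affectedByCVE202131525 applies only the range quoted in the advisory title:
// before 1.15.12, and 1.16.x before 1.16.4. known is false if v did not parse.
func affectedByCVE202131525(v string) (affected, known bool) {
	n, ok := parseGoVersion(v)
	if !ok {
		return false, false
	}
	fixed := map[int]int{15: 12, 16: 4} // minor release -> first fixed patch
	if patch, listed := fixed[n[1]]; n[0] == 1 && listed {
		return n[2] < patch, true
	}
	return n[0] < 1 || (n[0] == 1 && n[1] < 15), true
}

func main() {
	for _, v := range []string{runtime.Version(), "go1.15.11", "go1.16.4"} { // last two: constructed samples
		a, known := affectedByCVE202131525(v)
		fmt.Printf("%-12s affected=%v parsed=%v\n", v, a, known)
	}
}
```

The string to feed in is the toolchain a binary was actually built with, which `runtime.Version()` reports from inside the process and `go version <binary>` reports from outside. The `go` directive in go.mod is a language-version setting for the module, not a record of the compiler used for a release.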