Injection attacks

I’m working on a Node.js project with an Apollo GraphQL server and Dgraph with DQL. I’d really like to allow users to specify precisely which edges to query in Dgraph.

For example, suppose I have a simple User type in DQL:

type User  {
  firstName
  lastName
  emailAddress
  phoneNumber
}

firstName: string .
lastName: string .
emailAddress: string .
phoneNumber: string .

And suppose my server has received a request with a list of desired edges, which I have confirmed are valid User edges:

const edges = ['firstName', 'emailAddress']

Will my database be vulnerable to an injection attack if I do the following?

// `edges` has already been checked against the User type above.
// DQL requires the outer `{ ... }` around the query block.
const query = `
  {
    users(func: type(User)) {
      ${edges.join('\n')}
    }
  }
`

// txn: a dgraph-js transaction created elsewhere with client.newTxn()
const response = await txn.query(query)
return response.getJson().users

If you clean up the query during the check of whether they are valid or not, you won’t have any problem. But if you expose that variable to the user, he could only “inject” not-allowed edges. But he can’t do any harm.
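The point both posts turn on is that the interpolated values must be restricted to known predicate names before they reach the query string; DQL query variables carry scalar values, not predicate names, so an allowlist is the only way to let callers choose the selection set. Below is an added example (written for this page, not code from the original poster or from Dgraph) of what that allowlist check looks like, alongside what the same `join` produces when it is skipped. The `USER_EDGES` set, the identifier regex and the `passwordHash` predicate in the hostile input are assumptions constructed for the example; it only builds query text and never contacts a database.

```javascript
// Added example, not from the original post: allowlist validation of
// user-supplied DQL edge names before they are interpolated into a query.
// Runs offline; it builds query text only and does not talk to Dgraph.

// Hypothetical allowlist matching the User type in the question. In a real
// service this should come from the schema, never from request input.
const USER_EDGES = new Set(['firstName', 'lastName', 'emailAddress', 'phoneNumber'])

// Shape this example enforces for a predicate name: identifier characters only.
// Braces, parentheses, '@', '~' and whitespace can never be a plain User edge,
// so anything that could change query structure fails here.
const EDGE_NAME = /^[A-Za-z_][A-Za-z0-9_.]*$/

// Returns the deduplicated, validated edge list, or throws.
// Each entry must be both syntactically an identifier and in the allowlist.
function validateEdges(requested) {
  if (!Array.isArray(requested) || requested.length === 0) {
    throw new Error('edges must be a non-empty array')
  }
  const seen = new Set()
  for (const edge of requested) {
    if (typeof edge !== 'string' || !EDGE_NAME.test(edge) || !USER_EDGES.has(edge)) {
      throw new Error(`edge not allowed: ${JSON.stringify(edge)}`)
    }
    seen.add(edge)
  }
  return [...seen]
}

// Builds the query text by joining edges, exactly like the question does.
// On its own this trusts its input; only call it with validated edges.
function buildUserQuery(edges) {
  return [
    '{',
    '  users(func: type(User)) {',
    ...edges.map((e) => `    ${e}`),
    '  }',
    '}',
  ].join('\n')
}

// Validate first, then build: the safe entry point a resolver should use.
function safeUserQuery(requested) {
  return buildUserQuery(validateEdges(requested))
}

// Constructed hostile input: one real edge plus a string that closes the
// users block and opens a second block against another predicate. Without
// validation the braces still balance, so the text is a syntactically valid
// two-block query.
const HOSTILE_EDGES = [
  'firstName',
  '} } { leak(func: has(passwordHash)) { passwordHash',
]

// Constructed input that is not structural but still over-selects:
// expand(_all_) would return every predicate on each node.
const EXPAND_EDGES = ['expand(_all_)']

// Returns true when the unvalidated join yields text containing a second block.
function unvalidatedJoinLeaksBlock(requested) {
  return buildUserQuery(requested).includes('leak(func: has(passwordHash))')
}
```

The regex alone is not sufficient (a bare `uid` or a reverse edge `~friend` are identifier-like and still not User fields the caller should choose), and the allowlist alone is not sufficient if it is ever populated from request data; the check keeps both, and it throws rather than silently dropping bad entries so the rejection is visible in logs.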
