Injection attacks

tron · May 22, 2021, 6:47am

I’m working on a Node.js project with an Apollo GraphQL server and Dgraph with DQL. I’d really like to allow users to specify precisely which edges to query in Dgraph.

For example, suppose I have a simple User type in DQL:

type User  {
  firstName
  lastName
  emailAddress
  phoneNumber
}

firstName: string .
lastName: string .
emailAddress: string .
phoneNumber: string .

And suppose my server has received a request with a list of desired edges, which I have confirmed are valid User edges:

const edges = ['firstName', 'emailAddress']

Will my database be vulnerable to an injection attack if I do the following?

const query = `
  users(func: type(User)) {
    ${edges.join('\n')}
  }
`

const response = await txn.query(query)
return response.getJson().users

MichelDiz · May 22, 2021, 1:12pm

If you clean up the query during the check if they are valid or not, you won’t have any problem. But if you expose that variable for the user, he could only “inject” not allowed edges. But He can’t do any harm.

Topic		Replies	Views
Dgraph DQL Injection Prevention GraphQL kind:question	1	555	March 26, 2021
Confused about GraphQL vs DQL client usage Dgraph kind:question	3	495	March 28, 2023
Confirm or deny basic understanding of Dgraph (especially GraphQL / DQL) Dgraph kind:question	3	446	September 11, 2021
How can we secure the GraphQL API from malicious queries in Dgraph? GraphQL graphql , kind:question , dgraph	7	1281	July 31, 2021
Query Vars Types Dgraph Clients dgraph , kind:enhancement , status:accepted , ticket:created	2	548	December 1, 2020

Injection attacks

Related Topics