If you had worked with GraphQL, which I assume you didn’t, given your comment, you’d know that the design stage of a schema is one of the most important ones. In this case, getting friends of friends, one can easily enforce pagination on the results and force a maximum of x friends. Furthermore, it’s not like REST or any other tech is immune to this way of DoSing the server; however, with REST this is just pushed to the client to perform 1+n+n*n queries. So either way, you’ll have to fix that problem.
Now, what does GraphQL _actually_ solve? For one, it gives proper documentation and the ability to know what the client(s) are consuming. In turn, this allows client devs to develop their side much faster and independently from the backend. Where we used to have a lot of back and forth about the design of the API, we can now model our interface according to the business model and not have to accommodate the limitations of a flattened structure. There are more advantages to GraphQL, but it goes too far to elaborate in this comment.
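
The pagination cap described in the comment above, sketched as an added example that is not part of the original comment and not taken from any GraphQL library: list arguments are clamped to a server-side maximum and the worst-case fan-out (the 1+n+n*n from the comment) is checked against a budget before any resolver runs. `MAX_PAGE`, `COST_BUDGET`, the `friends` field and the plain-object query shape are assumptions made for illustration.

```javascript
// Hypothetical limits: the "maximum of x friends" and a per-request node ceiling.
const MAX_PAGE = 25;
const COST_BUDGET = 1000;

// List fields in this constructed schema; every other field is a scalar.
const LIST_FIELDS = new Set(['friends']);

// Clamp the client's `first`; a missing or invalid value gets the cap, never "unbounded".
function pageSize(args = {}) {
  const n = Number.isInteger(args.first) && args.first > 0 ? args.first : MAX_PAGE;
  return Math.min(n, MAX_PAGE);
}

// Worst-case number of objects resolved beneath one parent object.
function estimateNodes(selections) {
  let total = 0;
  for (const sel of selections) {
    if (!LIST_FIELDS.has(sel.field)) continue; // scalars add no fan-out
    const n = pageSize(sel.args);
    total += n * (1 + estimateNodes(sel.selections || []));
  }
  return total;
}

// Decide before execution whether the query fits the budget.
function checkQuery(root) {
  const cost = 1 + estimateNodes(root.selections || []);
  return { cost, allowed: cost <= COST_BUDGET };
}

// Constructed query: me { friends(first: 1000) { name friends(first: 1000) { name } } }
const friendsOfFriends = {
  field: 'me',
  selections: [{
    field: 'friends', args: { first: 1000 },
    selections: [
      { field: 'name' },
      { field: 'friends', args: { first: 1000 }, selections: [{ field: 'name' }] },
    ],
  }],
};

console.log(checkQuery(friendsOfFriends)); // cost is 1 + 25 + 25*25 after clamping
```
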