RetailCRM-Mirror/graphql-php
1
0
Fork 0
mirror of https://github.com/retailcrm/graphql-php.git synced 2024-11-22 12:56:05 +03:00
Code Issues Projects Releases Wiki Activity
009cdecb94
graphql-php/docs/security.md
Vladimir Razuvaev 99356f7faf Docs on security
2017-08-18 20:56:47 +07:00

3.0 KiB
Raw Blame History

Query Complexity Analysis

This is a PHP port of Query Complexity Analysis in Sangria implementation.

Complexity analysis is a separate validation rule which calculates query complexity score before execution. Every field in the query gets a default score 1 (including ObjectType nodes). Total complexity of the query is the sum of all field scores. For example, the complexity of introspection query is 109.

If this score exceeds a threshold, a query is not executed and an error is returned instead.

Complexity analysis is disabled by default. To enabled it, add validation rule:

<?php
use GraphQL\GraphQL;
use GraphQL\Validator\Rules\QueryComplexity;
use GraphQL\Validator\DocumentValidator;

$rule = new QueryComplexity($maxQueryComplexity = 100);
DocumentValidator::addRule($rule);

GraphQL::executeQuery(/*...*/);

This will set the rule globally. Alternatively you can provide validation rules per execution.

To customize field score add complexity function to field definition:

<?php
use GraphQL\Type\Definition\Type;
use GraphQL\Type\Definition\ObjectType;

$type = new ObjectType([
    'name' => 'MyType',
    'fields' => [
        'someList' => [
            'type' => Type::listOf(Type::string()),
            'args' => [
                'limit' => [
                    'type' => Type::int(),
                    'defaultValue' => 10
                ]
            ],
            'complexity' => function($childrenComplexity, $args) {
                return $childrenComplexity * $args['limit'];
            }
        ]
    ]
]);

Limiting Query Depth

This is a PHP port of Limiting Query Depth in Sangria implementation. For example max depth of the introspection query is 7.

It is disabled by default. To enable it, add following validation rule:

<?php
use GraphQL\GraphQL;
use GraphQL\Validator\Rules\QueryDepth;
use GraphQL\Validator\DocumentValidator;

$rule = new QueryDepth($maxDepth = 10);
DocumentValidator::addRule($rule);

GraphQL::executeQuery(/*...*/);

This will set the rule globally. Alternatively you can provide validation rules per execution.

Disabling Introspection

This is a PHP port of graphql-disable-introspection. It is a separate validation rule which prohibits queries that contain __type or __schema fields.

Introspection is enabled by default. To disable it, add following validation rule:

<?php
use GraphQL\GraphQL;
use GraphQL\Validator\Rules\DisableIntrospection;
use GraphQL\Validator\DocumentValidator;

DocumentValidator::addRule(new DisableIntrospection());

GraphQL::executeQuery(/*...*/);

This will set the rule globally. Alternatively you can provide validation rules per execution.