[ 
https://issues.apache.org/jira/browse/SLING-12198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17799102#comment-17799102
 ] 

Lenard Palko commented on SLING-12198:
--------------------------------------

Added the following options to the OSGi config, as only these are available in 
graphql-java 20.1, which is used in sling-graphql-core:
maxQueryTokens
maxWhitespaceTokens
 
There is one more option that would be useful to be added that could be 
impacted by the change in the above two options, but this option is only 
available in graphql-java 20.3, so first this would need to be updated:
maxQueryCharacters
([https://github.com/graphql-java/graphql-java/blob/v20.3/src/main/java/graphql/parser/ParserOptions.java#L24])

> Extending sling.graphql.engine to allow passing custom graphql ParserOptions 
> while executing GraphQL queries
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: SLING-12198
>                 URL: https://issues.apache.org/jira/browse/SLING-12198
>             Project: Sling
>          Issue Type: Improvement
>          Components: GraphQL
>    Affects Versions: GraphQL Core 0.0.24
>            Reporter: Andrzej Kubas
>            Priority: Major
>
> The graphql-java creates default ParserOptions (if not passed with 
> ExecutionInput#graphQLContext) while executing a GraphQL query. 
> [https://github.com/graphql-java/graphql-java/blob/v20.3/src/main/java/graphql/ParseAndValidate.java#L67]
> [https://github.com/graphql-java/graphql-java/blob/v20.3/src/main/java/graphql/parser/ParserOptions.java#L35]
> That could lead to a 'Denial Of Service' InvalidSyntax error while executing 
> complex GraphQL queries.
>  
> However, there should be a way to set graphql-java execution up with custom 
> values of ParserOptions.
> [https://github.com/apache/sling-org-apache-sling-graphql-core/blob/org.apache.sling.graphql.core-0.0.24/src/main/java/org/apache/sling/graphql/core/engine/DefaultQueryExecutor.java#L208]
> [https://github.com/apache/sling-org-apache-sling-graphql-core/blob/org.apache.sling.graphql.core-0.0.24/src/main/java/org/apache/sling/graphql/core/engine/DefaultQueryExecutor.java#L202]
> https://github.com/apache/sling-org-apache-sling-graphql-core/blob/org.apache.sling.graphql.core-0.0.24/src/main/java/org/apache/sling/graphql/core/engine/DefaultQueryExecutor.java#L155
>  
> That should help to orchestrate custom graphql-java executions for complex 
> GraphQL queries.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
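
The mechanism the issue refers to, as an added example (not code from sling-graphql-core or from this thread): graphql-java looks up a ParserOptions instance in the ExecutionInput's GraphQLContext under the key ParserOptions.class and falls back to its defaults when none is present. The class name, schema and limit values below are constructed for illustration; the builder method for the token limit is maxTokens.

```java
import graphql.ExecutionInput;
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.parser.ParserOptions;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;

public class ParserLimitsExample {

    // Constructed sample limits; in a Sling deployment these would be read
    // from configuration. Keep them as low as legitimate queries allow,
    // because they bound the parser work an untrusted query can trigger.
    static final int MAX_QUERY_TOKENS = 20;
    static final int MAX_WHITESPACE_TOKENS = 200;

    static ExecutionResult run(GraphQL graphQL, String query) {
        ParserOptions limits = ParserOptions.newParserOptions()
                .maxTokens(MAX_QUERY_TOKENS)
                .maxWhitespaceTokens(MAX_WHITESPACE_TOKENS)
                .build();
        ExecutionInput input = ExecutionInput.newExecutionInput()
                .query(query)
                // The parser picks the options up from the context under
                // the ParserOptions.class key.
                .graphQLContext(ctx -> ctx.of(ParserOptions.class, limits))
                .build();
        return graphQL.execute(input);
    }

    public static void main(String[] args) {
        GraphQLSchema schema = new SchemaGenerator().makeExecutableSchema(
                new SchemaParser().parse("type Query { hello: String }"),
                RuntimeWiring.newRuntimeWiring().build());
        GraphQL graphQL = GraphQL.newGraphQL(schema).build();

        // A small query stays under the token limit and parses normally.
        System.out.println(run(graphQL, "{ hello }").getErrors());

        // Fifty aliased fields exceed MAX_QUERY_TOKENS, so parsing is
        // cancelled and the result carries an InvalidSyntax error.
        StringBuilder big = new StringBuilder("{");
        for (int i = 0; i < 50; i++) big.append(" a").append(i).append(": hello");
        big.append(" }");
        System.out.println(run(graphQL, big.toString()).getErrors());
    }
}
```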
