10 changes: 10 additions & 0 deletions .changeset/five-suits-drum.md
@@ -0,0 +1,10 @@
---
"@apollo/query-planner": patch
"@apollo/query-graphs": patch
"@apollo/federation-internals": patch
"@apollo/gateway": patch
---

Corrects a set of denial-of-service (DOS) vulnerabilities that made it possible for an attacker to render gateway inoperable with certain simple query patterns due to uncontrolled resource consumption. All prior-released versions and configurations are vulnerable.

See the associated GitHub Advisories [GHSA-q2f9-x4p4-7xmh](https://github.com/apollographql/federation/security/advisories/GHSA-q2f9-x4p4-7xmh) and [GHSA-p2q6-pwh5-m6jr](https://github.com/apollographql/federation/security/advisories/GHSA-p2q6-pwh5-m6jr) for more information.
1 change: 1 addition & 0 deletions .cspell/cspell-dict.txt
Expand Up @@ -178,6 +178,7 @@ quer
Queryf
reacheable
reasonse
rebaseable
recusive
redeclaration
refered
33 changes: 32 additions & 1 deletion gateway-js/src/index.ts
Expand Up @@ -155,6 +155,16 @@ export class ApolloGateway implements GatewayInterface {
private experimental_didResolveQueryPlan?: Experimental_DidResolveQueryPlanCallback;
// Used to communicate supergraph updates
private experimental_didUpdateSupergraph?: Experimental_DidUpdateSupergraphCallback;
// Used to disable the recursive selections limit in query planner. Setting
// this to `true` is not advised if gateway is being used to serve queries
// outside your control, as doing so will leave query planner susceptible to
// denial-of-service attacks.
private recursiveSelectionsLimitDisabled: boolean;
// Used to disable the non-local selections limit in query planner. Setting
// this to `true` is not advised if gateway is being used to serve queries
// outside your control, as doing so will leave query planner susceptible to
// denial-of-service attacks.
private nonLocalSelectionsLimitDisabled: boolean;
// how often service defs should be loaded/updated
private pollIntervalInMs?: number;
// Functions to call during gateway cleanup (when stop() is called)
Expand All @@ -180,6 +190,22 @@ export class ApolloGateway implements GatewayInterface {
this.experimental_didUpdateSupergraph =
config?.experimental_didUpdateSupergraph;

// Check environment variables to see whether the query planner's recursive
// selections limit should be disabled. Setting this variable to `true` is
// not advised if gateway is being used to serve queries outside your
// control, as doing so will leave query planner susceptible to
// denial-of-service attacks.
this.recursiveSelectionsLimitDisabled =
process.env.APOLLO_DISABLE_SECURITY_RECURSIVE_SELECTIONS_CHECK === 'true';

// Check environment variables to see whether the query planner's non-local
// selections limit should be disabled. Setting this variable to `true` is
// not advised if gateway is being used to serve queries outside your
// control, as doing so will leave query planner susceptible to
// denial-of-service attacks.
this.nonLocalSelectionsLimitDisabled =
process.env.APOLLO_DISABLE_SECURITY_NON_LOCAL_SELECTIONS_CHECK === 'true';

if (isManagedConfig(this.config)) {
this.pollIntervalInMs =
this.config.fallbackPollIntervalInMs ?? this.config.pollIntervalInMs;
Expand Down Expand Up @@ -806,7 +832,12 @@ export class ApolloGateway implements GatewayInterface {
{ operationName: request.operationName },
);
// TODO(#631): Can we be sure the query planner has been initialized here?
return this.queryPlanner!.buildQueryPlan(operation);
return this.queryPlanner!.buildQueryPlan(operation, {
recursiveSelectionsLimitDisabled:
this.recursiveSelectionsLimitDisabled,
nonLocalSelectionsLimitDisabled:
this.nonLocalSelectionsLimitDisabled,
});
} catch (err) {
recordExceptions(span, [err], this.config.telemetry);
span.setStatus({ code: SpanStatusCode.ERROR });
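Review bot: Disabling either planner limit in the constructor (the two `process.env` reads in the second hunk) leaves no runtime trace, so an operator whose environment carries `APOLLO_DISABLE_SECURITY_RECURSIVE_SELECTIONS_CHECK=true` or the non-local variant gets no signal that the denial-of-service protection is off. If the gateway instance has a logger in scope (not visible in this hunk), emitting a warning when a flag resolves to true would make the degraded state visible in logs, e.g. `if (this.recursiveSelectionsLimitDisabled) this.logger.warn('Recursive selections limit disabled via APOLLO_DISABLE_SECURITY_RECURSIVE_SELECTIONS_CHECK; the query planner is exposed to denial-of-service from untrusted queries.');` with a matching line for the non-local flag. The strict `=== 'true'` comparison is the right fail-closed choice and deserves a one-line comment saying so, since any other value (`1`, `TRUE`, empty) keeps the limit enabled. The same four-line warning is repeated on both field declarations and both constructor assignments; keeping it on the fields with a one-line pointer in the constructor would reduce drift. The ApolloGateway class and its constructor both extend beyond the hunks shown.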
2 changes: 1 addition & 1 deletion internals-js/src/operations.ts
Expand Up @@ -3650,7 +3650,7 @@ class InlineFragmentSelection extends FragmentSelection {
}
}

class FragmentSpreadSelection extends FragmentSelection {
export class FragmentSpreadSelection extends FragmentSelection {
private computedKey: string | undefined;

constructor(
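Review bot: `FragmentSpreadSelection` becomes part of the module's exported surface on the changed line but carries no TSDoc, so consumers outside internals-js now receive a public class with no stated contract. A short `/** ... */` above the class stating what the selection represents and why it is exported would close that gap; the reason is not stated in this hunk, so the wording should come from the author rather than be inferred. The class body continues outside the hunk.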
1 change: 1 addition & 0 deletions query-graphs-js/src/index.ts
Expand Up @@ -7,3 +7,4 @@ export * from './pathContext';
export * from './conditionsCaching';
export * from './conditionsValidation';
export * from './mermaid';
export * from './nonLocalSelectionsEstimation';