Andrzej Kubas created SLING-12198:
-------------------------------------

             Summary: Extending sling.graphql.engine to allow passing custom 
graphql ParserOptions
                 Key: SLING-12198
                 URL: https://issues.apache.org/jira/browse/SLING-12198
             Project: Sling
          Issue Type: Improvement
          Components: GraphQL
    Affects Versions: GraphQL Core 0.0.24
            Reporter: Andrzej Kubas


graphql-java creates default ParserOptions (if not passed with 
ExecutionInput#graphQLContext) while executing a GraphQL query. 

[https://github.com/graphql-java/graphql-java/blob/v20.3/src/main/java/graphql/ParseAndValidate.java#L67]

[https://github.com/graphql-java/graphql-java/blob/v20.3/src/main/java/graphql/parser/ParserOptions.java#L35]

That could lead to a 'Denial Of Service' InvalidSyntax error while executing 
complex GraphQL queries.


However, there should be a way to set graphql-java execution up with custom 
values of ParserOptions.

[https://github.com/apache/sling-org-apache-sling-graphql-core/blob/org.apache.sling.graphql.core-0.0.24/src/main/java/org/apache/sling/graphql/core/engine/DefaultQueryExecutor.java#L208]

[https://github.com/apache/sling-org-apache-sling-graphql-core/blob/org.apache.sling.graphql.core-0.0.24/src/main/java/org/apache/sling/graphql/core/engine/DefaultQueryExecutor.java#L202]

https://github.com/apache/sling-org-apache-sling-graphql-core/blob/org.apache.sling.graphql.core-0.0.24/src/main/java/org/apache/sling/graphql/core/engine/DefaultQueryExecutor.java#L155


That should help to orchestrate custom graphql-java executions for complex 
GraphQL queries.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
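
Added illustration, not part of the Jira message and not Sling's or graphql-java's own code: it shows the behaviour the issue describes, where a large query is rejected at parse time under the default ParserOptions and accepted once custom ParserOptions are placed in the ExecutionInput's GraphQLContext. It assumes graphql-java 20.x on the classpath; the class name, helper names, the constructed query and the 50,000-token limit are hypothetical choices made for the example.

```java
import graphql.ExecutionInput;
import graphql.ParseAndValidate;
import graphql.ParseAndValidateResult;
import graphql.parser.ParserOptions;

import java.util.HashMap;
import java.util.Map;

public class ParserOptionsDemo {

    // Constructed input: `fields` aliased selections, about 3 grammar tokens each.
    static String wideQuery(int fields) {
        StringBuilder sb = new StringBuilder("query {");
        for (int i = 0; i < fields; i++) {
            sb.append(" f").append(i).append(": hello");
        }
        return sb.append(" }").toString();
    }

    // Parses only (no schema needed). Passing null leaves the context empty,
    // so graphql-java falls back to its default operation ParserOptions.
    static ParseAndValidateResult parse(String query, ParserOptions options) {
        ExecutionInput.Builder input = ExecutionInput.newExecutionInput().query(query);
        if (options != null) {
            Map<Object, Object> ctx = new HashMap<>();
            ctx.put(ParserOptions.class, options); // key read by ParseAndValidate
            input.graphQLContext(ctx);
        }
        return ParseAndValidate.parse(input.build());
    }

    public static void main(String[] args) {
        // About 18,000 tokens: above the 15,000-token default of graphql-java 20.x.
        String query = wideQuery(6000);

        ParseAndValidateResult byDefault = parse(query, null);
        System.out.println("default options -> failure=" + byDefault.isFailure());
        if (byDefault.isFailure()) {
            System.out.println("  " + byDefault.getSyntaxException().getMessage());
        }

        // Raise the bound deliberately instead of removing it: the limit is
        // what protects the parser from oversized queries.
        ParserOptions custom = ParserOptions.newParserOptions()
                .maxTokens(50_000)
                .build();
        ParseAndValidateResult withCustom = parse(query, custom);
        System.out.println("custom options  -> failure=" + withCustom.isFailure());
    }
}
```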
