Protects graphene, graphql or strawberry against malicious queries
Project description
What does this project solve?
It provides protection against malicious grapqhl requests (resource exhaustion). Despite its name it can be used with graphql (pure), graphene, strawberry. It is implemented via a custom ValidationRule, supports error reporting and early bail out strategies as well as limits for single fields
Installation
pip install graphene-protector
Integration
Django
This adds to django the following setting:
- GRAPHENE_PROTECTOR_DEPTH_LIMIT: max depth
- GRAPHENE_PROTECTOR_SELECTIONS_LIMIT: max selections
- GRAPHENE_PROTECTOR_COMPLEXITY_LIMIT: max (depth * selections)
Integrate with:
graphene:
# schema.py
# replace normal Schema import with:
from graphene_protector.django.graphene import Schema
schema = Schema(query=Query, mutation=Mutation)
and add in django settings to GRAPHENE
GRAPHENE = {
...
"SCHEMA": "path.to.schema",
}
or strawberry:
# schema.py
# replace normal Schema import with:
from graphene_protector.django.strawberry import Schema
schema = Schema(query=Query, mutation=Mutation)
manual way (note: import from django for including defaults from settings)
from graphene_protector.django.graphene import Schema
# or
# from graphene_protector.django.strawberry import Schema
schema = Schema(query=Query)
result = schema.execute(query_string)
manual way with custom default Limits
from graphene_protector import Limits
from graphene_protector.django.graphene import Schema
# or
# from graphene_protector.django.strawberry import Schema
schema = graphene.Schema(query=Query, limits=Limits(complexity=None))
result = schema.execute(
query_string
)
Graphene & Strawberry
limits keyword with Limits object is supported.
from graphene_protector import Limits
from graphene_protector.graphene import Schema
# or
# from graphene_protector.strawberry import Schema
schema = Schema(query=Query, limits=Limits(depth=20, selections=None, complexity=100))
result = schema.execute(query_string)
pure graphql
from graphene_protector import LimitsValidationRule
from graphql.type.schema import Schema
schema = Schema(
query=Query,
)
query_ast = parse("{ hello }")
self.assertFalse(validate(schema, query_ast, [LimitsValidationRule]))
or with custom defaults
from graphene_protector import Limits, LimitsValidationRule
from graphql.type.schema import Schema
class CustomLimitsValidationRule(LimitsValidationRule):
default_limits = Limits(depth=20, selections=None, complexity=100)
schema = Schema(
query=Query,
)
query_ast = parse("{ hello }")
self.assertFalse(validate(schema, query_ast, [LimitsValidationRule]))
strawberry extension variant
from graphene_protector import Limits
from graphene_protector.strawberry import CustomGrapheneProtector
from strawberry import Schema
schema = Schema(query=Query, extensions=[CustomGrapheneProtector(Limits(depth=20, selections=None, complexity=100))])
result = schema.execute(query_string)
or with custom defaults via Mixin
from graphene_protector import Limits, SchemaMixin, LimitsValidationRule
from graphql.type.schema import Schema
class CustomSchema(SchemaMixin, Schema):
default_limits = Limits(depth=20, selections=None, complexity=100)
schema = CustomSchema(
query=Query,
)
query_ast = parse("{ hello }")
self.assertFalse(validate(schema, query_ast, [LimitsValidationRule]))
strawberry extension variant with mixin
from graphene_protector import Limits, SchemaMixin
from graphene_protector.strawberry import CustomGrapheneProtector
from strawberry import Schema
class CustomSchema(SchemaMixin, Schema):
default_limits = Limits(depth=20, selections=None, complexity=100)
schema = Schema(query=Query, extensions=[CustomGrapheneProtector()])
result = schema.execute(query_string)
Limits
A Limits object has following attributes:
- depth: max depth (default: 20, None disables feature)
- selections: max selections (default: None, None disables feature)
- complexity: max (depth subtree * selections subtree) (default: 100, None disables feature)
they overwrite django settings if specified.
decorating single fields
Sometimes single fields should have different limits:
person1 = Limits(depth=10)(graphene.Field(Person))
Limits are inherited for unspecified parameters
one-time disable limit checks
to disable checks for one operation use check_limits=False (works for: execute, execute_async (if available), subscribe (if available)):
from graphene_protector import Limits
from graphene_protector.graphene import Schema
schema = Schema(query=Query, limits=Limits(depth=20, selections=None, complexity=100))
result = schema.execute(query_string, check_limits=False)
Development
I am open for new ideas. If you want some new or better algorithms integrated just make a PR
related projects:
- secure-graphene: lacks django integration, some features and has a not so easy findable name. But I accept: it is the "not invented here"-syndrome
TODO
- test mutations
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for graphene_protector-0.9.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | e6450af93fff1f89a6605bf0a979b5830d40c78fff33e8ce9a980aad6bec4c91 |
|
| MD5 | c8c3ff38b63543ec636b9ba07c4b9633 |
|
| BLAKE2b-256 | dcf5d4ce1a989f38fd33fdffdd6ed7abe94fb641c3744e2a9d3c43a8cf31c1c8 |
