From 56f110c2a943f5531e11459e786958e75f69ab26 Mon Sep 17 00:00:00 2001 From: Jeremy Stretch Date: Mon, 2 Sep 2024 09:30:41 -0400 Subject: [PATCH] Closes #17288: Limit the number of aliases within a GraphQL API requests to 10 (#17329) * Closes #17288: Limit the number of aliases within a GraphQL API request to 10 * Introduce GRAPHQL_MAX_ALIASES config parameter --- docs/configuration/graphql-api.md | 17 +++++++++++++++++ docs/configuration/miscellaneous.md | 10 ---------- docs/integrations/graphql-api.md | 2 +- mkdocs.yml | 1 + netbox/netbox/graphql/schema.py | 3 +++ netbox/netbox/settings.py | 1 + 6 files changed, 23 insertions(+), 11 deletions(-) create mode 100644 docs/configuration/graphql-api.md diff --git a/docs/configuration/graphql-api.md b/docs/configuration/graphql-api.md new file mode 100644 index 000000000..a792da544 --- /dev/null +++ b/docs/configuration/graphql-api.md @@ -0,0 +1,17 @@ +# GraphQL API Parameters + +## GRAPHQL_ENABLED + +!!! tip "Dynamic Configuration Parameter" + +Default: True + +Setting this to False will disable the GraphQL API. + +--- + +## GRAPHQL_MAX_ALIASES + +Default: 10 + +The maximum number of queries that a GraphQL API request may contain. diff --git a/docs/configuration/miscellaneous.md b/docs/configuration/miscellaneous.md index 1f0a2781b..124de3037 100644 --- a/docs/configuration/miscellaneous.md +++ b/docs/configuration/miscellaneous.md @@ -122,16 +122,6 @@ The maximum amount (in bytes) of uploaded data that will be held in memory befor --- -## GRAPHQL_ENABLED - -!!! tip "Dynamic Configuration Parameter" - -Default: True - -Setting this to False will disable the GraphQL API. - ---- - ## JOB_RETENTION !!! tip "Dynamic Configuration Parameter" diff --git a/docs/integrations/graphql-api.md b/docs/integrations/graphql-api.md index 3ccb4d4a1..425c3adda 100644 --- a/docs/integrations/graphql-api.md +++ b/docs/integrations/graphql-api.md 
@@ -112,4 +112,4 @@ Authorization: Token $TOKEN ## Disabling the GraphQL API -If not needed, the GraphQL API can be disabled by setting the [`GRAPHQL_ENABLED`](../configuration/miscellaneous.md#graphql_enabled) configuration parameter to False and restarting NetBox. +If not needed, the GraphQL API can be disabled by setting the [`GRAPHQL_ENABLED`](../configuration/graphql-api.md#graphql_enabled) configuration parameter to False and restarting NetBox. diff --git a/mkdocs.yml b/mkdocs.yml index 072c564e8..656a2e03f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -109,6 +109,7 @@ nav: - Required Parameters: 'configuration/required-parameters.md' - System: 'configuration/system.md' - Security: 'configuration/security.md' + - GraphQL API: 'configuration/graphql-api.md' - Remote Authentication: 'configuration/remote-authentication.md' - Data & Validation: 'configuration/data-validation.md' - Default Values: 'configuration/default-values.md' diff --git a/netbox/netbox/graphql/schema.py b/netbox/netbox/graphql/schema.py index 2b4c83405..d3f8c5dd7 100644 --- a/netbox/netbox/graphql/schema.py +++ b/netbox/netbox/graphql/schema.py @@ -1,5 +1,7 @@ import strawberry +from django.conf import settings from strawberry_django.optimizer import DjangoOptimizerExtension +from strawberry.extensions import MaxAliasesLimiter from strawberry.schema.config import StrawberryConfig from circuits.graphql.schema import CircuitsQuery @@ -37,5 +39,6 @@ schema = strawberry.Schema( config=StrawberryConfig(auto_camel_case=False), extensions=[ DjangoOptimizerExtension, + MaxAliasesLimiter(max_alias_count=settings.GRAPHQL_MAX_ALIASES), ] ) diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py index 2c0130275..3601fde9f 100644 --- a/netbox/netbox/settings.py +++ b/netbox/netbox/settings.py 
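Review bot: The new `from strawberry.extensions import MaxAliasesLimiter` line is placed after the `strawberry_django.optimizer` import, which breaks the alphabetical order the surrounding block otherwise keeps (`strawberry`, `strawberry.extensions`, `strawberry.schema.config`, then `strawberry_django`). Moving it up one line, `from strawberry.extensions import MaxAliasesLimiter` directly before `from strawberry_django.optimizer import DjangoOptimizerExtension`, keeps the first-party strawberry imports together. The import block continues outside the hunk.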
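Review bot: `MaxAliasesLimiter(max_alias_count=settings.GRAPHQL_MAX_ALIASES)` bounds only alias-based batching; a single request can still be expensive through nesting depth or a large number of distinct selections, and nothing in this `extensions` list limits those. Strawberry ships `QueryDepthLimiter(max_depth=...)` for the depth dimension, so either adding it alongside the alias limiter or recording the gap next to the new line, `# Caps alias batching only; query depth/complexity are not bounded here`, would make the intended coverage of this control explicit to whoever tunes GRAPHQL_MAX_ALIASES later. As a minor style point, `DjangoOptimizerExtension` is passed as a class while the limiter is passed as an instance; both are accepted, but the mixed forms read inconsistently. The `schema = strawberry.Schema(` call starts outside the hunk.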
@@ -119,6 +119,7 @@ EVENTS_PIPELINE = getattr(configuration, 'EVENTS_PIPELINE', (
 EXEMPT_VIEW_PERMISSIONS = getattr(configuration, 'EXEMPT_VIEW_PERMISSIONS', [])
 FIELD_CHOICES = getattr(configuration, 'FIELD_CHOICES', {})
 FILE_UPLOAD_MAX_MEMORY_SIZE = getattr(configuration, 'FILE_UPLOAD_MAX_MEMORY_SIZE', 2621440)
+GRAPHQL_MAX_ALIASES = getattr(configuration, 'GRAPHQL_MAX_ALIASES', 10)
 HTTP_PROXIES = getattr(configuration, 'HTTP_PROXIES', None)
 INTERNAL_IPS = getattr(configuration, 'INTERNAL_IPS', ('127.0.0.1', '::1'))
 ISOLATED_DEPLOYMENT = getattr(configuration, 'ISOLATED_DEPLOYMENT', False)
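Review bot: `GRAPHQL_MAX_ALIASES` is read without any type or range check, and since netbox/graphql/schema.py consumes it when the schema object is built at import time, a non-integer value from configuration.py only surfaces as a startup failure far from the setting, while a non-positive value is passed straight through to the limiter. Unlike GRAPHQL_ENABLED, this is not a dynamic parameter, so a comment on the new line such as `# Consumed when the GraphQL schema is built at startup; changes require a restart` would save operators from expecting it to apply live. Whether the schema build is the only consumer is inferred from this patch alone. The run of `getattr(configuration, ...)` assignments continues outside the hunk.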