Closes #17288: Limit the number of aliases within a GraphQL API requests to 10 (#17329)

* Closes #17288: Limit the number of aliases within a GraphQL API request to 10 * Introduce GRAPHQL_MAX_ALIASES config parameter
2025-12-19 03:42:25 -06:00 · 2024-09-02 09:30:41 -04:00
parent 5ce4a2aeb8
commit b413db87b3
6 changed files with 23 additions and 11 deletions
--- a/netbox/netbox/graphql/schema.py
+++ b/netbox/netbox/graphql/schema.py
@@ -1,5 +1,7 @@
 import strawberry
+from django.conf import settings
 from strawberry_django.optimizer import DjangoOptimizerExtension
+from strawberry.extensions import MaxAliasesLimiter
 from strawberry.schema.config import StrawberryConfig

 from circuits.graphql.schema import CircuitsQuery
@@ -37,5 +39,6 @@ schema = strawberry.Schema(
    config=StrawberryConfig(auto_camel_case=False),
    extensions=[
        DjangoOptimizerExtension,
+        MaxAliasesLimiter(max_alias_count=settings.GRAPHQL_MAX_ALIASES),
    ]
 )
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -119,6 +119,7 @@ EVENTS_PIPELINE = getattr(configuration, 'EVENTS_PIPELINE', (
 EXEMPT_VIEW_PERMISSIONS = getattr(configuration, 'EXEMPT_VIEW_PERMISSIONS', [])
 FIELD_CHOICES = getattr(configuration, 'FIELD_CHOICES', {})
 FILE_UPLOAD_MAX_MEMORY_SIZE = getattr(configuration, 'FILE_UPLOAD_MAX_MEMORY_SIZE', 2621440)
+GRAPHQL_MAX_ALIASES = getattr(configuration, 'GRAPHQL_MAX_ALIASES', 10)
 HTTP_PROXIES = getattr(configuration, 'HTTP_PROXIES', None)
 INTERNAL_IPS = getattr(configuration, 'INTERNAL_IPS', ('127.0.0.1', '::1'))
 ISOLATED_DEPLOYMENT = getattr(configuration, 'ISOLATED_DEPLOYMENT', False)