Closes netbox-community#17288: Limit the number of aliases within a G…

…raphQL API requests to 10 (netbox-community#17329) * Closes netbox-community#17288: Limit the number of aliases within a GraphQL API request to 10 * Introduce GRAPHQL_MAX_ALIASES config parameter
mmhuang · Sep 2, 2024 · 56f110c · 56f110c
1 parent 31d5d8c
commit 56f110c
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 11 deletions.
diff --git a/docs/configuration/graphql-api.md b/docs/configuration/graphql-api.md
@@ -0,0 +1,17 @@
+# GraphQL API Parameters
+
+## GRAPHQL_ENABLED
+
+!!! tip "Dynamic Configuration Parameter"
+
+Default: True
+
+Setting this to False will disable the GraphQL API.
+
+---
+
+## GRAPHQL_MAX_ALIASES
+
+Default: 10
+
+The maximum number of queries that a GraphQL API request may contain.
diff --git a/docs/configuration/miscellaneous.md b/docs/configuration/miscellaneous.md
@@ -122,16 +122,6 @@ The maximum amount (in bytes) of uploaded data that will be held in memory befor
 
 ---
 
-## GRAPHQL_ENABLED
-
-!!! tip "Dynamic Configuration Parameter"
-
-Default: True
-
-Setting this to False will disable the GraphQL API.
-
----
-
 ## JOB_RETENTION
 
 !!! tip "Dynamic Configuration Parameter"

diff --git a/docs/integrations/graphql-api.md b/docs/integrations/graphql-api.md
@@ -112,4 +112,4 @@ Authorization: Token $TOKEN
 
 ## Disabling the GraphQL API
 
-If not needed, the GraphQL API can be disabled by setting the [`GRAPHQL_ENABLED`](../configuration/miscellaneous.md#graphql_enabled) configuration parameter to False and restarting NetBox.
+If not needed, the GraphQL API can be disabled by setting the [`GRAPHQL_ENABLED`](../configuration/graphql-api.md#graphql_enabled) configuration parameter to False and restarting NetBox.
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -109,6 +109,7 @@ nav:
         - Required Parameters: 'configuration/required-parameters.md'
         - System: 'configuration/system.md'
         - Security: 'configuration/security.md'
+        - GraphQL API: 'configuration/graphql-api.md'
         - Remote Authentication: 'configuration/remote-authentication.md'
         - Data & Validation: 'configuration/data-validation.md'
         - Default Values: 'configuration/default-values.md'

diff --git a/netbox/netbox/graphql/schema.py b/netbox/netbox/graphql/schema.py
@@ -1,5 +1,7 @@
 import strawberry
+from django.conf import settings
 from strawberry_django.optimizer import DjangoOptimizerExtension
+from strawberry.extensions import MaxAliasesLimiter
 from strawberry.schema.config import StrawberryConfig
 
 from circuits.graphql.schema import CircuitsQuery
@@ -37,5 +39,6 @@ class Query(
     config=StrawberryConfig(auto_camel_case=False),
     extensions=[
         DjangoOptimizerExtension,
+        MaxAliasesLimiter(max_alias_count=settings.GRAPHQL_MAX_ALIASES),
     ]
 )
diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
@@ -119,6 +119,7 @@
 EXEMPT_VIEW_PERMISSIONS = getattr(configuration, 'EXEMPT_VIEW_PERMISSIONS', [])
 FIELD_CHOICES = getattr(configuration, 'FIELD_CHOICES', {})
 FILE_UPLOAD_MAX_MEMORY_SIZE = getattr(configuration, 'FILE_UPLOAD_MAX_MEMORY_SIZE', 2621440)
+GRAPHQL_MAX_ALIASES = getattr(configuration, 'GRAPHQL_MAX_ALIASES', 10)
 HTTP_PROXIES = getattr(configuration, 'HTTP_PROXIES', None)
 INTERNAL_IPS = getattr(configuration, 'INTERNAL_IPS', ('127.0.0.1', '::1'))
 ISOLATED_DEPLOYMENT = getattr(configuration, 'ISOLATED_DEPLOYMENT', False)
Original file line number	Diff line number	Diff line change
Expand Up		@@ -112,4 +112,4 @@ Authorization: Token $TOKEN

		## Disabling the GraphQL API

		If not needed, the GraphQL API can be disabled by setting the [`GRAPHQL_ENABLED`](../configuration/miscellaneous.md#graphql_enabled) configuration parameter to False and restarting NetBox.
		If not needed, the GraphQL API can be disabled by setting the [`GRAPHQL_ENABLED`](../configuration/graphql-api.md#graphql_enabled) configuration parameter to False and restarting NetBox.