ChilliCream / graphql-platform

Welcome to the home of the Hot Chocolate GraphQL server for .NET, the Strawberry Shake GraphQL client for .NET and Banana Cake Pop the awesome Monaco based GraphQL IDE.
https://chillicream.com
MIT License

No option to disable Cost Analyzer #7679

Open johan-lindqvist opened 3 weeks ago

johan-lindqvist commented 3 weeks ago

Product

Hot Chocolate

Version

14

Link to minimal reproduction

N/A

Steps to reproduce

We're using the AddGraphQLFunction() extension method in our project which in turn calls https://github.com/ChilliCream/graphql-platform/blob/ad8fdf0f4ed5cec45e8da34ea7e175fa3f66f9ee/src/HotChocolate/AspNetCore/src/AspNetCore/Extensions/HotChocolateAspNetCoreServiceCollectionExtensions.cs#L103 but there's no option to configure if I want to disable the default security exposed through the AddGraphQLFunction() extension method.

Some way to override the cost analyzer and disable it would be nice since we don't have any use for the cost directives.

What is expected?

The option to disable cost analyzer exists

What is actually happening?

No option to disable the cost analyzer exists

Relevant log output

No response

Additional context

No response

aidy-jenkins commented 3 weeks ago

Does this not have the desired effect?

services
   .AddGraphQLServer(...)
   .ModifyCostOptions(options => options.EnforceCostLimits = false)
johan-lindqvist commented 3 weeks ago

Does this not have the desired effect?

services
   .AddGraphQLServer(...)
   .ModifyCostOptions(options => options.EnforceCostLimits = false)

The schema still has @cost on all the mutations and queries even with this code.

michaelstaib commented 3 weeks ago

What is the issue you are facing with the cost spec?

johan-lindqvist commented 3 weeks ago

The issue is that there's no simple way to opt out of the Cost Analyzer if using the Azure Functions extension method.

There's not really an issue with the cost directive, but what's the motivation of having it included if every query has the same cost and the default value it's given is not used by any client? Maybe I'm missing the benefit of having the cost directive on all the queries and mutations on by default?

Seems like it should be an opt-in feature rather than an opt-out?

PascalSenn commented 2 weeks ago

The reason why it's opt out is so users do not forget to enable it.

If you do not use persisted queries, the cost analyzer has to be enabled.

johan-lindqvist commented 2 weeks ago

The reason why it's opt out is so users do not forget to enable it.

If you do not use persisted queries, the cost analyzer has to be enabled.

What's the reason for it having to be enabled? I feel like I'm missing something here.

michaelstaib commented 2 weeks ago

The main reason is that it’s very easy to overwhelm an unsecured GraphQL server. If users can define any GraphQL request without limitations, a server can easily allocate 1-3 GB of memory per request, potentially causing instability or even crashes. We’ve frequently seen this in consulting scenarios, where clients with unsecured GraphQL servers were surprised by how quickly they became unresponsive under load.

Meta, the creator of GraphQL, addresses this risk with persisted operations. This approach only allows predefined requests from their applications to run on production servers, which is widely regarded as a best practice for secure and efficient GraphQL operation.

Similarly, companies with open GraphQL schemas, like GitHub or Shopify, employ complexity and cost analysis to ensure predictable and sustainable server performance under various load conditions.

Starting with Version 14, Hot Chocolate is preconfigured with default security settings for open GraphQL servers (like GitHub’s). This setup helps developers, even those new to GraphQL, run a secure server by default. The default policy in Hot Chocolate disables introspection in production, enforces cost limits, and restricts recursion depth to 3, providing a solid security baseline. While additional security measures can further strengthen an open GraphQL server, this default configuration offers strong initial protection.
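The baseline described in this comment, written out as an explicit Hot Chocolate v14 server configuration so the difference between "analyzer on, enforcement off" and "analyzer on, enforcement on" is visible in one place. This is an added example, not code from the thread or from the project; the option names MaxFieldCost, MaxTypeCost, ApplyCostDefaults and DefaultResolverCost, their values, and the AddMaxExecutionDepthRule call are assumed from the Hot Chocolate cost-analysis API rather than taken from this page.

```csharp
// Program.cs for an ASP.NET Core host. Added example, not from the thread or the project.
// Assumed: Hot Chocolate v14 CostOptions members MaxFieldCost, MaxTypeCost, ApplyCostDefaults,
// DefaultResolverCost, and the AddMaxExecutionDepthRule validation rule.
using HotChocolate;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddGraphQLServer()
    .AddQueryType<Query>()
    .ModifyCostOptions(options =>
    {
        // Enforcing mode (the v14 default): a request whose computed cost exceeds the
        // budget is rejected during validation, before any resolver allocates memory.
        options.EnforceCostLimits = true;

        // Report-only variant from earlier in the thread. The analyzer still runs and
        // @cost still appears in the schema; only the rejection step is skipped:
        // options.EnforceCostLimits = false;

        options.MaxFieldCost = 1_000;       // assumed default budget for resolver/field cost
        options.MaxTypeCost = 1_000;        // assumed default budget for returned-type cost
        options.ApplyCostDefaults = true;   // assumed: emits the default @cost weights on fields
        options.DefaultResolverCost = 10.0; // assumed default weight charged per resolver call
    })
    // Nesting cap matching the "restricts recursion depth to 3" baseline quoted above.
    .AddMaxExecutionDepthRule(3);

var app = builder.Build();
app.MapGraphQL();
app.Run();

// Minimal schema so the host starts; unrelated to the cost settings themselves.
public class Query
{
    public string Hello() => "world";
}
```

A client can inspect what a request would cost by sending it with the cost analysis enabled and reading the cost report the server attaches, which is the usual way to tune MaxFieldCost and MaxTypeCost before turning enforcement on in production.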

johan-lindqvist commented 2 weeks ago

I see, that makes sense. I missed that the values were enforced as well by default. Then I guess the issue is that there's no way to disable the cost analyzer when using the AddGraphQLFunction() extension method. There's a way to disable the enforcing but not the cost analyzer.

I can see if I can make a PR to expose the disableDefaultSecurity flag.

johan-lindqvist commented 2 weeks ago

PR here: https://github.com/ChilliCream/graphql-platform/pull/7695