hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0

Monday.com sends a gigantic content-security-policy header that breaks the ability to add it as a remote schema... #9296

Open commandodev opened 1 year ago

commandodev commented 1 year ago

Version Information

Server Version: CLI Version (for CLI related issue):

Environment

docker compose

What is the current behaviour?

I'm trying to add https://api.monday.com/v2 as a remote schema. I see this in the UI: [screenshot]

And this in the logs:

```json
"operation": {
      "error": {
        "code": "remote-schema-error",
        "error": "HTTP exception occurred while sending the request to \"https://api.monday.com/v2\"",
        "internal": {
          "message": "Overlong headers",
          "request": {
            "host": "api.monday.com",
            "method": "POST",
            "path": "/v2",
            "port": 443,
            "queryString": "",
            "requestHeaders": {
              "Authorization": "<REDACTED>",
              "Content-Type": "application/json",
              "User-Agent": "hasura-graphql-engine/v2.15.2",
              "X-B3-ParentSpanId": "eb5bc2608e8d14d5",
              "X-B3-SpanId": "dfd06d2a9f5ac82d",
              "X-B3-TraceId": "fe79b72e5d26118a2ca670a3b31a3415"
            },
            "responseTimeout": "ResponseTimeoutMicro 60000000",
            "secure": true
          },
          "type": "http_exception"
        },
        "path": "$.args"
      },
```

And so I can't add Monday as a remote schema

What is the expected behaviour?

How to reproduce the issue?

  1. Try and add the graphql API above (you'll need an API key)

Screenshots or Screencast

Please provide any traces or logs that could help here.

I suspect the offending party is this header:

```text
content-security-policy: frame-ancestors https://monday.com https://*.monday.com https://bigbrain.me https://*.bigbrain.me https://teams.microsoft.com https://*.teams.microsoft.com https://*.microsoftonline.com https://*.office365.com https://*.microsoft.com https://webbyawards.com https://www.webbyawards.com https://msteams.backend.monday.app https://monday.lightning.force.com https://monday.force.com https://www.office.com https://*.www.office.com https://outlook.office.com https://outlook-sdf.office.com https://outlook.office365.com https://outlook-sdf.office365.com https://outlook.live.com https://outlook-sdf.live.com https://app.eu.pendo.io; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.monday.com https://webpack.llama.fan:3444 https://*.microsoft.com https://*.hsforms.com https://*.pusher.com https://accounts.google.com https://ajax.googleapis.com https://api.embed.ly https://apis.google.com https://app.box.com https://appvizer.one/ariadne/v1/ariadne.js https://bat.bing.com https://cdn.broadcast.am https://cdn.pdst.fm https://cdn.simpo.io/actionbar.js https://cdn.simpo.io/simpo-client.js https://cdn.taboola.com https://cdn.walkme.com https://cdnjs.cloudflare.com https://code.highcharts.com https://connect.facebook.net https://ct.capterra.com https://d18vk66ftlazd2.cloudfront.net https://d2c7xlmseob604.cloudfront.net https://edge.fullstory.com https://rs.fullstory.com https://googleads.g.doubleclick.net https://js.hsforms.net https://js.live.net https://maps.googleapis.com https://monday.com https://s.pinimg.com https://s.ytimg.com https://snap.licdn.com https://snippet.growsumo.com https://songbird.cardinalcommerce.com https://static.cloudflareinsights.com https://static.zdassets.com https://tpc.googlesyndication.com https://translate.googleapis.com https://*.zopim.com https://ws.bluesnap.com https://www.dropbox.com https://www.google-analytics.com https://www.google.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com https://bigbrain.me https://*.bigbrain.me https://informer-cdn.monday.com https://cdn.eu.pendo.io https://app.eu.pendo.io https://data.eu.pendo.io https://pendo-eu-static-6485021788340224.storage.googleapis.com https://js.appboycdn.com/web-sdk/3.2/appboy.no-amd.min.js https://js.appboycdn.com/web-sdk/3.2/appboy.min.js https://sdk.iad-06.braze.com https://*.cdn2.monday.app https://microfrontends.monday.com https://js.braintreegateway.com https://assets.braintreegateway.com https://*.paypal.com https://cdn.monday.com https://browser.sentry-cdn.com https://*.hotjar.com https://static.ads-twitter.com https://analytics.twitter.com https://analytics.tiktok.com https://s.yimg.jp/images/listing/tool/cv/ytag.js https://trc.taboola.com https://pips.taboola.com https://cds.taboola.com https://cdn.servicebell.com https://api.servicebell.com wss://api.servicebell.com wss://ws.servicebell.com; worker-src 'self' 'unsafe-inline' blob:; connect-src 'self' https://*.monday.com https://monday.com wss://webpack.llama.fan:3444 https://webpack.llama.fan:3444 https://grsm.io https://forms.hsforms.com https://*.algolia.net https://*.algolianet.com https://bat.bing.com https://*.braze.com https://api.smartling.com https://us-central1-adaptive-growth.cloudfunctions.net https://appvizer.one https://www.facebook.com https://graph.microsoft.com https://graph.facebook.com https://api.giphy.com https://ct.pinterest.com https://storage.monday.app https://trc-events.taboola.com https://broadcast.am https://stats.g.doubleclick.net https://rs.fullstory.com https://*.cloudfront.net https://dapulse-res.cloudinary.com https://static.cloudflareinsights.com https://*.bigbrain.me https://www.dropbox.com https://www.googletagmanager.com https://ipinfo.io https://*.cardinalcommerce.com https://www.bluesnap.com https://connect.facebook.net https://app.box.com https://code.highcharts.com https://js.live.net https://monday.zendesk.com https://static.zdassets.com https://ekr.zdassets.com https://ekr.zendesk.com https://maps.googleapis.com wss://*.pusher.com https://*.pusher.com wss://*.zopim.com https://*.zopim.com https://www.google-analytics.com https://api.simpo.io https://cdn.simpo.io https://zh081jts88wj.statuspage.io https://www.googleapis.com https://cdn.eu.pendo.io https://app.eu.pendo.io https://data.eu.pendo.io https://pendo-eu-static-6485021788340224.storage.googleapis.com https://api.braintreegateway.com https://client-analytics.braintreegateway.com https://*.braintree-api.com https://*.paypal.com https://*.sentry.io https://cdn.jsdelivr.net https://prod-use1-crm-billing.s3.amazonaws.com https://prod-use1-crm-communication.s3.amazonaws.com https://files-monday-com.s3.amazonaws.com https://microfrontends.monday.com https://*.hotjar.com https://*.hotjar.io https://static.ads-twitter.com https://analytics.twitter.com https://analytics.tiktok.com https://s.yimg.jp/images/listing/tool/cv/ytag.js https://trc.taboola.com https://pips.taboola.com https://cds.taboola.com https://cdn.servicebell.com https://api.servicebell.com wss://api.servicebell.com wss://*.hotjar.com wss://ws.servicebell.com https://rum.browser-intake-datadoghq.eu https://session-replay.browser-intake-datadoghq.eu;
```

More here: https://github.com/snoyberg/http-client/issues/35

Any possible solutions/workarounds you're aware of?

Keywords

remote schema HTTP exception

adas98012 commented 1 year ago

@tirumaraiselvan Tagging you for visibility.

rahulagarwal13 commented 1 year ago

Thanks for reporting @commandodev , let us look into it and get back to you.

tirumaraiselvan commented 1 year ago

As you have noted in the issue, there is a hard limitation in http-client (which is used by wreq) of 4k bytes for headers: https://github.com/snoyberg/http-client/blob/master/http-client/Network/HTTP/Client/Connection.hs#L54

This is to prevent memory exhaustion: https://s3.amazonaws.com/haddock.stackage.org/nightly-2022-12-17/http-client-0.7.13.1/Network-HTTP-Client.html#v:OverlongHeaders

Is there any way to raise a ticket with Monday.com to reduce the size of their headers...it doesn't seem performant to have such huge headers?
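The two technical points in this thread are the diagnosis (one oversized response header makes the whole header block exceed the client's budget) and the reason the budget exists (an HTTP client that buffers headers without a cap can be driven into memory exhaustion by any server it talks to). The following Python reader is an added example, not code from hasura/graphql-engine or from http-client: it reads a response's status line and headers while never holding more than a fixed byte budget in memory, raises when that budget is exceeded, and can rank headers by wire size to show which one is responsible. `MAX_HEADER_BYTES`, `OverlongHeaders`, the function names and the sample responses are this example's own; the 4096-byte budget is assumed from the figure quoted above, and the large sample policy uses made-up hostnames rather than the real header from the issue.

```python
"""Bounded HTTP response-header reader (added example; not code from
hasura/graphql-engine or from http-client).

It mirrors the defensive behaviour described in the thread: stop buffering a
response's header block once a fixed byte budget is exceeded, so a remote
server cannot make the client allocate unbounded memory, and report which
header is the largest. Names and the 4096 budget are assumptions of this
example, taken from the figure quoted in the thread.
"""
import io

MAX_HEADER_BYTES = 4096  # assumed budget, matching the limit cited in the thread


class OverlongHeaders(Exception):
    """Raised when the status line plus headers exceed the byte budget."""


def read_headers(stream, max_bytes=MAX_HEADER_BYTES):
    """Read the status line and headers from a binary stream.

    At most max_bytes of header data are ever held in memory: each readline()
    call is capped at the remaining budget plus one byte, so an endless header
    line is cut off rather than buffered. Returns (status_line, headers, consumed)
    with header names lower-cased and values decoded as latin-1.
    """
    consumed = 0
    status_line = None
    headers = {}
    while True:
        remaining = max_bytes - consumed
        line = stream.readline(remaining + 1)  # never pull more than budget + 1 bytes
        if not line:
            raise ValueError("stream ended before the blank line that ends the headers")
        consumed += len(line)
        if consumed > max_bytes:
            raise OverlongHeaders(f"header block exceeds {max_bytes} bytes")
        if line in (b"\r\n", b"\n"):
            break  # blank line: end of the header block
        if status_line is None:
            status_line = line.rstrip(b"\r\n").decode("ascii", "replace")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().decode("ascii", "replace").lower()] = (
            value.strip().decode("latin-1")
        )
    return status_line, headers, consumed


def parse_response_bytes(raw, max_bytes=MAX_HEADER_BYTES):
    """Convenience wrapper for a response already held in memory."""
    return read_headers(io.BytesIO(raw), max_bytes)


def largest_headers(headers, n=3):
    """Rank headers by their size on the wire (name + ': ' + value), largest first."""
    sized = [(name, len(name) + 2 + len(value)) for name, value in headers.items()]
    return sorted(sized, key=lambda item: item[1], reverse=True)[:n]


def build_response(csp_value):
    """Constructed sample response; not captured from any real server."""
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/json\r\n"
        b"Content-Security-Policy: " + csp_value.encode("ascii") + b"\r\n"
        b"Server: example\r\n"
        b"\r\n"
        b'{"data":null}'
    )


SMALL_CSP = "frame-ancestors 'self'; script-src 'self'"
# Constructed: 250 placeholder origins (roughly 6 KB), in the spirit of the
# allow-list quoted in the issue but with made-up hostnames.
HUGE_CSP = "frame-ancestors " + " ".join(f"https://origin{i}.example" for i in range(250))


if __name__ == "__main__":
    status, hdrs, used = parse_response_bytes(build_response(SMALL_CSP))
    print(f"{status}: {len(hdrs)} headers in {used} bytes")
    try:
        parse_response_bytes(build_response(HUGE_CSP))
    except OverlongHeaders as exc:
        print("rejected:", exc)
    # Diagnose with a larger budget to see which header is the problem.
    _, hdrs, used = parse_response_bytes(build_response(HUGE_CSP), max_bytes=64 * 1024)
    print(f"{used} bytes of headers; largest: {largest_headers(hdrs, 1)}")
```

The cap is applied per `readline()` call, not only after the fact: a client that first reads a whole line and then checks its length has already allocated whatever the server sent. Raising the budget (the `max_bytes=64 * 1024` call) is the diagnostic step, useful for confirming which header is responsible before asking the remote operator to trim it, not a production setting.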