Showing 15 changed files with 687 additions and 706 deletions.
...es/19_GraphQL/04_security_and_best_practices/05_recursive_or_complex_queries.md: 50 additions & 0 deletions
@@ -0,0 +1,50 @@ | ||
--- | ||
title: Recursive or complex queries | ||
summary: Protecting against potentially malicious queries | ||
--- | ||
|
||
# Security & best practices | ||
|
||
[CHILDREN asList] | ||
|
||
## Recursive or complex queries | ||
|
||
GraphQL schemas can contain recursive types and circular dependencies. Recursive or overly complex queries can take up a lot of resources, | ||
and could have a high impact on server performance and even result in a denial of service if not handled carefully. | ||
|
||
Before parsing queries, if a query is found to have more than 500 nodes, it is rejected. While executing queries there is a default query depth limit of 15 for all schemas with no complexity limit. | ||
|
||
You can customise the node limit and query depth and complexity limits by setting the following configuration: | ||
|
||
**app/_config/graphql.yml** | ||
|
||
```yaml | ||
--- | ||
After: 'graphql-schema-global' | ||
--- | ||
SilverStripe\GraphQL\Schema\Schema: | ||
schemas: | ||
'*': | ||
config: | ||
max_query_nodes: 250 # default 500 | ||
max_query_depth: 20 # default 15 | ||
max_query_complexity: 100 # default unlimited | ||
``` | ||
[info] | ||
For calculating the query complexity, every field in the query gets a default score 1 (including ObjectType nodes). Total complexity of the query is the sum of all field scores. | ||
[/info] | ||
You can also configure these settings for individual schemas. This allows you to fine-tune the security of your custom public-facing schema without affecting the security of the schema used in the CMS. To do so, either replace `'*'` with the name of your schema in the yaml configuration above, or set the values under the `config` key for your schema using preferred file structure as defined in [configuring your schema](../getting_started/configuring_your_schema/). For example: | ||
|
||
**app/_graphql/config.yml** | ||
|
||
```yaml | ||
max_query_nodes: 250 | ||
max_query_depth: 20 | ||
max_query_complexity: 100 | ||
``` | ||
|
||
### Further reading | ||
|
||
[CHILDREN] |
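Review bot: the `[info]` admonition after the first YAML example is butted directly against the closing fence and the following paragraph (`[info]` on the line after the fence, `[/info]` immediately followed by `You can also configure these settings for individual schemas.`) while every other block in this new file is separated by blank lines; add a blank line before `[info]` and after `[/info]` so the admonition renders as its own block. Wording in that same note: "every field in the query gets a default score 1" reads better as "gets a default score of 1". In the opening paragraph, "there is a default query depth limit of 15 for all schemas with no complexity limit" is ambiguous about what "with no complexity limit" qualifies; "and no default complexity limit" says what the config comment `# default unlimited` confirms.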
@@ -1,96 +1,110 @@ | ||
--- | ||
title: Bug Reports | ||
summary: Report bugs or problems with SilverStripe, feature requests or other issues. | ||
title: Issues and Bug Reports | ||
summary: Report bugs or problems with Silverstripe CMS, feature requests or other issues. | ||
icon: bug | ||
--- | ||
|
||
# Contributing Issues and Opinions | ||
# Issues and Bug Reports | ||
|
||
## Reporting Bugs | ||
|
||
[alert] | ||
If you think you've found a security issue, please use [the specific process](#reporting-security-issues) for those. Do _not_ raise a security issue in GitHub. | ||
[/alert] | ||
|
||
If you have discovered a bug in Silverstripe CMS, we'd be glad to hear about it - | ||
well written bug reports can be half of the solution already! | ||
|
||
Silverstripe CMS uses [GitHub](https://github.com/) to manage bug reports. If you | ||
want to report a bug, you will need to [create a GitHub account](https://docs.github.com/en/get-started/onboarding/getting-started-with-your-github-account) | ||
and log in. | ||
|
||
Before submitting a bug: | ||
|
||
* Ask for assistance in our [community channels](https://www.silverstripe.org/community) if you're unsure if it's really a bug. | ||
* Search for similar, existing tickets. | ||
* Search for similar, existing issues. | ||
You can [list all issues across modules](https://www.silverstripe.org/community/contributing-to-silverstripe/github-all-core-issues), | ||
then add your search phrase at the start of the existing search filters (for example [all issues with label "type/ux"](https://www.silverstripe.org/community/contributing-to-silverstripe/github-all-open-ux-issues)) | ||
* Is this a security issue? Please follow our separate reporting guidelines below. | ||
* Which modules does this issue belong to? Each one has its own issue tracker. | ||
If you are unsure, [create an issue](https://github.com/silverstripe/silverstripe-framework/issues/new) on the the "framework" repository. | ||
* Note that [documentation issues](https://github.com/silverstripe/developer-docs/issues) are tracked in the "developer-docs" repository. | ||
* Try to reproduce your issue on a [clean installation](/getting_started/composer#using-development-versions), maybe the bug has already been fixed on an unreleased branch? | ||
* The bugtracker is not the place to discuss enhancements, please use | ||
the ["feature ideas" forum category](https://forum.silverstripe.org/c/feature-ideas) and our [community channels](https://www.silverstripe.org/community). | ||
Only log enhancement tickets if they gather a large interest in the community | ||
and the enhancement is likely to be implemented in the next couple of months. | ||
* Is this a security issue? Please follow our [security reporting guidelines](#reporting-security-issues) below. | ||
* Try to reproduce your issue on a [clean installation](/getting_started/composer#create-a-new-site) to rule out bugs in your own code. | ||
|
||
If the issue does look like a new bug: | ||
|
||
* Create an issue on the right module repository in GitHub | ||
* Describe the steps required to reproduce your issue, and the expected outcome. Unit tests, screenshots and screencasts can help here. | ||
* Describe your environment as detailed as possible: SilverStripe version, Browser, PHP version, Operating System, any installed SilverStripe modules. | ||
* *(optional)* [Submit a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request) which fixes the issue. | ||
|
||
Lastly, don't get your hopes up too high. Unless your issue is a blocker | ||
affecting a large number of users, don't expect SilverStripe developers to jump | ||
onto it right way. Your issue is a starting point where others with the same | ||
problem can collaborate with you to develop a fix. | ||
* If you are unsure, [create an issue](https://github.com/silverstripe/silverstripe-framework/issues/new) on the the "framework" repository. | ||
* Note that [documentation issues](https://github.com/silverstripe/developer-docs/issues) are tracked in the "developer-docs" repository. | ||
* Describe the steps required to reproduce your issue, and the expected outcome. Example code, screenshots, and videos can help here. | ||
Be as clear as you can, but don't miss any steps out. Simply saying "create a page" is less useful than guiding us through the steps you're taking to create a page, for example. | ||
* If the bug is too complex to reproduce with some short code samples, please reproduce it in a public repository and provide a link to the repository along with steps for setting up and reproducing the bug using that repository. | ||
A repository like this should only contain code that is required to set up and reproduce the bug. | ||
* Describe your environment in as much detail as possible. Include the versions of relevant modules, the PHP version, webserver, and operating system used to run the project, the browser(s) you see the issue in, etc. | ||
* If part of the bug includes an error or exception, please provide a full stack trace. Be wary that stack traces may contain sensitive information, and if that is the case, be sure to redact them prior to posting your stack trace. | ||
* You are strongly encouraged to [submit a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request) which fixes the issue. Bug reports which are accompanied with a pull request are a lot more likely to be resolved quickly. | ||
|
||
Lastly, don't get your hopes up too high. Unless your issue is a blocker | ||
affecting a large number of users, don't expect Silverstripe developers to jump | ||
onto it right way. Your issue is a starting point where others with the same | ||
problem can collaborate with you to develop a fix. If this bug is a blocker | ||
for you, then [submitting a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request) | ||
is the best way to ensure it gets fixed. | ||
|
||
## Feature Requests | ||
|
||
[warning] | ||
Please don't file "feature requests" as Github issues. If there's a new feature | ||
you'd like to see in SilverStripe, you either need to write it yourself (and | ||
[submit a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request) or convince somebody else to | ||
write it for you. Any "wishlist" type issues without code attached can be | ||
Please don't file feature requests as Github issues. If there's a new feature | ||
you'd like to see in Silverstripe CMS, you either need to write it yourself (and | ||
[submit a pull request](/contributing/code/#step-by-step-from-forking-to-sending-the-pull-request)) or convince somebody else to | ||
write it for you. Any "wishlist" type issues without code attached can be | ||
expected to be closed as soon as they're reviewed. | ||
[/warning] | ||
|
||
In order to gain interest and feedback in your feature, we encourage you to | ||
In order to gain interest and feedback in your feature, we encourage you to | ||
present it to the community through the [community channels](https://www.silverstripe.org/community). | ||
|
||
## Reporting Security Issues | ||
|
||
[warning] | ||
If you think a bug may have security implications, do not create a GitHub issue for it. This may lead to a zero-day vulnerability. | ||
[/warning] | ||
|
||
Report potential security issues to [[email protected]](mailto:[email protected]). | ||
See our "[Release Process](/contributing/release_process/#security-releases)" documentation for more info, and | ||
read our guide on [how to write secure code](/developer_guides/security/secure_coding/). | ||
Report potential security issues to [[email protected]](mailto:[email protected]). Emails sent to that address are | ||
forwarded to a private mailing list and kick off a specific security process. | ||
|
||
Silverstripe CMS does not operate a *bug bounty* program. | ||
If you have any doubts or are unsure whether the bug you've found has security implications or not, please err on the side of caution | ||
and email us about it. | ||
|
||
Review our [Managing Security Guidelines](managing_security_issues) guidelines to understand what happens once a vulnerability is reported. | ||
Review our [Managing Security Issues](managing_security_issues) process to understand what happens once a vulnerability is reported. | ||
|
||
Silverstripe CMS aims to ship security patches at pre-defined intervals when those issues are not actively exploited in the wild. | ||
|
||
Review the [Security patch windows](../Project_Governance/Minor_release_policy#security-patch-windows) section of our minor release policy for more details. | ||
|
||
## Sharing your Opinion | ||
|
||
* [forum.silverstripe.org](https://forum.silverstripe.org): Forums on silverstripe.org | ||
* [All issues across modules](https://www.silverstripe.org/community/contributing-to-silverstripe/github-all-core-issues) | ||
|
||
## Identifying issues and pull request relevant to your own project {#identifying-issues} | ||
|
||
Our [issue browser](https://silverstripe-github-issues.now.sh/) can be helpful to identify known issues and pending pull requests in | ||
[supported modules](/project_governance/supported_modules/). | ||
But you're usually only running some of these modules, and others | ||
from the [wider module ecosystem](https://addons.silverstripe.org). | ||
|
||
In order to only show issues and pull requests relevant to your project, | ||
we've written a little [composer utility](https://github.com/silverstripe/silverstripe-github-issue-search-composer-util) | ||
which inspects your own `composer.lock` file dependencies, | ||
and searches across all Silverstripe CMS modules in there. | ||
|
||
After [installing the composer utility](https://github.com/silverstripe/silverstripe-github-issue-search-composer-util), | ||
use this command to pass through a lock file, and get a URL to open in your favourite browser. | ||
|
||
``` | ||
cat /my/project/composer.lock | ss-issue-search get-url | ||
``` | ||
|
||
Protip: You can further filter to certain [issue labels](code#labels) | ||
such as `label:impact/high` to make the results more relevant. | ||
Silverstripe CMS does not operate a _bug bounty_ program. | ||
|
||
## GitHub Labels {#labels} | ||
|
||
The current GitHub labels are grouped into five sections: | ||
|
||
1. *Impact* - What impact does this issue have, does it break a feature completely, is it just a side effect or is it trivial and not a big problem (but a bit annoying), etc. Impact is evaluated in the context of the CMS as a whole, rather than against the individual module the issue is raised on. | ||
2. *Complexity* - What level of technical proficiency is required to address this issue? | ||
3. *Type* - The type of solution required to address this issue | ||
4. *Affects* - The release line this issue is relevant to | ||
5. *RFC* - The issue is a request-for-comment | ||
|
||
| Label | Purpose | | ||
| ----- | ------- | | ||
| impact/critical | Website breaking issue with no workarounds. Reserved only for bugs. Bugfix's will target all supported minor release lines. | | ||
| impact/high | Affects a major usage flow. Broken functionality with no obvious workarounds available, or an enhancement that provides a clear benefit to users | | ||
| impact/medium | When affecting a major usage flow, for bugs there is a workaround available and for enhancements there would be a reasonable benefit to users. For a less common usage flow there is broken functionality and for enhancements there is a clear benefit to users. | | ||
| impact/low | A nuisance but doesn't break any functionality (typos, etc). For enhancements there would only be a limited benefit to users. | | ||
| complexity/low | Someone with limited Silverstripe CMS experience could resolve | | ||
| complexity/medium | Someone with a good understanding of Silverstripe CMS could resolve | | ||
| complexity/high | Only an expert with Silverstripe CMS could resolve | | ||
| type/bug | Does not function as intended, or is inadequate for the purpose it was created for | | ||
| type/enhancement | New feature or improvement for either users or developers | | ||
| type/api-break | An API-breaking change requiring a new major release | | ||
| type/ux | Impact on the CMS user interface | | ||
| type/docs | A docs change | | ||
| type/userhelp | A userhelp documentation change | | ||
| affects/* | Issue has been observed on a specific CMS release line | | ||
| rfc/draft | [RFC](/project_governance/request_for_comment) under discussion | | ||
| rfc/accepted | [RFC](/project_governance/request_for_comment) where agreement has been reached | |
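Review bot: the added line `* If you are unsure, [create an issue](https://github.com/silverstripe/silverstripe-framework/issues/new) on the the "framework" repository.` carries over the doubled "the the" from the line it replaces; since the line is being moved in this commit anyway, fix it here. Two more typos in added lines: `onto it right way.` should read `right away`, and `Please don't file feature requests as Github issues.` should use `GitHub`, matching the spelling used elsewhere in this file (`Do _not_ raise a security issue in GitHub.`). Optional, in the unchanged label table: `Bugfix's will target all supported minor release lines.` should be `Bugfixes`, and the heading `Identifying issues and pull request relevant to your own project` wants `pull requests`, if you are willing to touch context lines in this commit.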