I’ve created a minimal-as-possible GraphQL library for the JavaScript Octokit: https://github.com/octokit/graphql.js
Teddy brought up the issue that the simple API design does not prevent users of the library from creating code that is vulnerable to query injection attacks:
octokit/graphql.js#2
GraphQL has the concept of variables built into its design which prevents this, but users need to be disciplined enough to use the variables instead of just creating a string with the values replaced.
JavaScript supports an API that would prevent that: tagged templates. I’m not sure if something similar is possible for other languages.
The use of tagged templates would work but also complicates the API surface a little. I’m not yet sure if it’s necessary, or if there are other ways, such as good documentation, linting, etc.
I wonder if anybody has thoughts on this?
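The two approaches the post contrasts, as an added example (this is not code from @octokit/graphql or the issue author): `unsafeQuery` splices the value into the query text, so a value containing a quote changes the structure of the operation; the hypothetical `gql` tag instead turns every interpolated value into a declared GraphQL variable and returns the `{ query, variables }` pair that would be sent to the server. The `gql` name, the `v0…vN` variable naming and the scalar type mapping are assumptions for the example.

```javascript
// Added example (not part of @octokit/graphql): a tagged template that moves
// every interpolated value out of the query text and into GraphQL variables.

// Map a JavaScript value to a non-null GraphQL scalar type for the declaration.
// Only scalars are accepted; objects would need a schema-specific input type.
function graphqlType(value) {
  switch (typeof value) {
    case "string":
      return "String!";
    case "boolean":
      return "Boolean!";
    case "number":
      return Number.isInteger(value) ? "Int!" : "Float!";
    default:
      throw new TypeError(`unsupported interpolation type: ${typeof value}`);
  }
}

// Tag function. Usage: gql`query { repositoryOwner(login: ${owner}) { id } }`
// Each ${...} becomes $vN in the query text and an entry in `variables`.
function gql(strings, ...values) {
  const variables = {};
  const declarations = [];
  let body = strings[0];
  values.forEach((value, i) => {
    const name = `v${i}`;
    variables[name] = value;
    declarations.push(`$${name}: ${graphqlType(value)}`);
    body += `$${name}` + strings[i + 1];
  });

  const trimmed = body.trim();
  if (declarations.length === 0) {
    return { query: trimmed, variables };
  }
  // Insert the variable declarations after the operation keyword (and optional
  // operation name). The anonymous shorthand `{ ... }` cannot declare variables,
  // so it is rewritten to an explicit `query(...)`.
  const decl = `(${declarations.join(", ")})`;
  const m = /^(query|mutation|subscription)(\s+[A-Za-z_]\w*)?/.exec(trimmed);
  if (m) {
    return { query: `${m[0]}${decl}${trimmed.slice(m[0].length)}`, variables };
  }
  if (trimmed.startsWith("{")) {
    return { query: `query${decl} ${trimmed}`, variables };
  }
  throw new SyntaxError("expected a GraphQL operation");
}

// The pattern the issue warns about, kept for contrast: the value is part of the
// query text, so any quote or brace in it is parsed as query syntax.
function unsafeQuery(owner) {
  return `{ repositoryOwner(login: "${owner}") { id } }`;
}

// Constructed sample input: a login that closes the string literal and adds a
// second field. With unsafeQuery it changes the operation; with gql it is
// just the value of $v0 and the query text is identical to the benign case.
const hostileLogin = 'octokit") { id } x: repositoryOwner(login: "other';

function demo() {
  const benign = gql`{ repositoryOwner(login: ${"octokit"}) { id } }`;
  const hostile = gql`{ repositoryOwner(login: ${hostileLogin}) { id } }`;
  return {
    sameQueryText: benign.query === hostile.query,
    unsafeGainedField: unsafeQuery(hostileLogin).includes("x: repositoryOwner"),
  };
}
```

Note that the value has to be interpolated where an argument value goes (`login: ${owner}`), not inside a quoted literal (`login: "${owner}"`), because the tag emits a bare `$v0` reference; wrapping it in quotes would send the string `"$v0"`. Linting for the quoted form is one of the cheap complements to the tag that the post mentions.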