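def resolve(self, next, root, info, **kwargs):
    """Reject operations whose nesting depth exceeds the configured limit.

    On the easy level the check is skipped entirely. Otherwise the parsed
    JSON body (``info.context.json``) is inspected: a single object is
    treated as a one-element batch, a list is walked element by element.
    Each element's ``query`` or ``mutation`` document is measured with
    ``parser.get_depth`` and compared against the limit by
    ``security.depth_exceeded``.

    Args:
        next: The next resolver in the middleware chain.
        root, info, **kwargs: Forwarded unchanged to ``next``.

    Returns:
        Whatever ``next(root, info, **kwargs)`` returns.

    Raises:
        werkzeug.exceptions.SecurityError: If any inspected document is
            deeper than the limit.
    """
    if helpers.is_level_easy():
        return next(root, info, **kwargs)

    payload = info.context.json
    if isinstance(payload, dict):
        operations = [payload]
    elif isinstance(payload, list):
        operations = payload
    else:
        # NOTE(review): a request without a JSON body is not measured here
        # at all -- confirm the view cannot execute a document that arrived
        # another way.
        operations = []

    for operation in operations:
        if not isinstance(operation, dict):
            # Nothing to measure in a malformed batch element; calling .get()
            # on it would turn the request into a server error instead.
            continue
        # The document may sit under either key; a mutation document must be
        # measured too, not just a query.
        document = operation.get('query') or operation.get('mutation')
        if not document:
            continue
        if security.depth_exceeded(parser.get_depth(document)):
            raise werkzeug.exceptions.SecurityError('Query Depth Exceeded! Deep Recursion Attack Detected.')

    return next(root, info, **kwargs)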
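def resolve(self, next, root, info, **kwargs):
    """Reject requests whose aggregate field cost exceeds the limit.

    On the easy level the check is skipped. Otherwise every operation in
    the JSON body (a single object or a batched list) contributes the
    fields of its ``query`` or ``mutation`` document, collected with
    ``parser.get_fields_from_query``; the combined list is then judged by
    ``security.cost_exceeded``.

    Args:
        next: The next resolver in the middleware chain.
        root, info, **kwargs: Forwarded unchanged to ``next``.

    Returns:
        Whatever ``next(root, info, **kwargs)`` returns.

    Raises:
        werkzeug.exceptions.SecurityError: If the combined cost is too high.
    """
    if helpers.is_level_easy():
        return next(root, info, **kwargs)

    payload = info.context.json
    if isinstance(payload, dict):
        operations = [payload]
    elif isinstance(payload, list):
        operations = payload
    else:
        operations = []

    fields_requested = []
    for operation in operations:
        if not isinstance(operation, dict):
            # A malformed batch element has no document; skip it rather than
            # fail with AttributeError on .get().
            continue
        document = operation.get('query') or operation.get('mutation')
        if document:
            fields_requested += parser.get_fields_from_query(document)

    # Cost is judged over the whole batch, so splitting an expensive
    # operation across batch elements does not lower its cost.
    if security.cost_exceeded(fields_requested):
        raise werkzeug.exceptions.SecurityError('Cost of Query is too high.')

    return next(root, info, **kwargs)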
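def allowed_cmds(cmd):
    """Return True if *cmd* may be executed at the current difficulty level.

    Easy level allows everything. Hard level allows only commands whose
    command name (first whitespace-separated token) is ``echo``, ``ps``,
    ``whoami`` or ``tail``. Any other level, an empty command, or a
    command name outside the allowlist is rejected.

    Args:
        cmd: The command line to check.

    Returns:
        bool: True if the command is allowed.
    """
    if helpers.is_level_easy():
        return True
    if not helpers.is_level_hard():
        return False

    # Each name is its own tuple element; adjacent string literals without a
    # comma would silently concatenate into one (non-matching) name.
    allowlist = ('echo', 'ps', 'whoami', 'tail')
    # Match the command name exactly rather than as a string prefix, so a
    # command that merely starts with an allowed name is not accepted.
    tokens = cmd.split()
    return bool(tokens) and tokens[0] in allowlist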
def get_difficulty():
    """Report the active difficulty level as a ``{'difficulty': ...}`` dict.

    Any level that is not the easy level is reported as ``'hard'``.
    """
    level = 'easy' if helpers.is_level_easy() else 'hard'
    return {'difficulty': level}
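def resolve(self, next, root, info, **kwargs):
    """Block schema introspection fields on non-easy difficulty levels.

    On the easy level every field is resolved. Otherwise the resolved
    field's name (lower-cased) is compared against the introspection
    entry points and the request is rejected on a match.

    Args:
        next: The next resolver in the middleware chain.
        root, info, **kwargs: Forwarded unchanged to ``next``.

    Returns:
        Whatever ``next(root, info, **kwargs)`` returns.

    Raises:
        werkzeug.exceptions.SecurityError: If the field is an introspection
            entry point.
    """
    if helpers.is_level_easy():
        return next(root, info, **kwargs)

    # GraphQL exposes two introspection entry points on the root type,
    # ``__schema`` and ``__type``; both must be blocked for the schema to
    # stay hidden. ``__introspection`` is kept from the previous list for
    # compatibility. ``__typename`` is deliberately not blocked: it only
    # names the current object's type and ordinary clients rely on it.
    blocked_fields = frozenset({'__schema', '__type', '__introspection'})
    if info.field_name.lower() in blocked_fields:
        raise werkzeug.exceptions.SecurityError('Introspection is Disabled')

    return next(root, info, **kwargs)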
def resolve(self, next, root, info, **kwargs):
    """Gate GraphiQL behind the ``env`` cookie on the easy level; deny otherwise.

    On any level other than easy the request is rejected outright. On the
    easy level the ``env`` cookie must be present and base64-decode (via
    ``helpers.decode_base64``) to ``graphiql:enable``. The cookie is
    client-supplied and unsigned, so this is a feature toggle rather than
    an authorization check.

    Args:
        next: The next resolver in the middleware chain.
        root, info, **kwargs: Forwarded unchanged to ``next``.

    Returns:
        Whatever ``next(root, info, **kwargs)`` returns.

    Raises:
        werkzeug.exceptions.SecurityError: If GraphiQL is disabled for the
            level or the cookie does not enable it.
    """
    if not helpers.is_level_easy():
        raise werkzeug.exceptions.SecurityError('GraphiQL is disabled')

    env_cookie = request.cookies.get('env')
    # decode_base64 is only reached when a cookie is present; its behaviour
    # on a malformed value is not visible here.
    if not env_cookie or helpers.decode_base64(env_cookie) != 'graphiql:enable':
        raise werkzeug.exceptions.SecurityError('GraphiQL Access Rejected')

    return next(root, info, **kwargs)
def resolve(self, next, root, info, **kwargs):
    """Reject named operations that are not on the allowlist (non-easy levels).

    The operation name is obtained with ``helpers.get_opname``; an unnamed
    operation is reported as ``'No Operation'`` and always passes. Named
    operations must be accepted by ``security.operation_name_allowed``.

    Args:
        next: The next resolver in the middleware chain.
        root, info, **kwargs: Forwarded unchanged to ``next``.

    Returns:
        Whatever ``next(root, info, **kwargs)`` returns.

    Raises:
        werkzeug.exceptions.SecurityError: If the operation name is not allowed.
    """
    if helpers.is_level_easy():
        return next(root, info, **kwargs)

    operation_name = helpers.get_opname(info.operation)
    is_anonymous = operation_name == 'No Operation'
    # The allowlist lookup is only consulted for named operations.
    if not is_anonymous and not security.operation_name_allowed(operation_name):
        raise werkzeug.exceptions.SecurityError(
            'Operation Name "{}" is not allowed.'.format(operation_name))

    return next(root, info, **kwargs)
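def resolve(self, next, root, info, **kwargs):
    """Reject requests whose document is on the deny list (non-easy levels).

    Both a single JSON object and a batched list of objects are inspected,
    matching the depth and cost middlewares; each element's ``query`` (or
    ``mutation``) document is passed to ``security.on_denylist``.

    Args:
        next: The next resolver in the middleware chain.
        root, info, **kwargs: Forwarded unchanged to ``next``.

    Returns:
        Whatever ``next(root, info, **kwargs)`` returns.

    Raises:
        werkzeug.exceptions.SecurityError: If any inspected document is on
            the deny list.
    """
    if helpers.is_level_easy():
        return next(root, info, **kwargs)

    payload = info.context.json
    if isinstance(payload, dict):
        operations = [payload]
    elif isinstance(payload, list):
        # Batched requests must be inspected element by element; otherwise
        # a denied document inside a batch would go unchecked.
        operations = payload
    else:
        operations = []

    for operation in operations:
        if not isinstance(operation, dict):
            # Malformed batch element: nothing to look up.
            continue
        # Falls back to None when neither key is present, as before.
        document = operation.get('query') or operation.get('mutation')
        if security.on_denylist(document):
            raise werkzeug.exceptions.SecurityError('Query is on the Deny List.')

    return next(root, info, **kwargs)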
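def strip_dangerous_characters(cmd):
    """Remove shell command-separator characters from *cmd* on the hard level.

    The easy level, and any level that is neither easy nor hard, returns
    *cmd* unchanged. This is a deny-list sanitizer: it removes the
    characters a shell uses to chain, pipe or substitute commands.
    Running the command as an argument list without a shell is the robust
    mitigation; this function only reduces exposure where a shell is used.

    Args:
        cmd: The command line to sanitize.

    Returns:
        str: The command with the listed characters removed.
    """
    if helpers.is_level_easy():
        return cmd
    if not helpers.is_level_hard():
        return cmd

    # ';' and '&' alone leave '|', backtick, '$' and line breaks as ways to
    # start a second command or a substitution. One translate() pass removes
    # all of them instead of a chain of replace() calls.
    separators = str.maketrans('', '', ';&|`$\n\r')
    return cmd.translate(separators)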