def resolve(self, next, root, info, **kwargs):
if helpers.is_level_easy():
return next(root, info, **kwargs)
depth = 0
array_qry = []
if isinstance(info.context.json, dict):
array_qry.append(info.context.json)
elif isinstance(info.context.json, list):
array_qry = info.context.json
for q in array_qry:
query = q.get('query', None)
mutation = q.get('mutation', None)
if query:
depth = parser.get_depth(query)
elif mutation:
depth = parser.get_depth(query)
if security.depth_exceeded(depth):
raise werkzeug.exceptions.SecurityError('Query Depth Exceeded! Deep Recursion Attack Detected.')
return next(root, info, **kwargs)
def resolve(self, next, root, info, **kwargs):
if helpers.is_level_easy():
return next(root, info, **kwargs)
fields_requested = []
array_qry = []
if isinstance(info.context.json, dict):
array_qry.append(info.context.json)
elif isinstance(info.context.json, list):
array_qry = info.context.json
for q in array_qry:
query = q.get('query', None)
mutation = q.get('mutation', None)
if query:
fields_requested += parser.get_fields_from_query(query)
elif mutation:
fields_requested += parser.get_fields_from_query(mutation)
if security.cost_exceeded(fields_requested):
raise werkzeug.exceptions.SecurityError('Cost of Query is too high.')
return next(root, info, **kwargs)
def allowed_cmds(cmd):
if helpers.is_level_easy():
return True
elif helpers.is_level_hard():
if cmd.startswith(('echo', 'ps' 'whoami', 'tail')):
return True
return False
def get_difficulty():
level = None
if helpers.is_level_easy():
level = 'easy'
else:
level = 'hard'
return dict(difficulty=level)
def resolve(self, next, root, info, **kwargs):
if helpers.is_level_easy():
return next(root, info, **kwargs)
if info.field_name.lower() in ['__schema', '__introspection']:
raise werkzeug.exceptions.SecurityError('Introspection is Disabled')
return next(root, info, **kwargs)
def resolve(self, next, root, info, **kwargs):
if helpers.is_level_easy():
cookie = request.cookies.get('env')
if cookie and helpers.decode_base64(cookie) == 'graphiql:enable':
return next(root, info, **kwargs)
else:
raise werkzeug.exceptions.SecurityError(
'GraphiQL Access Rejected')
raise werkzeug.exceptions.SecurityError('GraphiQL is disabled')
def resolve(self, next, root, info, **kwargs):
if helpers.is_level_easy():
return next(root, info, **kwargs)
opname = helpers.get_opname(info.operation)
if opname != 'No Operation' and not security.operation_name_allowed(
opname):
raise werkzeug.exceptions.SecurityError(
'Operation Name "{}" is not allowed.'.format(opname))
return next(root, info, **kwargs)
def resolve(self, next, root, info, **kwargs):
if helpers.is_level_easy():
return next(root, info, **kwargs)
array_qry = []
if info.context.json is not None:
if isinstance(info.context.json, dict):
array_qry.append(info.context.json)
for q in array_qry:
query = q.get('query', None)
if security.on_denylist(query):
raise werkzeug.exceptions.SecurityError('Query is on the Deny List.')
return next(root, info, **kwargs)
def strip_dangerous_characters(cmd):
if helpers.is_level_easy():
return cmd
elif helpers.is_level_hard():
return cmd.replace(';', '').replace('&', '')
return cmd
