This API only accepts GraphQL queries as inputs (via an HTTP GET request with a query parameter or a POST body). Its only outputs are JSON.
While GraphQL was designed to solve mobile data fetching for Facebook, it implements the patterns for secure input handling advocated by the Language-Theoretic Security (LangSec) community. This, along with composition, makes GraphQL an attractive choice for API development.
Principled use of GraphQL places the GraphQL parser between the system's business logic and the input, which has interesting security properties, as pointed out by Momot, Falcon, et al.:
A correctly written parser is essentially equivalent to an application firewall.
This isn't surprising for those familiar with LangSec and its techniques. LangSec is productised by security vendors, funded by DARPA to secure critical document formats, and used to secure security products.
Applications directly using LangSec patterns and insights seem like the logical next step, since that allows for low-cost, consistent security across all environments, ending the reliance on expensive, distant network devices for input filtering.
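To make the "parser as firewall" point concrete, here is an added example (not this project's code) of a hand-written recognizer for a small subset of the GraphQL selection-set grammar, followed by a complexity check driven by the MAX_COMPLEXITY value from the .env file; the grammar subset and the 10^depth cost model are assumptions chosen for illustration.

```javascript
// Added example, not the project's code: a recursive-descent recognizer for a
// small GraphQL selection-set subset plus a MAX_COMPLEXITY check. Anything
// outside the grammar is rejected before a resolver runs (parser as firewall).
// Grammar (assumed subset): Document := SelectionSet EOF; SelectionSet := '{' Field+ '}';
// Field := Name SelectionSet?; Name := [_A-Za-z][_0-9A-Za-z]*
const EOF = Symbol('EOF');
function tokenize(src) {
  const tokens = [];
  for (let i = 0; i < src.length; ) {
    if (/\s/.test(src[i])) { i++; continue; }
    if (src[i] === '{' || src[i] === '}') { tokens.push(src[i++]); continue; }
    const m = /^[_A-Za-z][_0-9A-Za-z]*/.exec(src.slice(i));
    if (!m) throw new SyntaxError(`unexpected character ${JSON.stringify(src[i])} at offset ${i}`);
    tokens.push(m[0]);
    i += m[0].length;
  }
  tokens.push(EOF);
  return tokens;
}
// Returns an array of { name, selections } nodes, or throws SyntaxError.
function parseDocument(src) {
  const toks = tokenize(src);
  let pos = 0;
  const expect = (t) => { if (toks[pos++] !== t) throw new SyntaxError(`expected ${String(t)}`); };
  function selectionSet() {
    expect('{');
    const fields = [];
    do {
      if (typeof toks[pos] !== 'string' || toks[pos] === '{' || toks[pos] === '}') throw new SyntaxError('expected a field name');
      const name = toks[pos++];
      fields.push({ name, selections: toks[pos] === '{' ? selectionSet() : [] });
    } while (toks[pos] !== '}');
    expect('}');
    return fields;
  }
  const doc = selectionSet();
  expect(EOF);
  return doc;
}
// Cost model (assumed): a field at nesting depth d costs 10^d, so deep nesting (which usually fans out over lists) gets expensive fast.
function complexity(fields, depth = 0) {
  return fields.reduce((sum, f) => sum + 10 ** depth + complexity(f.selections, depth + 1), 0);
}
function acceptQuery(src, maxComplexity = Number(process.env.MAX_COMPLEXITY) || 1000) {
  let document;
  try { document = parseDocument(src); } catch (e) { return { ok: false, reason: e.message }; }
  const cost = complexity(document);
  if (cost > maxComplexity) return { ok: false, reason: `complexity ${cost} exceeds ${maxComplexity}` };
  return { ok: true, complexity: cost, document };
}
```

The README's own test query `{bugs {id title}}` is accepted with cost 21, while malformed input (stray characters, unbalanced braces, empty selection sets) and queries nested deeply enough to exceed the limit are refused with a reason and never reach business logic.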
npm install
That's it!
The API expects a .env file in the root of the api folder, which can be populated with the following test values.
$ cat .env
DB_HOST=localhost
DB_PORT=5432
DB_USER=bugbounty
DB_PASS=test
DB_NAME=bugbounty
MAX_COMPLEXITY=1000
After that you can run it and verify it's serving test data with curl and jq.
$ # Run a database
$ docker run -d --network host -e POSTGRES_USER=bugbounty -e POSTGRES_PASSWORD=test postgres
$ npm start &
$ curl -s -H "Content-Type: application/json" -d '{"query":"{bugs {id title}}"}' localhost:3000 | jq .
{
  "data": {
    "bugs": [
      {
        "id": "1",
        "title": "Reflective XSS found on customer support page"
      }
    ]
  }
}
npm t
The most useful resource for reviewing this code is Google's nodesecroadmap.