GraphQL API を悪意あるクエリから守る手法

Transcript

1. 
   ϖύϘɾ͸ͯͳٕज़େձ
   ZJHBSBTIJ (SBQI2-
   "1*
   Λ
   ѱҙ͋ΔΫΤϦ͔ΒकΔख๏

2. (SBQI2-

3. ಋೖ
   
   (SBQI2- "1*ͷͨΊͷΫΤϦݴޠͱΫΤϦʹԠͨ͡σʔλΛฦ͢ϥϯλΠϜ

4. ಋೖ
   
   (SBQI2- "1*ͷͨΊͷΫΤϦݴޠͱΫΤϦʹԠͨ͡σʔλΛฦ͢ϥϯλΠϜ ΫϥΠΞϯτ αʔόʔ
   ʢϥϯλΠϜʣ

5. ಋೖ
   
   (SBQI2- "1*ͷͨΊͷΫΤϦݴޠͱΫΤϦʹԠͨ͡σʔλΛฦ͢ϥϯλΠϜ ΫϥΠΞϯτ αʔόʔ
   ʢϥϯλΠϜʣ { me { name interests

   } } ΫΤϦ

6. ಋೖ
   
   (SBQI2- "1*ͷͨΊͷΫΤϦݴޠͱΫΤϦʹԠͨ͡σʔλΛฦ͢ϥϯλΠϜ ΫϥΠΞϯτ αʔόʔ
   ʢϥϯλΠϜʣ { me { name interests

   } } ΫΤϦ { "me": { "name": "yigarashi", "interests": [ "ϓϩδΣΫτϚωδϝϯτ", "GraphQL", "ϓϩάϥϛϯάݴޠཧ࿦", ] } } ฦΓ஋ʢ+40/ʣ

7. ಋೖ
   
   (SBQI2- "1*ͷͨΊͷΫΤϦݴޠͱΫΤϦʹԠͨ͡σʔλΛฦ͢ϥϯλΠϜ ΫϥΠΞϯτ αʔόʔ
   ʢϥϯλΠϜʣ { me { name interests

   } } ΫΤϦ { "me": { "name": "yigarashi", "interests": [ "ϓϩδΣΫτϚωδϝϯτ", "GraphQL", "ϓϩάϥϛϯάݴޠཧ࿦", ] } } ฦΓ஋ʢ+40/ʣ ΫΤϦͱಉ͡ܗͷ
   +40/͕ฦ͞ΕΔ

8. ಋೖ
   
   (SBQI2- ΋͏গ͠ෳࡶͳྫ ΫϥΠΞϯτ αʔόʔ
   ʢϥϯλΠϜʣ

9. ಋೖ
   
   (SBQI2- ΋͏গ͠ෳࡶͳྫ ΫϥΠΞϯτ αʔόʔ
   ʢϥϯλΠϜʣ { countries(first: 1) { name

   cities(first: 2) { name } } } ΫΤϦ

10. ಋೖ
    
    (SBQI2- ΋͏গ͠ෳࡶͳྫ ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 1) { name

    cities(first: 2) { name } } } ΫΤϦ Ҿ਺Λड͚औΔ͜ͱ͕Ͱ͖Δɻ
    pSTU
    ͸
    42-
    Ͱݴ͏
    MJNJU

11. ಋೖ
    
    (SBQI2- ΋͏গ͠ෳࡶͳྫ ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 1) { name

    cities(first: 2) { name } } } ΫΤϦ { "countries": [ { "name": "೔ຊ", "cities": [ { "name": "ژ౎ࢢ" }, { "name": "৽॓۠" }, ] }, ] } ฦΓ஋ʢ+40/ʣ Ҿ਺Λड͚औΔ͜ͱ͕Ͱ͖Δɻ
    pSTU
    ͸
    42-
    Ͱݴ͏
    MJNJU

12. ύϫϑϧ

13. ѱҙ͋Δਓ͕
    ࢖͏ͱʜʜ

14. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ

15. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 100) { name

    cities(first: 100) { name streets(first: 1000) { name } } } } ΫΤϦ

16. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 100) { name

    cities(first: 100) { name streets(first: 1000) { name } } } } ΫΤϦ

17. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 100) { name

    cities(first: 100) { name streets(first: 1000) { name } } } } ΫΤϦ ºº
    ສϊʔυ

18. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 100) { name

    cities(first: 100) { name streets(first: 1000) { name } } } } ΫΤϦ ºº
    ສϊʔυ

19. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ

20. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 100) { cities(first:

    100) { superComplexStatistics } } } ΫΤϦ

21. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 100) { cities(first:

    100) { superComplexStatistics } } } ΫΤϦ

22. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 100) { cities(first:

    100) { superComplexStatistics } } } ΫΤϦ ඇৗʹॏ͍ܭࢉΛ
    ճ

23. ѱҙ͋ΔΫΤϦ  ΫϥΠΞϯτ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 100) { cities(first:

    100) { superComplexStatistics } } } ΫΤϦ ඇৗʹॏ͍ܭࢉΛ
    ճ

24. ࠓ೔ͷςʔϚ (SBQI2-
    "1*
    Λѱҙ͋ΔΫΤϦʢʹҙਤతʹෛՙΛ͔͚ΔΫΤϦʣ͔ΒकΔ

25. ࠓ೔ͷςʔϚ (SBQI2-
    "1*
    Λѱҙ͋ΔΫΤϦʢʹҙਤతʹෛՙΛ͔͚ΔΫΤϦʣ͔ΒकΔ యܕతͳෛՙʢσʔλͷऔಘݩ͸3%#ͱԾఆ͢Δʣ
    σʔλྔ
    ܭࢉྔ
    جຊతͳΞΠσΟΞ
    ʮΫΤϦΛ੩తղੳͯ͠ෛՙͷ໰୊͕ͳ͍͜ͱΛ֬ೝ࣮ͯ͠ߦ͢Δʯ

26. ۩ମతͳख๏ ϗϫΠτϦετʹΑΔ੍ݶ
    DPNQMFYJUZ
    ʹΑΔ੍ݶ

27. ۩ମతͳख๏ ϗϫΠτϦετʹΑΔ੍ݶ
    DPNQMFYJUZ
    ʹΑΔ੍ݶ

28. ϗϫΠτϦετʹΑΔ੍ݶ αʔόʔ͕ड͚෇͚ΔΫΤϦΛϗϫΠτϦετͱ͓ͯ࣋ͬͯ͘͠ɻϦΫΤετ͞ ΕͨΫΤϦ͕ϗϫΠτϦετʹҰக͢Δ৔߹͚࣮ͩߦ͢Δ αʔόʔ
    ʢϥϯλΠϜʣ ΫϥΠΞϯτ

29. ϗϫΠτϦετʹΑΔ੍ݶ αʔόʔ͕ड͚෇͚ΔΫΤϦΛϗϫΠτϦετͱ͓ͯ࣋ͬͯ͘͠ɻϦΫΤετ͞ ΕͨΫΤϦ͕ϗϫΠτϦετʹҰக͢Δ৔߹͚࣮ͩߦ͢Δ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 10) { name

    } } ϗϫΠτϦετ ʜ ʜ ΫϥΠΞϯτ

30. ϗϫΠτϦετʹΑΔ੍ݶ αʔόʔ͕ड͚෇͚ΔΫΤϦΛϗϫΠτϦετͱ͓ͯ࣋ͬͯ͘͠ɻϦΫΤετ͞ ΕͨΫΤϦ͕ϗϫΠτϦετʹҰக͢Δ৔߹͚࣮ͩߦ͢Δ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 10) { name

    } } ϗϫΠτϦετ ʜ ʜ ΫϥΠΞϯτ { countries(first: 10) { name } }

31. ϗϫΠτϦετʹΑΔ੍ݶ αʔόʔ͕ड͚෇͚ΔΫΤϦΛϗϫΠτϦετͱ͓ͯ࣋ͬͯ͘͠ɻϦΫΤετ͞ ΕͨΫΤϦ͕ϗϫΠτϦετʹҰக͢Δ৔߹͚࣮ͩߦ͢Δ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 10) { name

    } } ϗϫΠτϦετ ʜ ʜ ΫϥΠΞϯτ { countries(first: 10) { name } }

32. ϗϫΠτϦετʹΑΔ੍ݶ αʔόʔ͕ड͚෇͚ΔΫΤϦΛϗϫΠτϦετͱ͓ͯ࣋ͬͯ͘͠ɻϦΫΤετ͞ ΕͨΫΤϦ͕ϗϫΠτϦετʹҰக͢Δ৔߹͚࣮ͩߦ͢Δ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 10) { name

    } } ϗϫΠτϦετ ʜ ʜ ΫϥΠΞϯτ

33. ϗϫΠτϦετʹΑΔ੍ݶ αʔόʔ͕ड͚෇͚ΔΫΤϦΛϗϫΠτϦετͱ͓ͯ࣋ͬͯ͘͠ɻϦΫΤετ͞ ΕͨΫΤϦ͕ϗϫΠτϦετʹҰக͢Δ৔߹͚࣮ͩߦ͢Δ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 10) { name

    } } ϗϫΠτϦετ ʜ ʜ ΫϥΠΞϯτ { countries(first: 10) { name population } }

34. ϗϫΠτϦετʹΑΔ੍ݶ αʔόʔ͕ड͚෇͚ΔΫΤϦΛϗϫΠτϦετͱ͓ͯ࣋ͬͯ͘͠ɻϦΫΤετ͞ ΕͨΫΤϦ͕ϗϫΠτϦετʹҰக͢Δ৔߹͚࣮ͩߦ͢Δ αʔόʔ
    ʢϥϯλΠϜʣ { countries(first: 10) { name

    } } ϗϫΠτϦετ ʜ ʜ ΫϥΠΞϯτ { countries(first: 10) { name population } }

35. ϗϫΠτϦετʹΑΔ੍ݶ ϝϦοτ
    ಋೖ͕༰қʢΫΤϦ͕จࣈྻͱͯ͠Ұக͢Δ͔֬ೝ͢Δ͚ͩͰྑ͍ʣ
    ޮՌ͕ߴ͍ʢຊ౰ʹ࢖͏ΫΤϦͷΈϗϫΠτϦετͱͯ͠ڐՄ͢ΔͨΊʣ
    σϝϦοτ
    ϗϫΠτϦετͷϝϯςφϯείετ
    ެ։"1*΍εςʔΫϗϧμʔͷҧ͏ΫϥΠΞϯτͰ͸࢖͍ͮΒ͍
    ૯ධ
    ؔ܎͢Δ։ൃऀɾΫϥΠΞϯτ͕গͳ͍৔߹ʹ͔ͳΓ༗ޮ

36. ۩ମతͳख๏ ϗϫΠτϦετʹΑΔ੍ݶ
    DPNQMFYJUZ
    ʹΑΔ੍ݶ

37. ۩ମతͳख๏ ϗϫΠτϦετʹΑΔ੍ݶ
    DPNQMFYJUZ
    ʹΑΔ੍ݶ

38. DPNQMFYJUZ
    ʹΑΔ੍ݶ ΫΤϦͷෛՙʹൺྫͯ͠େ͖͘ͳΔ਺஋ʢDPNQMFYJUZʣΛܭࢉ͢Δɻͦͷ਺ ஋͕ᮢ஋Λ௒͑ͨ৔߹͸࣮ߦ͠ͳ͍

39. DPNQMFYJUZ
    ʹΑΔ੍ݶ ΫΤϦͷෛՙʹൺྫͯ͠େ͖͘ͳΔ਺஋ʢDPNQMFYJUZʣΛܭࢉ͢Δɻͦͷ਺ ஋͕ᮢ஋Λ௒͑ͨ৔߹͸࣮ߦ͠ͳ͍ యܕతͳෛՙʹ͍ͭͯ
    DPNQMFYJUZ
    ͷྫΛݟ͍ͯ͘
    σʔλྔ
    ܭࢉྔ
    %#ΞΫηεճ਺
    ʢ஫ҙʣDPNQMFYJUZ
    ͷܭࢉํ๏͸ແ਺ʹߟ͑ΒΕΔɻࠓ೔ࣔ͢ͷ͸Ұྫ

40. ྫ
    ϊʔυ਺ʹൺྫ͢Δ
    DPNQMFYJUZ

41. ྫ
    ϊʔυ਺ʹൺྫ͢Δ
    DPNQMFYJUZ { countries(first: 50) { name cities(first: 100) { name

    } } }

42. ྫ
    ϊʔυ਺ʹൺྫ͢Δ
    DPNQMFYJUZ ϊʔυ਺
    
    
    DPVOUSJFT
    
    
    º
    
    DJUJFT
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    OPEFT { countries(first: 50) { name cities(first:

    100) { name } } }

43. ྫ
    ϊʔυ਺ʹൺྫ͢Δ
    DPNQMFYJUZ ϊʔυ਺
    
    
    DPVOUSJFT
    
    
    º
    
    DJUJFT
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    OPEFT ͜Ε͕ᮢ஋ҎԼͳΒ࣮ߦ͢Δ { countries(first: 50) { name

    cities(first: 100) { name } } }

44. ྫ
    ϊʔυ਺ʹൺྫ͢Δ
    DPNQMFYJUZ ϊʔυ਺
    
    
    DPVOUSJFT
    
    
    º
    
    DJUJFT
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    OPEFT ͜Ε͕ᮢ஋ҎԼͳΒ࣮ߦ͢Δ { countries(first: 50) { name

    cities(first: 100) { name } } } ࢀߟ
    (JU)VC
    (SBQI2-
    "1*
    W
    ͷ
    /PEF
    MJNJU
    ϊʔυ਺͸
     
    ·Ͱ
    ϦετͷऔಘͰ͸Ҿ਺ʹ
    pSTU
    ͔
    MBTU
    ͕ඞਢͰ
    
    Ҏ಺

45. ྫ
    ܭࢉίετʹൺྫ͢Δ
    DPNQMFYJUZ

46. ྫ
    ܭࢉίετʹൺྫ͢Δ
    DPNQMFYJUZ type City { name superComplexStatistics @cost(n: 10) }

47. ྫ
    ܭࢉίετʹൺྫ͢Δ
    DPNQMFYJUZ type City { name superComplexStatistics @cost(n: 10) } (SBQI2-
    ͷ
    EJSFDUJWF
    Λར༻ͯ͠ɺ
    

    ܕఆٛʢεΩʔϚʣͷଆͰॏ͍ܭࢉʹίετΛ͚ͭΔɻ
    αʔόʔ͸͜ͷ৘ใΛࢀরͯ͠
    DPNQMFYJUZ
    Λܭࢉ͢Δ

48. ྫ
    ܭࢉίετʹൺྫ͢Δ
    DPNQMFYJUZ type City { name superComplexStatistics @cost(n: 10) } (SBQI2-
    ͷ
    EJSFDUJWF
    Λར༻ͯ͠ɺ
    

    ܕఆٛʢεΩʔϚʣͷଆͰॏ͍ܭࢉʹίετΛ͚ͭΔɻ
    αʔόʔ͸͜ͷ৘ใΛࢀরͯ͠
    DPNQMFYJUZ
    Λܭࢉ͢Δ { countries(first: 100) { cities(first: 100) { superComplexStatistics } } } ΫΤϦ

49. ྫ
    ܭࢉίετʹൺྫ͢Δ
    DPNQMFYJUZ type City { name superComplexStatistics @cost(n: 10) } (SBQI2-
    ͷ
    EJSFDUJWF
    Λར༻ͯ͠ɺ
    

    ܕఆٛʢεΩʔϚʣͷଆͰॏ͍ܭࢉʹίετΛ͚ͭΔɻ
    αʔόʔ͸͜ͷ৘ใΛࢀরͯ͠
    DPNQMFYJUZ
    Λܭࢉ͢Δ { countries(first: 100) { cities(first: 100) { superComplexStatistics } } } ܭࢉίετ
    
    
    º
    
    DJUJFT
    º
    
    DPTU
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
      ΫΤϦ

50. ྫ
    ܭࢉίετʹൺྫ͢Δ
    DPNQMFYJUZ type City { name superComplexStatistics @cost(n: 10) } (SBQI2-
    ͷ
    EJSFDUJWF
    Λར༻ͯ͠ɺ
    

    ܕఆٛʢεΩʔϚʣͷଆͰॏ͍ܭࢉʹίετΛ͚ͭΔɻ
    αʔόʔ͸͜ͷ৘ใΛࢀরͯ͠
    DPNQMFYJUZ
    Λܭࢉ͢Δ { countries(first: 100) { cities(first: 100) { superComplexStatistics } } } ܭࢉίετ
    
    
    º
    
    DJUJFT
    º
    
    DPTU
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
      ΫΤϦ %#ΞΫηεճ਺΋શ͘ಉ͡ΞΠσΟΞͰ
    DPNQMFYJUZ
    ΛઃܭͰ͖Δɻ%#ΞΫ ηε͕ൃੜ͢ΔϑΟʔϧυʹ
    DPTU
    Λ͚ͭΕ͹ɺ%#ΞΫηεճ਺ʹൺྫͯ͠
    DPNQMFYJUZ
    ͕૿Ճ͢ΔΑ͏ʹͰ͖Δɻ

51. ࣮૷ (SBQI2-
    Ͱྑ͘࢖ΘΕΔݴޠͰ͸ϥΠϒϥϦ౳ͷαϙʔτ͕͋Δ
    +BWB4DSJQU
    HSBQIRMDPTUBOBMZTJT
    ͳͲ
    (P
    HRMHFO
    ͕αϙʔτ͍ͯ͠Δ
    αϙʔτͷͳ͍ݴޠͰͲ͏͢Δ͔
    ΫΤϦղੳ͚ͩϚΠΫϩαʔϏεͱͯ͠੾Γग़ͯ͠ผݴޠΛ࢖͏
    ࣗલͰ࣮૷͢Δ

52. ମݧஊ ͱ͋ΔαʔϏεͰϑϧεΫϥονͰΫΤϦղੳΛ࣮૷ʢ1FSM
    ͩͬͨͷͰʜʣ
    εςʔΫϗϧμʔͷҧ͏ΫϥΠΞϯτ͕༧૝͞ΕͨͷͰϗϫΠτϦετʹΑΔ ੍ݶ͸ݟૹͬͨ
    QBSTF
    ͱ
    FYFDVUF
    ͷؒʹ
    DPNQMFYJUZ
    ʹΑΔ੍ݶΛ࢓ࠐΜͩ
    ϕʔε͸ϊʔυ਺ʹΑΔ੍ݶ
    શ݅औಘ͢ΔϑΟʔϧυ΍%#ΞΫηε͕ൃੜ͢ΔϑΟʔϧυʹߴΊͷίε τΛ͚ͭΔ
    ᮢ஋͸௨ৗར༻Λ્֐͠ͳ͍େ͖Ίͷ஋ʹઃఆ
    ؀ڥม਺Ͱᮢ஋ΛઃఆͰ͖ΔΑ͏ʹͯ͠ૉૣ͘ରॲՄೳʹ

53. ݱঢ়ͷ՝୊ DPNQMFYJUZ
    ͷϕετϓϥΫςΟεཱ͕֬͞Ε͍ͯͳ͍
    ࠓճ͸ϊʔυ਺ɾܭࢉίετɾ%#ΞΫηεʹண໨ͯٞ͠࿦Λ͕ͨ͠ɺͦ΋ ͦ΋͜͜·Ͱ౿ΈࠐΜͰٞ࿦͍ͯ͠Δࢿྉ͕গͳ͍
    ޙΖʹ%#Ҏ֎͕͍ΔέʔεͳͲଞʹ΋࿦఺͸͋Γͦ͏
    ੈͷதͷϥΠϒϥϦ͸
    DPNQMFYJUZ
    ͕ͻͱͭͷέʔεΛް͘αϙʔτ͍ͯ͠Δ
    ϊʔυ਺ɾܭࢉίετͱ͍ͬͨෳ਺ͷई౓Λѻ͍ͮΒ͍
    ࢓ํͳ͘ͻͱͭͷ
    DPNQMFYJUZ
    ʹෳ਺ͷई౓Λԡ͠ࠐΉ͜ͱ΋
    +BWB4DSJQU
    ͷ
    HSBQIRMDPTUBOBMZTJT
    Ͱ͸࣮ݱՄೳͳ͜ͱΛ֬ೝ

54. ·ͱΊ (SBQI2-
    Ͱ͸ҙਤతʹෛՙΛ͔͚ΔΫΤϦΛ༰қʹهड़Ͱ͖Δ
    ͭͷ๷ӴखஈΛ঺հͨ͠
    ϗϫΠτϦετʹΑΔ੍ݶ
    DPNQMFYJUZ
    ʹΑΔ੍ݶ
    ׬ᘳͳ๷Ӵ͸ඞͣ͠΋ඞཁͳ͍
    ϦεΫͱରࡦͷશମ૾Λݟ౉͠ཁ݅ʹ͋ͬͨίεύͷྑ͍ํ਑ΛऔΔ ϒϩάهࣄ൛ʮ(SBQI2-
    "1*
    Λѱҙ͋ΔΫΤϦ͔ΒकΔख๏ʯ
    IUUQTZJHBSBTIJIBUFOBCMPHDPNFOUSZHSBQIRMRVFSZBOBMZTJT