terra-money / hive-graph Goto Github PK

I tried in https://phoenix-hive.terra.dev/graphql
query {
tx {
byHeight(height:50000){
height
}
}
}
but I got Request failed with status code 501 (INTERNAL_SERVER_ERROR)

let me know about it.

Impact:

• DoS attack due to the amount of data that can be sent during a single API request
• Bypass attempt and rate limits

This vulnerability allows me to send 3000 queries during a single API request. An attacker can grab the introspection scheme and send higher load requests.

PoC:

Remediation steps:
Add a validation process to ensure the query doesn’t contain more aliases than the chosen maximum. You need to limit batch queries.

I found, that your library uses the apollographql server as a dependency. The apollographql server has a DataLoader utility that allows us to use batching and caching:
https://www.apollographql.com/docs/apollo-server/data/data-sources/#using-with-dataloader
I believe that this DataLoader utility, combined with caching and batching, solves the current security problem.

If they don't solve the problem, the following libraries can help you limit batch requests:

• https://github.com/ivandotv/graphql-no-alias
• https://github.com/slicknode/graphql-query-complexity
• https://github.com/graphql/dataloader

Info about this attack:

• https://lab.wallarm.com/graphql-batching-attack/
• https://blog.escape.tech/graphql-batch-attacks-cause-dos/

Hi! I'm wondering if there is a public Hive GraphQL endpoint for the bombay-12 testnet, the testnet counterpart for https://hive.terra.dev/graphql which is for the mainnet. Thanks!

Current pisco-1 testnet hive is using the old Terra wasm endpoint /terra/wasm/v1beta1/ causing wasm query to fail and return Not Implemented error. The non-classic chain should use the direct cosmwasm endpoint /cosmwasm/wasm/v1/.

This query on testnet hive will fail with such error.

{
  wasm {
    codeInfo(codeID: 12) {
      code_creator
    }
  }
}

{
  "errors": [
    {
      "message": "[Not Implemented] error",
      "locations": [
        {
          "line": 3,
          "column": 5
        }
      ],
      "path": [
        "wasm",
        "codeInfo"
      ],
      "extensions": {
        "code": "INTERNAL_SERVER_ERROR",
        "exception": {
          "status": 501,
          "name": "LCDClientError",
          "message": "[Not Implemented] error",
          "stacktrace": [
            "LCDClientError: [Not Implemented] error",
            "    at WasmService.codeInfo (/app/dist/wasm/wasm.service.js:36:19)",
            "    at runMicrotasks (<anonymous>)",
            "    at processTicksAndRejections (internal/process/task_queues.js:95:5)",
            "    at async target (/app/node_modules/@nestjs/core/helpers/external-context-creator.js:77:28)"
          ]
        }
      }
    }
  ],
  "data": null
}