 

Why is it safe to write GraphQL queries client-side?

GraphQL was recently released, and it seems to encourage writing your queries client-side.

  1. What is it that makes it safe to write GraphQL queries client-side, but not SQL queries?
  2. Is GraphQL not subject to injections?
  3. If it's so useful to have your queries client-side, why not make a version of SQL not subject to injections?
tybro0103 asked Aug 30 '15 01:08

1 Answer

Since this wasn't answered by the users who answered it in the Slack channel, I'll post their answers.

  1. GraphQL queries are validated against a schema that was built explicitly to expose data to the client. SQL doesn't validate your query against anything other than the DB schema structure.
  2. In theory your GraphQL endpoint has some sort of security in place to validate the user is allowed to query the data at the starting point of their query. Once they are inside the graph-based schema, permissions are inherent to the GraphQL schema definition, and injection wouldn't accomplish anything.
  3. Making a version of SQL that isn't subject to injection would involve some of the same validations that GraphQL does. Some sort of validation that all requested data/mutations are allowed. As quoted in the chat, "Injection isn't a problem inherent to SQL".

Answers credited to charlie and samwgoldman from the GraphQL/#general Slack chat.

ahillman3 answered Oct 11 '22 17:10
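To make point 1 of the answer concrete, here is an added example (not from the question, the answer, or any GraphQL library) of the two things that separate a client-written GraphQL query from a client-written SQL string: the requested fields are checked against a schema that was built explicitly to expose data, and argument values reach the database only as bound parameters. The query shape and the `SCHEMA` dict are hypothetical stand-ins for a parsed GraphQL document and a real schema; the table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data. password_hash exists in the DB but must never reach a client.
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
    INSERT INTO users VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
""")

# The schema built explicitly to expose data (hypothetical): one root field, the
# arguments it accepts, and the only columns a client may select.
SCHEMA = {"user": {"args": {"id"}, "fields": {"id", "name"}}}


class QueryError(ValueError):
    """Raised when a client query asks for something the schema does not expose."""


def execute(query: dict) -> dict:
    """Validate a client-written query against SCHEMA, then resolve it.

    Hypothetical query shape, standing in for a parsed GraphQL document:
    {"user": {"args": {"id": 1}, "fields": ["id", "name"]}}
    """
    result = {}
    for root, sel in query.items():
        spec = SCHEMA.get(root)
        if spec is None:
            raise QueryError(f"unknown root field {root!r}")
        bad_args = set(sel.get("args", {})) - spec["args"]
        bad_fields = set(sel.get("fields", [])) - spec["fields"]
        if bad_args or bad_fields:
            # Unlike SQL, the DB schema is not the authority: the exposure schema is.
            raise QueryError(f"not in schema: {sorted(bad_args | bad_fields)}")
        result[root] = resolve_user(sel["args"]["id"], sel["fields"])
    return result


def resolve_user(user_id, fields):
    """Resolver for the 'user' root field."""
    # Column names come from the validated allowlist, so interpolating them is
    # safe; the client-supplied argument is bound as a parameter, never spliced in.
    cols = sorted(fields)
    row = _db.execute(f"SELECT {', '.join(cols)} FROM users WHERE id = ?",
                      (user_id,)).fetchone()
    return dict(zip(cols, row)) if row else None


def rejected(query: dict) -> bool:
    """True if the schema check refuses the query before any SQL runs."""
    try:
        execute(query)
        return False
    except QueryError:
        return True
```

Asking for `password_hash` is refused even though the column exists, and an id argument such as `"1 OR 1=1"` is compared as data and matches no row.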