<?php
namespace Tests\E2E\Services\GraphQL;
use Tests\E2E\Client;
use Tests\E2E\Scopes\ProjectCustom;
use Tests\E2E\Scopes\Scope;
use Tests\E2E\Scopes\SideServer;
use Utopia\App;
use Utopia\Database\Permission;
use Utopia\Database\Role;
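/**
 * E2E tests for the GraphQL abuse protections: the per-request query
 * complexity limit and the per-batch query count limit.
 *
 * Both limits are read from the environment with the same defaults the
 * tests originally used, so the expectations follow the deployed
 * configuration rather than a number baked into the test.
 */
class AbuseTest extends Scope
{
    use ProjectCustom;
    use SideServer;
    use Base;

    /**
     * Skips the whole class when the server runs in development mode.
     *
     * NOTE(review): presumably the abuse limits are disabled or relaxed when
     * App::isDevelopment() is true, which is why the tests are skipped there.
     * That means these protections are only ever verified against a
     * non-development build — confirm CI runs at least one such
     * configuration, otherwise a regression that disables them goes unseen.
     */
    protected function setUp(): void
    {
        parent::setUp();

        if (App::isDevelopment()) {
            $this->markTestSkipped('Skipping abuse test in development environment');
        }
    }

    /**
     * A query whose complexity exceeds _APP_GRAPHQL_MAX_QUERY_COMPLEXITY must
     * come back with a GraphQL error instead of being executed.
     *
     * The expected complexity (57) is a property of the CREATE_DATABASE_STACK
     * fixture; any change to that query changes the number and therefore this
     * assertion.
     */
    public function testComplexQueryBlocked(): void
    {
        $projectId = $this->getProject()['$id'];

        // Cast explicitly: App::getEnv() hands back a string when the variable
        // is set and the int default otherwise.
        $max = (int) App::getEnv('_APP_GRAPHQL_MAX_QUERY_COMPLEXITY', 50);

        $payload = [
            'query' => $this->getQuery(self::$CREATE_DATABASE_STACK),
            'variables' => [
                'userId' => 'user',
                'email' => 'user@appwrite.io',
                'password' => 'password',
                'databaseId' => 'database',
                'databaseName' => 'database',
                'collectionId' => 'collection',
                'collectionName' => 'collection',
                'collectionPermissions' => [
                    Permission::read(Role::users()),
                    Permission::create(Role::users()),
                    Permission::update(Role::users()),
                    Permission::delete(Role::users()),
                ],
                'documentSecurity' => false,
            ],
        ];

        $response = $this->client->call(
            Client::METHOD_POST,
            '/graphql',
            \array_merge([
                'content-type' => 'application/json',
                'x-appwrite-project' => $projectId,
            ], $this->getHeaders()),
            $payload
        );

        // If the server executed the query instead of rejecting it there is no
        // 'errors' key; fail with a readable assertion rather than an
        // "undefined array key" warning from the index below.
        $this->assertArrayHasKey('errors', $response['body']);
        $this->assertNotEmpty($response['body']['errors']);
        $this->assertEquals(
            'Max query complexity should be ' . $max . ' but got 57.',
            $response['body']['errors'][0]['message']
        );

        // NOTE(review): this proves an error was reported, not that the
        // mutation was withheld. Asserting that no user/database/collection
        // was created would close that gap — TODO confirm the response shape
        // (e.g. a missing or null 'data' key) before adding such a check.
    }

    /**
     * A batch holding more than _APP_GRAPHQL_MAX_QUERIES operations must be
     * rejected as a whole with "Too many queries.".
     *
     * The batch is built exactly one query past the limit, the tightest
     * boundary that must still be rejected (the previous loop bound sent two
     * past it, which tested the limit less precisely).
     *
     * NOTE(review): every entry is the LIST_COUNTRIES query; its complexity is
     * not visible here. It is assumed to be well under the complexity limit so
     * the request is rejected on count alone — confirm if the fixture changes.
     */
    public function testTooManyQueriesBlocked(): void
    {
        $projectId = $this->getProject()['$id'];

        // Cast explicitly: App::getEnv() hands back a string when the variable
        // is set and the int default otherwise.
        $maxQueries = (int) App::getEnv('_APP_GRAPHQL_MAX_QUERIES', 50);

        $batch = \array_fill(0, $maxQueries + 1, [
            'query' => $this->getQuery(self::$LIST_COUNTRIES),
        ]);

        $response = $this->client->call(
            Client::METHOD_POST,
            '/graphql',
            \array_merge([
                'content-type' => 'application/json',
                'x-appwrite-project' => $projectId,
            ], $this->getHeaders()),
            $batch
        );

        // A rejected batch carries a top-level 'message' rather than per-query
        // GraphQL 'errors'; check the key first so a batch that was executed
        // fails with a clear assertion message.
        $this->assertArrayHasKey('message', $response['body']);
        $this->assertEquals('Too many queries.', $response['body']['message']);
    }
}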