Default GraphQL Query Executor configuration options
Learn how to address Denial of Service errors in GraphQL queries caused by default parser options in the latest GraphQL Java update.
Description
Environment
Adobe Experience Manager
Issue/Symptoms
The latest GraphQL-Java update introduces default parser options that can cause a “Denial of Service” InvalidSyntax error when complex GraphQL queries are executed. These validations were introduced in GraphQL-Java to prevent Denial of Service attacks.
For context, those limitations are defined in https://github.com/graphql-java/graphql-java/blob/v20.3/src/main/java/graphql/parser/ParserOptions.java#L35.
Resolution
You can fix the issue by passing custom parser options, as follows:
- This applies to very large GraphQL queries that return a “Denial of Service” InvalidSyntax error, starting with either:
  - AEM as a Cloud Service (limitation introduced with the internal reference SITES-13906 in release 2023.8; workaround introduced in release 2024.3), or
  - AEM 6.5.21 (limitation and workaround introduced with the internal reference SITES-17355).
- Overcome it by configuring the OSGi configuration Apache Sling Default GraphQL Query Executor and adjusting the values Max Query Tokens and Max Whitespace Tokens to the project's needs.
  This should be done as a last resort, and the values should be increased gradually until the project's needs are met.
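As an added example (not part of the original article), an OSGi configuration file that raises both limits moderately above the GraphQL-Java 20.3 defaults of 15,000 query tokens and 200,000 whitespace tokens. The PID org.apache.sling.graphql.core.engine.DefaultQueryExecutor and the property keys maxQueryTokens and maxWhitespaceTokens are assumed from the Sling GraphQL Core component; confirm them against the configuration's field names in the OSGi web console before deploying.

```json
{
  "maxQueryTokens": 30000,
  "maxWhitespaceTokens": 400000
}
```

On AEM as a Cloud Service this file would be placed as org.apache.sling.graphql.core.engine.DefaultQueryExecutor.cfg.json under the project's osgiconfig folder (the exact folder layout is project-specific); on AEM 6.5 the same values can be set in the web console. Because each increase widens the DoS exposure the defaults were added to close, raise only the value named in the error and re-test the failing query after each step.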