Trello: https://trello.com/c/VemGvOFs/118-as-a-developer-i-want-to-make-sure-that-all-user-provided-inputs-for-the-sync-server-such-as-schemas-request-mappings-and-respon
Investigation document: https://docs.google.com/document/d/1SPA6tqW78SLXwZLldOdG-Zw6PtBiVfdpIzn9mrg-Lyk/edit#
* Use prepared statements for queries/mutations
* Don't use Handlebars for queries/mutations, but use things like $1
* All data sources
{code}
req: "select * from foo where email = $1"
params: [ "{{context.arguments.reqEmail}}" ]
{code}
We're open to better ideas.
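As an added example (not code from this issue or the sync server), a resolver builder for templates of the shape above: the SQL text stays fixed with $n placeholders and only the entries of params are rendered, so client input reaches the driver as data. The Handlebars-like renderer and the driver stand-in are both assumptions constructed for illustration.

```javascript
// Added example, not code from this issue or the sync server. `renderTemplate`
// is a constructed stand-in for Handlebars (resolves dotted {{a.b.c}} paths);
// `fakeDb` stands in for a driver that takes (text, values) separately.

const PLACEHOLDER = /\{\{\s*([\w.]+)\s*\}\}/g;

// Minimal Handlebars-like rendering: replace {{path}} with the value at that
// path in ctx; unresolved paths render as an empty string, like Handlebars.
function renderTemplate(template, ctx) {
  return template.replace(PLACEHOLDER, (_, path) => {
    const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), ctx);
    return value == null ? '' : String(value);
  });
}

// Records what would be sent to the database driver.
function fakeDb(text, values) {
  return { text, values };
}

// Safe resolver: the SQL text is fixed when the resolver is built and only
// `params` are rendered, so client input travels as a bound value ($1) and
// cannot change the shape of the query.
function buildResolver(def) {
  if (/\{\{/.test(def.req)) {
    throw new Error('templates are not allowed in the query text; use $n and params');
  }
  return (context) => fakeDb(def.req, def.params.map((p) => renderTemplate(p, { context })));
}

// Legacy resolver: renders the whole query text, so a client value containing
// a single quote already breaks the query structure (an ordinary email here).
function buildLegacyResolver(def) {
  return (context) => fakeDb(renderTemplate(def.req, { context }), []);
}

// Constructed request context: a legitimate email with an apostrophe.
const sampleContext = { arguments: { reqEmail: "o'brien@example.com" } };

function compare() {
  const safe = buildResolver({
    req: 'select * from foo where email = $1',
    params: ['{{context.arguments.reqEmail}}'],
  });
  const legacy = buildLegacyResolver({
    req: "select * from foo where email = '{{context.arguments.reqEmail}}'",
  });
  return { safe: safe(sampleContext), legacy: legacy(sampleContext) };
}
```

Calling compare() shows the safe resolver keeping the query text unchanged with the email in values, while the legacy one produces a query whose quoting is already broken by the apostrophe.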
-- EDIT: Spike: Provide better solution for query/mutation templates and separate variables from queries/mutations
h4. Motivation

Currently users who are building resolvers for their schema have no default, documented way to protect themselves from the various security issues that come with using raw strings from clients. These issues could include:
- SQL injection,
- script injection, etc.
This spike will focus on allowing users to build their own resolvers with helpers. We will investigate the best way to build resolvers within that scope.
h4. Some suggestions
- Investigate how to add helpers to Handlebars-based templates, or replace that with a more feature-full solution that has predefined helpers to escape inputs. [1]
- Create abstract resolvers that can work as a semi-ORM system. [2]