Skip to content

fix: Prevent GraphQL query bypass and add service provider validation#898

Merged
neithanmo merged 3 commits intomainfrom
fix/TRST-H2
Jan 13, 2026
Merged

fix: Prevent GraphQL query bypass and add service provider validation#898
neithanmo merged 3 commits intomainfrom
fix/TRST-H2

Conversation

@neithanmo
Copy link
Copy Markdown
Collaborator

@neithanmo neithanmo commented Jan 13, 2026

This PR addresses security vulnerabilities in the status endpoint and adds service provider validation for TAP receipts.

Changes

Status endpoint hardening (status.rs)

  • Add query size limit (MAX_STATUS_QUERY_SIZE: 4096 bytes) to prevent DoS via oversized queries
  • Add selection depth limit (MAX_SELECTION_DEPTH: 10) to prevent deeply nested query attacks
  • Implement recursive field extraction to properly validate root fields through inline fragments and fragment spreads
  • Add circular fragment reference detection

@neithanmo
fix(service): add query size limit to /status endpoint
342644e 
Add a 4KB size limit check for status queries before parsing to prevent
memory exhaustion attacks from large malicious queries.

Part of TRST-H-2 security fix for GraphQL allowlist bypass.
@neithanmo
fix(service): prevent GraphQL allowlist bypass via fragment handling …
0b42cf1 
…[TRST-H-2]

The /status endpoint's field allowlist could be bypassed by hiding
forbidden fields inside inline fragments or named fragment spreads.

The validation only checked Selection::Field, ignoring InlineFragment
and FragmentSpread variants entirely.

Changes:
- Add recursive field extraction that traverses all selection types
- Implement circular fragment detection to prevent infinite loops
- Add depth limit (10) to prevent stack overflow from deep nesting
@coveralls
Copy link
Copy Markdown

coveralls commented Jan 13, 2026
edited
Loading

Pull Request Test Coverage Report for Build 20962336225

Details

  • 253 of 254 (99.61%) changed or added relevant lines in 1 file are covered.
  • 1 unchanged line in 1 file lost coverage.
  • Overall coverage increased (+0.5%) to 68.114%
Changes Missing Coverage Covered Lines Changed/Added Lines %
crates/service/src/routes/status.rs 253 254 99.61%
Files with Coverage Reduction New Missed Lines %
crates/service/src/routes/status.rs 1 98.77%
Totals Coverage Status
Change from base Build 20926929234: 0.5%
Covered Lines: 10168
Relevant Lines: 14928
💛 - Coveralls

suchapalaver
suchapalaver reviewed Jan 13, 2026
View reviewed changes
suchapalaver
suchapalaver previously approved these changes Jan 13, 2026
View reviewed changes
@neithanmo neithanmo enabled auto-merge (squash) January 13, 2026 15:27
@neithanmo neithanmo merged commit f18cde8 into main Jan 13, 2026
12 checks passed
@neithanmo neithanmo deleted the fix/TRST-H2 branch January 13, 2026 15:38
@github-actions github-actions bot mentioned this pull request Jan 13, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@suchapalaver suchapalaver suchapalaver approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@neithanmo @coveralls @suchapalaver