dgraph.md

Dgraph

Table of Contents

• About
• Security Considerations
• Request Validations
• Notable Vulnerabilities
• Security Disclosure

About

Language: go
Source:

• https://github.com/dgraph-io/dgraph
• https://github.com/dgraph-io/gqlparser

Documentation: https://dgraph.io/docs/

Security Considerations

Dgraph provides the following features which should be taken into consideration:

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	❌ No Support	⚠️ Disabled by Default	✅ Enabled by Default	❌ No Support	❌ No Support

Request Validations

Total Validation Count: 25

Dgraph is based on gqlparser which validates the following checks when a query is sent:

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
Lone Anonymous Operation	Single Field Subscriptions	Fields on Correct Type	Known Argument Names	Fragments on Composite Types	Known Type Names	Known Directives	No Undefined Variables
	Unique Operation Names	Overlapping Fields can be Merged	Provided Required Arguments	Known Fragment Names	Unique Input Field Names	Unique Directives per Location	No Unused Variables
		Scalar Leafs	Unique Argument Names	No Fragment Cycles	Values of Correct Type		Unique Variable Names
				No Unused Fragments			Variables are Input Types
				Possible Fragment Spreads			Variables in Allowed Position
				Unique Fragment Names

Security Disclosure

contact@dgraph.io