fix(ui): bypass GraphQL for createTask, call Queue API directly (fixes #8171)#8260
fix(ui): bypass GraphQL for createTask, call Queue API directly (fixes #8171)#8260nitishagar wants to merge 1 commit intotaskcluster:mainfrom
Conversation
nitishagar
requested review from
lotas,
matt-boris and
petemoore
and removed request for
a team
nitishagar
force-pushed
the
fix/8171-graphql-payload-limit
branch
from
73443a3 to
6a3c10f
Compare
nitishagar
force-pushed
the
fix/8171-graphql-payload-limit
branch
2 times, most recently
from
699ee32 to
6246159
Compare
|
@lotas Updated based on the feedback. Please take a look when you get a chance. |
| cors(corsOptions), | ||
| credentials(), | ||
| bodyParserGraphql.graphql({ | ||
| limit: '1mb', |
There was a problem hiding this comment.
I think this might no longer be applied because we limit bodyParser at 10mb now
| const client = helper.getHttpClient({ suppressErrors: true }); | ||
| // Send a payload exceeding the 10mb body-parser limit. | ||
| // Uses got directly to avoid gql parsing overhead for large payloads. | ||
| const response = await got.post( |
There was a problem hiding this comment.
Do you know what was the issue with gql? and why we want to avoid this? If you keep original code and just change the value what is happening then?
There was a problem hiding this comment.
The got switch was to avoid gql parsing a >10MB string client-side, but that's only needed if we're testing the body parser limit directly. Since we're keeping the original 100k-repeat test (~300KB — well within gql's comfort zone), I've reverted back to using gql + helper client. No issues.
thanks, I have left two comments, I think we need to align limits and I'm not sure why you used |
| await client.query({ | ||
| query: gql` | ||
| query { | ||
| ${' a '.repeat(100000)} |
There was a problem hiding this comment.
Oh, I just realized that test was testing something completely different -
taskcluster/services/web-server/src/main.js
Line 158 in c6c55c5
max tokens is limited to 100000 here, so this test shouldn't be changed
| { | ||
| headers: { 'Content-Type': 'application/json' }, | ||
| body: JSON.stringify({ | ||
| query: `query { ${'a'.repeat(11 * 1024 * 1024)} }`, |
There was a problem hiding this comment.
Please note that original test contained spaces around ' a ' for a reason - that test was testing 'maxTokens'
nitishagar
force-pushed
the
fix/8171-graphql-payload-limit
branch
from
6246159 to
c81f421
Compare
|
Thank you for the review @lotas! I've addressed the feedback. |
|
Sorry for the delay, I would check this soon, need to make sure that we don't open up some other kind of problems with such increase of max size in graphql, since it was a source of frequent denial-of-service kind of attacks |
|
@nitishagar we have discussed this a bit and came to conclusion that we'd rather use API directly than change graphql body size limits: #8171 (comment) If you feel comfortable working on this, let me know, otherwise I'll close this PR. |
nitishagar
changed the title
nitishagar
force-pushed
the
fix/8171-graphql-payload-limit
branch
from
c81f421 to
a2ae12e
Compare
Task creation in the UI now calls the Queue REST API directly using @taskcluster/client-web instead of routing through the GraphQL web-server. This fixes 413 errors when creating tasks with payloads larger than 100KB (the default bodyParser.json limit), without requiring any server-side limit increases. Also fixes a latent bug where authorizedScopes passed via GraphQL options were silently dropped by the resolver; the Queue client now receives them correctly. Closes taskcluster#8171
nitishagar
force-pushed
the
fix/8171-graphql-payload-limit
branch
from
a2ae12e to
25c072b
Compare
| form, | ||
| action, | ||
| apolloClient, | ||
| user, |
There was a problem hiding this comment.
Please check
taskcluster/ui/src/views/Tasks/TaskGroup/index.jsx
Lines 629 to 635 in 25c072b
TaskGroup is still calling this without a user context
3 participants
Summary
createTaskcalls (loaner, retrigger, submitTaskAction, CreateTask page) now call the Queue REST API directly via@taskcluster/client-webinstead of routing through GraphQLbodyParser.jsonlimit) — up to the Queue API's 10MB limitauthorizedScopespassed via GraphQLoptionswere silently dropped by the resolver; the Queue client now receives them correctly viagetClient({ authorizedScopes: ... })createApp.jsvsmain)createTask.graphqlmutation fileApproach
Per architect review by @lotas in #8171: skipping the GraphQL layer for task creation avoids widening the Apollo attack surface (increased body limits have historically been a source of security issues in Apollo).
The UI already uses
@taskcluster/client-webfor other endpoints (e.g.WorkerManager.removeWorker). Task creation follows the samegetClient()pattern.Test plan
cd ui && yarn test— all 52 suites / 137 tests pass (including newsubmitTaskAction.test.js)cd ui && yarn lint— no errorscd services/web-server && yarn test—validation_test.jspasses with original 413 +PayloadTooLargeErrorassertionsGitHub Bug/Issue: Fixes #8171