<?php
namespace Tests\E2E\Services\GraphQL\TablesDB;
use Tests\E2E\Client;
use Tests\E2E\Scopes\ProjectCustom;
use Tests\E2E\Scopes\Scope;
use Tests\E2E\Scopes\SideServer;
use Tests\E2E\Services\GraphQL\Base;
use Utopia\Database\Helpers\ID;
use Utopia\Database\Helpers\Permission;
use Utopia\Database\Helpers\Role;
use Utopia\System\System;
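/**
 * E2E checks for the abuse protections in front of the GraphQL endpoint:
 * per-route rate limiting, the query-complexity ceiling and the cap on the
 * number of operations accepted in one batched request.
 *
 * All three limits are server-side configuration; the tests read the same
 * environment variables the server does so that the expected values track
 * the deployment under test.
 */
class AbuseTest extends Scope
{
    use ProjectCustom;
    use SideServer;
    use Base;

    /**
     * Skips the whole class when the abuse layer is switched off, since none
     * of the assertions below can hold without it.
     */
    protected function setUp(): void
    {
        parent::setUp();

        if (System::getEnv('_APP_OPTIONS_ABUSE') === 'disabled') {
            $this->markTestSkipped('Abuse is not enabled.');
        }
    }

    /**
     * Sends anonymous row-creation requests until the rate limit kicks in and
     * verifies that exactly the first $max succeed and the rest are refused.
     *
     * The requests deliberately carry neither an API key nor a session, so
     * they are attributed to the caller's IP and counted by the abuse layer;
     * this is also why createTable() opens the table to Role::any().
     */
    public function testRateLimitEnforced()
    {
        $data = $this->createTable();
        $databaseId = $data['databaseId'];
        $tableId = $data['tableId'];
        $projectId = $this->getProject()['$id'];
        $query = $this->getQuery(self::CREATE_ROW);

        // Number of requests the server is expected to accept per window for
        // this route. NOTE(review): this mirrors the server-side limit for row
        // creation and must be kept in sync with it — confirm against the
        // route's abuse configuration if the test starts flaking.
        $max = 120;

        $anonymousHeaders = [
            'content-type' => 'application/json',
            'x-appwrite-project' => $projectId,
        ];

        // Two extra requests past the limit: one to cross it and one to show
        // the rejection is sustained rather than a single hiccup.
        for ($i = 0; $i <= $max + 1; $i++) {
            $gqlPayload = [
                'query' => $query,
                'variables' => [
                    'databaseId' => $databaseId,
                    'tableId' => $tableId,
                    'rowId' => ID::unique(),
                    'data' => [
                        'name' => 'John Doe',
                    ],
                ],
            ];

            $response = $this->client->call(Client::METHOD_POST, '/graphql', $anonymousHeaders, $gqlPayload);

            if ($i < $max) {
                $this->assertArrayNotHasKey(
                    'errors',
                    $response['body'],
                    "Request #{$i} was rejected before the limit of {$max} requests was reached"
                );
            } else {
                // Only the presence of an error is asserted here; a validation
                // or permission failure would also satisfy this branch, which
                // is why createTable() waits for the column to be available
                // before any row is written.
                $this->assertArrayHasKey(
                    'errors',
                    $response['body'],
                    "Request #{$i} was accepted although the limit of {$max} requests was already reached"
                );
            }
        }
    }

    /**
     * Submits a fixture query whose computed complexity (259) exceeds the
     * configured ceiling and verifies the server refuses it with the
     * expected message.
     *
     * The ceiling is read from _APP_GRAPHQL_MAX_QUERY_COMPLEXITY (default
     * 250) so the expected message matches the running server; the test is
     * only meaningful while that value stays below 259.
     */
    public function testComplexQueryBlocked()
    {
        $projectId = $this->getProject()['$id'];
        $query = $this->getQuery(self::COMPLEX_QUERY_TABLE);

        // Throwaway fixture values; the query is expected to be rejected on
        // complexity before any of them is acted on.
        $graphQLPayload = [
            'query' => $query,
            'variables' => [
                'userId' => 'user',
                'email' => 'user@appwrite.io',
                'password' => 'password',
                'databaseId' => 'database',
                'databaseName' => 'database',
                'tableId' => 'table',
                'tableName' => 'table',
                'tablePermissions' => [
                    Permission::read(Role::users()),
                    Permission::create(Role::users()),
                    Permission::update(Role::users()),
                    Permission::delete(Role::users()),
                ],
                'rowSecurity' => false,
            ],
        ];

        $response = $this->client->call(Client::METHOD_POST, '/graphql', \array_merge([
            'content-type' => 'application/json',
            'x-appwrite-project' => $projectId,
        ], $this->getHeaders()), $graphQLPayload);

        $max = System::getEnv('_APP_GRAPHQL_MAX_QUERY_COMPLEXITY', 250);

        // Check the error exists before dereferencing it, so a query that
        // unexpectedly passes the complexity check fails with a readable
        // assertion instead of an undefined-index notice.
        $this->assertArrayHasKey(
            'errors',
            $response['body'],
            'Query above the complexity limit was not rejected'
        );
        $this->assertEquals(
            'Max query complexity should be ' . $max . ' but got 259.',
            $response['body']['errors'][0]['message']
        );
    }

    /**
     * Sends a batch with more operations than _APP_GRAPHQL_MAX_QUERIES
     * (default 10) allows and verifies the whole batch is refused.
     */
    public function testTooManyQueriesBlocked()
    {
        $projectId = $this->getProject()['$id'];
        $maxQueries = (int) System::getEnv('_APP_GRAPHQL_MAX_QUERIES', 10);

        // Build $maxQueries + 2 operations so the batch is over the cap by a
        // clear margin.
        $batch = [];
        for ($i = 0; $i <= $maxQueries + 1; $i++) {
            $batch[] = ['query' => $this->getQuery(self::LIST_COUNTRIES)];
        }

        $response = $this->client->call(Client::METHOD_POST, '/graphql', \array_merge([
            'content-type' => 'application/json',
            'x-appwrite-project' => $projectId,
        ], $this->getHeaders()), $batch);

        // The batch is rejected as a whole, so the message sits at the top
        // level of the body rather than under a per-operation 'errors' entry.
        $this->assertArrayHasKey(
            'message',
            $response['body'],
            'Oversized batch was not rejected with a top-level message'
        );
        $this->assertEquals('Too many queries.', $response['body']['message']);
    }

    /**
     * Creates the database, table and string column used by the rate-limit
     * test, using the project API key, and waits until the column is
     * available so that later row writes do not fail for setup reasons.
     *
     * The table is intentionally opened to Role::any() for read and write with
     * row security disabled: the rate-limit test has to write rows without any
     * credentials. This is a test-only configuration and not a pattern to copy
     * into an application.
     *
     * @return array{databaseId: string, tableId: string}
     */
    private function createTable(): array
    {
        $projectId = $this->getProject()['$id'];

        // Setup goes through the server-side API key; these requests are not
        // the ones whose rate limiting is under test.
        $serverHeaders = [
            'content-type' => 'application/json',
            'x-appwrite-project' => $projectId,
            'x-appwrite-key' => $this->getProject()['apiKey'],
        ];

        $response = $this->client->call(Client::METHOD_POST, '/graphql', $serverHeaders, [
            'query' => $this->getQuery(self::CREATE_DATABASE),
            'variables' => [
                'databaseId' => 'actors',
                'name' => 'AbuseDatabase',
            ],
        ]);

        // Fail here with a clear message rather than on the ID lookup below.
        $this->assertArrayNotHasKey('errors', $response['body'], 'Failed to create the abuse test database');
        $databaseId = $response['body']['data']['databasesCreate']['_id'];

        $response = $this->client->call(Client::METHOD_POST, '/graphql', $serverHeaders, [
            'query' => $this->getQuery(self::CREATE_TABLE),
            'variables' => [
                'databaseId' => $databaseId,
                'tableId' => 'actors',
                'name' => 'Actors',
                'rowSecurity' => false,
                // Wide open on purpose: the rate-limit test writes rows anonymously.
                'permissions' => [
                    Permission::read(Role::any()),
                    Permission::write(Role::any()),
                ],
            ],
        ]);

        $this->assertArrayNotHasKey('errors', $response['body'], 'Failed to create the abuse test table');
        $tableId = $response['body']['data']['tablesDBCreateTable']['_id'];

        $response = $this->client->call(Client::METHOD_POST, '/graphql', $serverHeaders, [
            'query' => $this->getQuery(self::CREATE_STRING_COLUMN),
            'variables' => [
                'databaseId' => $databaseId,
                'tableId' => $tableId,
                'key' => 'name',
                'size' => 256,
                'required' => true,
            ],
        ]);

        $this->assertArrayNotHasKey('errors', $response['body'], 'Failed to create the "name" column');

        // Column creation is asynchronous; rows written before the column is
        // 'available' would be rejected and skew the rate-limit counts.
        $this->assertEventually(function () use ($databaseId, $tableId, $serverHeaders) {
            $response = $this->client->call(
                Client::METHOD_GET,
                '/tablesdb/' . $databaseId . '/tables/' . $tableId . '/columns/name',
                $serverHeaders
            );

            $this->assertEquals('available', $response['body']['status']);
        }, 30000, 250);

        return [
            'databaseId' => $databaseId,
            'tableId' => $tableId,
        ];
    }
}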