show a best practice where we omit limit so attackers cant abuse that surface

JoviDeCroock · JoviDeCroock · commit 7b461fc30955 · 2023-12-04T10:59:35.000+01:00
diff --git a/examples/next/app/client/page.tsx b/examples/next/app/client/page.tsx
@@ -23,8 +23,8 @@ export default function Page() {
 }
 
 const LaunchesQuery = graphql(`
-  query Launches_SSR($limit: Int, $offset: Int) {
-    launches(limit: $limit, offset: $offset) {
+  query Launches_SSR($offset: Int) {
+    launches(limit: 10, offset: $offset) {
       nodes {
         id
         ...LaunchFields
@@ -44,7 +44,7 @@ function Launches() {
 
   const [result] = useQuery({
     query: LaunchesQuery,
-    variables: { limit: 10, offset },
+    variables: { offset },
   })
 
   return (
diff --git a/examples/next/app/rsc/page.tsx b/examples/next/app/rsc/page.tsx
@@ -24,8 +24,8 @@ const { getClient } = registerClient(() =>
 )
 
 const LaunchesQuery = graphql(`
-  query Launches_RSC($limit: Int, $offset: Int) {
-    launches(limit: $limit, offset: $offset) {
+  query Launches_RSC($offset: Int) {
+    launches(limit: 10, offset: $offset) {
       nodes {
         id
         ...LaunchFields
diff --git a/examples/next/fuse/gql.ts b/examples/next/fuse/gql.ts
@@ -13,9 +13,9 @@ import { TypedDocumentNode as DocumentNode } from '@graphql-typed-document-node/
  * Therefore it is highly recommended to use the babel or swc plugin for production.
  */
 const documents = {
-  '\n  query Launches_SSR($limit: Int, $offset: Int) {\n    launches(limit: $limit, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n':
+  '\n  query Launches_SSR($offset: Int) {\n    launches(limit: 10, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n':
     types.Launches_SsrDocument,
-  '\n  query Launches_RSC($limit: Int, $offset: Int) {\n    launches(limit: $limit, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n':
+  '\n  query Launches_RSC($offset: Int) {\n    launches(limit: 10, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n':
     types.Launches_RscDocument,
   '\n  query LaunchDetails($id: ID!) {\n    node(id: $id) {\n      ... on Launch {\n        id\n        name\n        details\n        launchDate\n        image\n        site {\n          ...LaunchSiteFields\n        }\n        rocket {\n          cost\n          country\n          company\n          description\n        }\n      }\n    }\n  }\n':
     types.LaunchDetailsDocument,
@@ -27,7 +27,7 @@ const documents = {
     types.SiteLocationFieldsFragmentDoc,
   '\n  fragment TotalCountFields on QueryLaunchesList {\n    totalCount\n  }\n':
     types.TotalCountFieldsFragmentDoc,
-  '\n  query PageLaunches($limit: Int, $offset: Int) {\n    launches(limit: $limit, offset: $offset) {\n      nodes {\n        id\n        name\n      }\n      totalCount\n    }\n  }\n':
+  '\n  query PageLaunches($offset: Int) {\n    launches(limit: 10, offset: $offset) {\n      nodes {\n        id\n        name\n      }\n      totalCount\n    }\n  }\n':
     types.PageLaunchesDocument,
 }
 
@@ -49,14 +49,14 @@ export function graphql(source: string): unknown
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(
-  source: '\n  query Launches_SSR($limit: Int, $offset: Int) {\n    launches(limit: $limit, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n',
-): (typeof documents)['\n  query Launches_SSR($limit: Int, $offset: Int) {\n    launches(limit: $limit, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n']
+  source: '\n  query Launches_SSR($offset: Int) {\n    launches(limit: 10, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n',
+): (typeof documents)['\n  query Launches_SSR($offset: Int) {\n    launches(limit: 10, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n']
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(
-  source: '\n  query Launches_RSC($limit: Int, $offset: Int) {\n    launches(limit: $limit, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n',
-): (typeof documents)['\n  query Launches_RSC($limit: Int, $offset: Int) {\n    launches(limit: $limit, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n']
+  source: '\n  query Launches_RSC($offset: Int) {\n    launches(limit: 10, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n',
+): (typeof documents)['\n  query Launches_RSC($offset: Int) {\n    launches(limit: 10, offset: $offset) {\n      nodes {\n        id\n        ...LaunchFields\n      }\n      ...TotalCountFields\n    }\n  }\n']
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -91,8 +91,8 @@ export function graphql(
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(
-  source: '\n  query PageLaunches($limit: Int, $offset: Int) {\n    launches(limit: $limit, offset: $offset) {\n      nodes {\n        id\n        name\n      }\n      totalCount\n    }\n  }\n',
-): (typeof documents)['\n  query PageLaunches($limit: Int, $offset: Int) {\n    launches(limit: $limit, offset: $offset) {\n      nodes {\n        id\n        name\n      }\n      totalCount\n    }\n  }\n']
+  source: '\n  query PageLaunches($offset: Int) {\n    launches(limit: 10, offset: $offset) {\n      nodes {\n        id\n        name\n      }\n      totalCount\n    }\n  }\n',
+): (typeof documents)['\n  query PageLaunches($offset: Int) {\n    launches(limit: 10, offset: $offset) {\n      nodes {\n        id\n        name\n      }\n      totalCount\n    }\n  }\n']
 
 export function graphql(source: string) {
   return (documents as any)[source] ?? {}
diff --git a/examples/next/fuse/graphql.ts b/examples/next/fuse/graphql.ts
@@ -146,7 +146,6 @@ export type User = Node & {
 }
 
 export type Launches_SsrQueryVariables = Exact<{
-  limit?: InputMaybe<Scalars['Int']['input']>
   offset?: InputMaybe<Scalars['Int']['input']>
 }>
 
@@ -166,7 +165,6 @@ export type Launches_SsrQuery = {
 }
 
 export type Launches_RscQueryVariables = Exact<{
-  limit?: InputMaybe<Scalars['Int']['input']>
   offset?: InputMaybe<Scalars['Int']['input']>
 }>
 
@@ -255,7 +253,6 @@ export type TotalCountFieldsFragment = {
 } & { ' $fragmentName'?: 'TotalCountFieldsFragment' }
 
 export type PageLaunchesQueryVariables = Exact<{
-  limit?: InputMaybe<Scalars['Int']['input']>
   offset?: InputMaybe<Scalars['Int']['input']>
 }>
 
@@ -390,22 +387,14 @@ export const TotalCountFieldsFragmentDoc = {
   ],
 } as unknown as DocumentNode<TotalCountFieldsFragment, unknown>
 export const Launches_SsrDocument = {
-  __meta__: { hash: 'bb6e5ac452c5d08659b1855799a08ee2543a05ca' },
+  __meta__: { hash: '152c2558141de086b4bd6905725533e9f7949725' },
   kind: 'Document',
   definitions: [
     {
       kind: 'OperationDefinition',
       operation: 'query',
       name: { kind: 'Name', value: 'Launches_SSR' },
       variableDefinitions: [
-        {
-          kind: 'VariableDefinition',
-          variable: {
-            kind: 'Variable',
-            name: { kind: 'Name', value: 'limit' },
-          },
-          type: { kind: 'NamedType', name: { kind: 'Name', value: 'Int' } },
-        },
         {
           kind: 'VariableDefinition',
           variable: {
@@ -426,10 +415,7 @@ export const Launches_SsrDocument = {
               {
                 kind: 'Argument',
                 name: { kind: 'Name', value: 'limit' },
-                value: {
-                  kind: 'Variable',
-                  name: { kind: 'Name', value: 'limit' },
-                },
+                value: { kind: 'IntValue', value: '10' },
               },
               {
                 kind: 'Argument',
@@ -508,22 +494,14 @@ export const Launches_SsrDocument = {
   ],
 } as unknown as DocumentNode<Launches_SsrQuery, Launches_SsrQueryVariables>
 export const Launches_RscDocument = {
-  __meta__: { hash: '616ad65c55a2a69941aff21ec3c1d0964773771f' },
+  __meta__: { hash: '0192e96f2b35d87a9354448458e417c76a10df21' },
   kind: 'Document',
   definitions: [
     {
       kind: 'OperationDefinition',
       operation: 'query',
       name: { kind: 'Name', value: 'Launches_RSC' },
       variableDefinitions: [
-        {
-          kind: 'VariableDefinition',
-          variable: {
-            kind: 'Variable',
-            name: { kind: 'Name', value: 'limit' },
-          },
-          type: { kind: 'NamedType', name: { kind: 'Name', value: 'Int' } },
-        },
         {
           kind: 'VariableDefinition',
           variable: {
@@ -544,10 +522,7 @@ export const Launches_RscDocument = {
               {
                 kind: 'Argument',
                 name: { kind: 'Name', value: 'limit' },
-                value: {
-                  kind: 'Variable',
-                  name: { kind: 'Name', value: 'limit' },
-                },
+                value: { kind: 'IntValue', value: '10' },
               },
               {
                 kind: 'Argument',
@@ -796,22 +771,14 @@ export const LaunchDetailsDocument = {
   ],
 } as unknown as DocumentNode<LaunchDetailsQuery, LaunchDetailsQueryVariables>
 export const PageLaunchesDocument = {
-  __meta__: { hash: '351e381d4b9bbd1da05483d9f533cc48dfcd2777' },
+  __meta__: { hash: '05081df7e8571aaa7aa52b3a7abbc88857c55a6c' },
   kind: 'Document',
   definitions: [
     {
       kind: 'OperationDefinition',
       operation: 'query',
       name: { kind: 'Name', value: 'PageLaunches' },
       variableDefinitions: [
-        {
-          kind: 'VariableDefinition',
-          variable: {
-            kind: 'Variable',
-            name: { kind: 'Name', value: 'limit' },
-          },
-          type: { kind: 'NamedType', name: { kind: 'Name', value: 'Int' } },
-        },
         {
           kind: 'VariableDefinition',
           variable: {
@@ -832,10 +799,7 @@ export const PageLaunchesDocument = {
               {
                 kind: 'Argument',
                 name: { kind: 'Name', value: 'limit' },
-                value: {
-                  kind: 'Variable',
-                  name: { kind: 'Name', value: 'limit' },
-                },
+                value: { kind: 'IntValue', value: '10' },
               },
               {
                 kind: 'Argument',
diff --git a/examples/next/fuse/persisted-documents.json b/examples/next/fuse/persisted-documents.json
@@ -1,6 +1,6 @@
 {
-  "bb6e5ac452c5d08659b1855799a08ee2543a05ca": "fragment LaunchFields on Launch { __typename id image launchDate name } fragment TotalCountFields on QueryLaunchesList { __typename totalCount } query Launches_SSR($limit: Int, $offset: Int) { __typename launches(limit: $limit, offset: $offset) { __typename nodes { __typename id ...LaunchFields } ...TotalCountFields } }",
-  "616ad65c55a2a69941aff21ec3c1d0964773771f": "fragment LaunchFields on Launch { __typename id image launchDate name } fragment TotalCountFields on QueryLaunchesList { __typename totalCount } query Launches_RSC($limit: Int, $offset: Int) { __typename launches(limit: $limit, offset: $offset) { __typename nodes { __typename id ...LaunchFields } ...TotalCountFields } }",
+  "152c2558141de086b4bd6905725533e9f7949725": "fragment LaunchFields on Launch { __typename id image launchDate name } fragment TotalCountFields on QueryLaunchesList { __typename totalCount } query Launches_SSR($offset: Int) { __typename launches(limit: 10, offset: $offset) { __typename nodes { __typename id ...LaunchFields } ...TotalCountFields } }",
+  "0192e96f2b35d87a9354448458e417c76a10df21": "fragment LaunchFields on Launch { __typename id image launchDate name } fragment TotalCountFields on QueryLaunchesList { __typename totalCount } query Launches_RSC($offset: Int) { __typename launches(limit: 10, offset: $offset) { __typename nodes { __typename id ...LaunchFields } ...TotalCountFields } }",
   "06f997a01891cf62f3b0499580b0d70a0d9658ae": "fragment LaunchSiteFields on Site { __typename details id location { __typename ...SiteLocationFields } name status } fragment SiteLocationFields on Location { __typename latitude longitude name region } query LaunchDetails($id: ID!) { __typename node(id: $id) { __typename ... on Launch { __typename details id image launchDate name rocket { __typename company cost country description } site { __typename ...LaunchSiteFields } } } }",
-  "351e381d4b9bbd1da05483d9f533cc48dfcd2777": "query PageLaunches($limit: Int, $offset: Int) { __typename launches(limit: $limit, offset: $offset) { __typename nodes { __typename id name } totalCount } }"
+  "05081df7e8571aaa7aa52b3a7abbc88857c55a6c": "query PageLaunches($offset: Int) { __typename launches(limit: 10, offset: $offset) { __typename nodes { __typename id name } totalCount } }"
 }
diff --git a/examples/next/pages/test.tsx b/examples/next/pages/test.tsx
@@ -26,8 +26,8 @@ function Page() {
 }
 
 const LaunchesQuery = graphql(`
-  query PageLaunches($limit: Int, $offset: Int) {
-    launches(limit: $limit, offset: $offset) {
+  query PageLaunches($offset: Int) {
+    launches(limit: 10, offset: $offset) {
       nodes {
         id
         name
@@ -44,7 +44,7 @@ function Launches() {
 
   const [result] = useQuery({
     query: LaunchesQuery,
-    variables: { limit: 10, offset },
+    variables: { offset },
   })
 
   return (
@@ -69,7 +69,7 @@ export async function getServerSideProps() {
     exchanges: [cacheExchange, ssrCache, persistedExchange, fetchExchange],
   })
 
-  await client.query(LaunchesQuery, { limit: 10, offset: 0 }).toPromise()
+  await client.query(LaunchesQuery, { offset: 0 }).toPromise()
 
   const graphqlState = ssrCache.extractData()
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`		`- "bb6e5ac452c5d08659b1855799a08ee2543a05ca": "fragment LaunchFields on Launch { __typename id image launchDate name } fragment TotalCountFields on QueryLaunchesList { __typename totalCount } query Launches_SSR($limit: Int, $offset: Int) { __typename launches(limit: $limit, offset: $offset) { __typename nodes { __typename id ...LaunchFields } ...TotalCountFields } }",`
`3`		`- "616ad65c55a2a69941aff21ec3c1d0964773771f": "fragment LaunchFields on Launch { __typename id image launchDate name } fragment TotalCountFields on QueryLaunchesList { __typename totalCount } query Launches_RSC($limit: Int, $offset: Int) { __typename launches(limit: $limit, offset: $offset) { __typename nodes { __typename id ...LaunchFields } ...TotalCountFields } }",`
	`2`	`+ "152c2558141de086b4bd6905725533e9f7949725": "fragment LaunchFields on Launch { __typename id image launchDate name } fragment TotalCountFields on QueryLaunchesList { __typename totalCount } query Launches_SSR($offset: Int) { __typename launches(limit: 10, offset: $offset) { __typename nodes { __typename id ...LaunchFields } ...TotalCountFields } }",`
	`3`	`+ "0192e96f2b35d87a9354448458e417c76a10df21": "fragment LaunchFields on Launch { __typename id image launchDate name } fragment TotalCountFields on QueryLaunchesList { __typename totalCount } query Launches_RSC($offset: Int) { __typename launches(limit: 10, offset: $offset) { __typename nodes { __typename id ...LaunchFields } ...TotalCountFields } }",`
`4`	`4`	`"06f997a01891cf62f3b0499580b0d70a0d9658ae": "fragment LaunchSiteFields on Site { __typename details id location { __typename ...SiteLocationFields } name status } fragment SiteLocationFields on Location { __typename latitude longitude name region } query LaunchDetails($id: ID!) { __typename node(id: $id) { __typename ... on Launch { __typename details id image launchDate name rocket { __typename company cost country description } site { __typename ...LaunchSiteFields } } } }",`
`5`		`- "351e381d4b9bbd1da05483d9f533cc48dfcd2777": "query PageLaunches($limit: Int, $offset: Int) { __typename launches(limit: $limit, offset: $offset) { __typename nodes { __typename id name } totalCount } }"`
	`5`	`+ "05081df7e8571aaa7aa52b3a7abbc88857c55a6c": "query PageLaunches($offset: Int) { __typename launches(limit: 10, offset: $offset) { __typename nodes { __typename id name } totalCount } }"`
`6`	`6`	`}`