[Improper parsing]: Hackerone #129

Open
abhinavsecond opened this issue Oct 12, 2023 · 6 comments
Labels: Bug (Something isn't working), Effort: 1 week (The implementation should require about one week), Performance (Things are unreasonably slow)

@abhinavsecond

InQL version

BApp Store

GraphQL API

https://hackerone.com/graphql

GraphQL specification version

No response

What isn't working?

I have waited more than 30+ min to show the results of HackerOne GraphQL schemas but it is not showing any result
Note:- You need to be authenticated to query GraphQL on HackerOne
image
It is stuck at this point

@abhinavsecond
Author

Well after 10 more mins the result finally appeared but blank
image

@execveat
Contributor

Thank you for the report! The Activity query alone takes 2 minutes to get parsed on my machine. I filed the issue with GQLSpection, will take a look at optimizations we could add here: doyensec/GQLSpection#32

The next InQL version contains syntax highlighting which causes some additional drop in performance, so we definitely need to address it.

@execveat added the Bug (Something isn't working) and Effort: 1 week (The implementation should require about one week) labels on Oct 12, 2023
@abhinavsecond
Author

Thanks for looking into it🙂
I also noticed that while using this, it's using a lot of resources in Burp Suite, up to 7.2 GB of RAM.
image
I was running it on my main computer, which has plenty of RAM, so it didn't crash Burp. If it was on a virtual machine (VM), I think it might have caused the VM to crash.
I believe you should investigate this further because even though it's a great tool, if it crashes a user's Burp Suite or VM, they won't be able to use it effectively.

Thanks
Abhinav

@execveat added the Performance (Things are unreasonably slow) label on Oct 20, 2023
@execveat
Contributor

So, this turned out to be way more complicated than I initially thought. I'm planning to address the performance issue by reducing recursion to an iterative loop and generating queries on demand (so, only when you click one, not ahead of time). Initially this was planned for a future release, but it looks like a release breaking issue now.

In case of H1 specifically, some queries right now are more than 1GB in size which explains the observed RAM usage. Obviously, this size makes them completely impractical to work with. So we could just add a sanity check that detects these huge queries and refuses to work with them, but obviously these problematic queries might very well be the most interesting ones, so in my view you should be able to work with them using Burp & InQL (on a beefy machine).

So, it's a complicated problem that will likely need to be addressed both from performance tuning perspective (everything's single core right now...) as well as from the UI/UX to intelligently disable heavyweight features such as syntax highlighting and inline comments for larger queries. Stay tuned.

@execveat
Contributor

I replaced the recursion with a loop and the parsing time for the whole h1 schema (on my machine) now is under 2 minutes. I will try to reduce this loading time further by generating queries on demand (upon the click) instead of ahead-of-time, as well as introducing parallelization.

You can try the new version, but it's not release ready yet. Clicking larger queries (like activity) completely freezes Burp, presumably due to expensive highlighting routine. I'll try to introduce auto-disabling highlighting for larger queries as a stop-gap measure, followed by performance optimization.
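
The two maintainer comments above describe replacing recursion with a loop, generating queries on demand, and a possible sanity check for huge queries. The following Python sketch is an added example, not code from InQL or GQLSpection: it sizes a fully expanded query with an explicit stack before any text is built, and only materializes it under a budget. The schema, the depth-limited expansion and the `MAX_QUERY_CHARS` budget are all constructed assumptions.

```python
# Added illustration, not InQL/GQLSpection code. Schema and limits are constructed.
SCHEMA = {  # type -> {field: object type it returns, or None for a scalar}
    "Query": {"activity": "Activity", "user": "User"},
    "Activity": {"id": None, "actor": "User", "report": "Report"},
    "User": {"id": None, "name": None, "reports": "Report"},
    "Report": {"id": None, "title": None, "reporter": "User", "activities": "Activity"},
}
MAX_QUERY_CHARS = 10_000  # assumed budget for what the UI may render

def expanded_size(schema, root, max_depth):
    """Length of the fully expanded selection set, without building it.
    Explicit stack + memo on (type, depth): cost is linear in types * depth."""
    memo, stack = {}, [(root, max_depth)]
    while stack:
        typ, depth = stack[-1]
        if (typ, depth) in memo:
            stack.pop()
            continue
        todo = [(t, depth - 1) for t in schema[typ].values()
                if t and depth > 0 and (t, depth - 1) not in memo]
        if todo:                      # size the children first
            stack.extend(todo)
            continue
        size = 0
        for name, t in schema[typ].items():
            if t is None:
                size += len(name) + 1                         # "name "
            elif depth > 0:
                size += len(name) + 5 + memo[(t, depth - 1)]  # "name { ... } "
        memo[(typ, depth)] = size
        stack.pop()
    return memo[(root, max_depth)]

def render(schema, typ, depth):
    """Materialize the query text; only called once the size is acceptable."""
    out = []
    for name, t in schema[typ].items():
        if t is None:
            out.append(name + " ")
        elif depth > 0:
            out.append(name + " { " + render(schema, t, depth - 1) + "} ")
    return "".join(out)

def query_on_demand(schema, root, max_depth, budget=MAX_QUERY_CHARS):
    """Return (text, size); text is None when the query exceeds the budget."""
    size = expanded_size(schema, root, max_depth)
    return (render(schema, root, max_depth) if size <= budget else None), size
```

With three mutually referencing types, the expanded text grows by roughly 1.6x per extra level of depth, so at depth 40 the size check reports more than 1 GB while doing only a few hundred table lookups.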

@marz-hunter

I also experienced this problem. Loading from introspection (JSON file) takes ±45 minutes, but when clicking to view, it can't be seen (I'm using the version from the BApp Store, 10 Oct 2023)

bartek-doyensec added a commit that referenced this issue Mar 17, 2025
* First Kotlin-rewritten version

* Removed references to Burp's legacy API

* Upgrade gradlew wrapper

* Bump upgraded features for compatibility with the future Gradle & Java

* Add pre-commit linters

* Fix style issues suggested by ktlint

* Add embedded GraphiQL #111

* Add GraphQL Playground and GraphQL Voyager

* Add "Send to" buttons in GraphiQL

* Refactoring build scripts to use Taskfile for parallelization

* Eject graphiql

* Eject Playground

* Eject Voyager

* Move web apps rebuilds from Gradle to Taskfile

* Enable output from the build process

* Fix a bug that reset File to null after first failure.

* Fix the argument parsing to support arguments with the whitespace

* Lower the watch interval by default

* Modify right click handlers to support configuration through InQL Settings

* Expose embedded web IDEs in the context menu

* Fixes #132

* Fixes #127

* Pull in updated GQLSpection for faster parsing (#129)

* A bunch of minor performance improvements #129

* Try introspection query from latest to earliest - Closes #134

* Optimized Taskfile

* Added node_modules to .gitignore

* Updated build.gradle

* Refactored embedded webserver, fixed CORS and Introspection cache

* Taskfile: add default task

* Implemented accurate embedded browser opening

* Implemented External Tool Webserver Lazy Loading

* Made some Chromium args dynamic based on current env

* Added missing item in context menu items list

* Improved GraphQL request detection

* Added "Save to file" action

* Fixed some warnings

* Made sendToEmbeddedToolActions a list

* Fixed getGraphQLQuery and reorganized classes in packages

* Implemented Proxy Request Highlighter

* Fixed some more minor warnings

* Injecting Profile's customheaders in requests from inql.burp

* Minor optimizations

* Fixed settings and added new features options

* Formatting is now async and cached to improve performance

* Targeting latest GQLSpection commit

* Updated GraphiQL yarn checksums

* Fixed yarn concurrency issues

* Improved params sent to external IDEs

* Added option to strip comments when sending query from Scanner Results

* Chromium: don't include args if dir not found

* Exclude Origin from Session to allow CORS fixing

* Polishing for the release

* Linked to latest GQLSpection commit

* Handle empty queries and mutations

* Removing Altair and Playground

* Updated GQLSpection to latest commit

* Fixing GraphiQL sending to repeater and intruder

* Polishing the UI

* Fixing active tab bottom border

* Adding support for darkmode

* Setting new tab title

* Upgraded dependencies

* Updated contributors

* Remove python3 linting stuff

* Fixing tab coloring bug

* Editable tabs style fixes

* Use GQLSpektion

* Rename "Attacker" tab to "Batch Queries"

* Integrated GraphQL native parsing

* Restore data from project file

* Fixed glitchy JTree UI

* Batch queries view improvements

* Add changeListener

* Fixing Batch UI

* Fixing Batch UI

* Adding POI

* Adding POI

* Adding POI

* Adding POI

* Adding Cycles Detection

* Tiny improvements

* Removing "not implemented yet" text from settings

* Comment

* Changing Scanner view sections %

* Fixing formatted editor scroll speed

* Adding information about object truncating

* Fixing exception when formatting queries

* Hardcoding jar name

* adding .kotlin

* Description and others before release to 6.0

---------

Co-authored-by: lokiuox <[email protected]>
Co-authored-by: Andrew Konstantinov <[email protected]>
Co-authored-by: Savio Sisco <[email protected]>
bartek-doyensec added a commit that referenced this issue Mar 17, 2025
* First Kotlin-rewritten version

* Removed references to Burp's legacy API

* Upgrade gradlew wrapper

* Bump upgraded features for compatibility with the future Gradle & Java

* Add pre-commit linters

* Fix style issues suggested by ktlint

* Add embedded GraphiQL #111

* Add GraphQL Playground and GraphQL Voyager

* Add "Send to" buttons in GraphiQL

* Refactoring build scripts to use Taskfile for parallelization

* Eject graphiql

* Eject Playground

* Eject Voyager

* Move web apps rebuilds from Gradle to Taskfile

* Enable output from the build process

* Fix a bug that reset File to null after first failure.

* Fix the argument parsing to support arguments with the whitespace

* Lower the watch interval by default

* Modify right click handlers to support configuration through InQL Settings

* Expose embedded web IDEs in the context menu

* Fixes #132

* Fixes #127

* Pull in updated GQLSpection for faster parsing (#129)

* A bunch of minor performance improvements #129

* Try introspection query from latest to earliest - Closes #134

* Optimized Taskfile

* Added node_modules to .gitignore

* Updated build.gradle

* Refactored embedded webserver, fixed CORS and Introspection cache

* Taskfile: add default task

* Implemented accurate embedded browser opening

* Implemented External Tool Webserver Lazy Loading

* Made some Chromium args dynamic based on current env

* Added missing item in context menu items list

* Improved GraphQL request detection

* Added "Save to file" action

* Fixed some warnings

* Made sendToEmbeddedToolActions a list

* Fixed getGraphQLQuery and reorganized classes in packages

* Implemented Proxy Request Highlighter

* Fixed some more minor warnings

* Injecting Profile's customheaders in requests from inql.burp

* Minor optimizations

* Fixed settings and added new features options

* Formatting is now async and cached to improve performance

* Targeting latest GQLSpection commit

* Updated GraphiQL yarn checksums

* Fixed yarn concurrency issues

* Improved params sent to external IDEs

* Added option to strip comments when sending query from Scanner Results

* Chromium: don't include args if dir not found

* Exclude Origin from Session to allow CORS fixing

* Polishing for the release

* Linked to latest GQLSpection commit

* Handle empty queries and mutations

* Removing Altair and Playground

* Updated GQLSpection to latest commit

* Fixing GraphiQL sending to repeater and intruder

* Polishing the UI

* Fixing active tab bottom border

* Adding support for darkmode

* Setting new tab title

* Upgraded dependencies

* Updated contributors

* Remove python3 linting stuff

* Fixing tab coloring bug

* Editable tabs style fixes

* Use GQLSpektion

* Rename "Attacker" tab to "Batch Queries"

* Integrated GraphQL native parsing

* Restore data from project file

* Fixed glitchy JTree UI

* Batch queries view improvements

* Add changeListener

* Fixing Batch UI

* Fixing Batch UI

* Adding POI

* Adding POI

* Adding POI

* Adding POI

* Adding Cycles Detection

* Tiny improvements

* Removing "not implemented yet" text from settings

* Comment

* Changing Scanner view sections %

* Fixing formatted editor scroll speed

* Adding information about object truncating

* Fixing exception when formatting queries

* Hardcoding jar name

* adding .kotlin

* Description and others before release to 6.0

* Replacing HTML with textPane attempt

* New GraphQL Editor WIP

* Bump Montoya API lib to access new features

* Fix wrong text color

* Fix font

* Fix context menu

* Fix close button

* Fix dark mode icons

* Fix directory icon not shown

* Fix context menu

* Fix style cache

* Fix scroll speed

---------

Co-authored-by: lokiuox <[email protected]>
Co-authored-by: Andrew Konstantinov <[email protected]>
Co-authored-by: Savio Sisco <[email protected]>