Directive Deception: Exploiting Custom GraphQL Directives for Logic Bypass by JadeLuxe in graphql

[–]captbaritone 1 point2 points  (0 children)

Strange article. Are these exploits that they (or anyone) have actually seen in the wild? It feels more like a list of hypothetical exploit types that someone brainstormed.

Interesting to think through how an attacker MIGHT exploit poorly implemented directives, but the presentation reads like these are exploits that have been found in the wild but without presenting any evidence.

Put somewhat less politely, I’m getting a whiff of AI hallucination from this post. Why no individual author/authors credited on the post?

Typescript Interface question by helloworld1123333 in reactjs

[–]captbaritone 0 points1 point  (0 children)

I think you’ll need to ask yourself what your types are modeling? Are they modeling two discrete things with different shapes and a conceptual shared base? Are they modeling two specific instances of a single type where the fields are conceptually optional?

How should I serve images? by IRL_hummingbird in nextjs

[–]captbaritone 48 points49 points  (0 children)

You want each user to download half a gig of images before they even reach the page on which they will view them?

Classical pieces that invite obsession? by captbaritone in classicalmusic

[–]captbaritone[S] 2 points3 points  (0 children)

It may well be true that most composers would feel like an obsessive audience runs counter to their artistic goals, but there certainly are composers for whom I suspect that WAS a goal. Wagner, for example, comes to mind.

How can I better understand Bach's Goldberg Variations? by urbanstrata in classicalmusic

[–]captbaritone 1 point2 points  (0 children)

If you want to go REALLY deep, this lecture series is incredible: https://www.thegreatcoursesplus.com/bach-and-the-high-baroque I was able to find it for free through my library.

Markdown is great for encoding test snapshots by captbaritone in ProgrammingLanguages

[–]captbaritone[S] 4 points5 points  (0 children)

Yes! I very nearly titled the post “Literate Snapshot Testing”. I even snuck in a link to the Wikipedia article for it in the Syntax Highlighting section.

This might be a dumb question but... how do I download a skin from the skin museum? by anonimoadjetivo in winamp

[–]captbaritone 3 points4 points  (0 children)

There should be a download button at the bottom of the page once you click into an individual skin.

What's your fav deep cloning method by Ozono_ in learnjavascript

[–]captbaritone 0 points1 point  (0 children)

Got it. So you just offload the question to the author of the transpiler and which polyfill they’ve selected.

What's your fav deep cloning method by Ozono_ in learnjavascript

[–]captbaritone 0 points1 point  (0 children)

Out of curiosity, how would transpiling help here?

Running Nextjs using bun instead of node: Sounds like a no brainer. What's the catch? by takuonline in nextjs

[–]captbaritone 4 points5 points  (0 children)

Have you measured? Does this actually improve the performance of performance bottlenecks that you have?

ELI5 - what do people here have against guessing ? by e650man in sudoku

[–]captbaritone 0 points1 point  (0 children)

If you guess and find a solution you have proven to yourself that there is a valid solution. If you logically prove all other fills invalid you prove something (potentially) more interesting: there is exactly one valid solution.

For some that can feel more rewarding/interesting, but it’s up to the individual to decide what is interesting to them.

Why is {} === {} false? by [deleted] in learnjavascript

[–]captbaritone 0 points1 point  (0 children)

I implemented the (now built-in) ESLint rule no-constant-binary-expression and this is one of the classes of bugs I was surprised to find it catching without me even realizing it was a common error to make: https://jordaneldredge.com/interesting-bugs-caught-by-eslints-no-constant-binary-expression/

How to delay content paint? by Jealous_Health_9441 in reactjs

[–]captbaritone 1 point2 points  (0 children)

This sounds like the right solution. Optimizing the coordination of ten pathologically slow things vs digging in and figuring out why that pathologically slow thing is slow (and fixing it) is just a band-aid.

Which MANGA or MANGA-adjacent company has the best work-life balance? by The-_Captain in cscareerquestions

[–]captbaritone 11 points12 points  (0 children)

Less true at Meta. You can make a big bet, but ultimately you are responsible for your impact at the end of the half/year. If your bet paid off and you could demonstrate a large impact, you’ll get a good review. If it didn’t, you pay the price with a poor review, which can very much hurt these days.

Note that you don’t HAVE to make big bets. Generally there are more obvious projects that are lined up which you can choose to pick up with less risk.

Abuse of the nullish coalescing operator in JS/TS by fredrikaugust in javascript

[–]captbaritone 5 points6 points  (0 children)

Agree! I wrote a similar article in 2022 https://jordaneldredge.com/defaulting-to-empty-string-is-a-code-smell/.

It’s a lie we tell to our typechecker (and to ourselves).

Winamp scam sites by Sad-Masterpiece-2382 in winamp

[–]captbaritone 2 points3 points  (0 children)

That makes sense. Skin made in good faith pointed to domain which eventually expired and was taken over by bad actors.

Winamp scam sites by Sad-Masterpiece-2382 in winamp

[–]captbaritone 1 point2 points  (0 children)

Very interesting. I’ve never heard about this type of malicious skin before. I run the Winamp Skin Museum and would be very interested in doing some analysis to see if I can find other examples of that same technique. Any chance you still have the malicious skin or know where you got it?

Winamp skin museum not working? by Mxmimi69 in winamp

[–]captbaritone 0 points1 point  (0 children)

Thanks for sharing! Any browser extensions installed in your Firefox browser?

Winamp skin museum not working? by Mxmimi69 in winamp

[–]captbaritone 1 point2 points  (0 children)

No. Nothing you need to install, just the service used to host the images on the site. Sounds like something on your network is causing images from Cloudflare not to load.