Character limit

Description

Clients using GraphQL may craft a query with a huge amount of characters. This could lead to potential DoS attacks or information leakage.

Remediation

Reject requests containing more than a certain number of characters. For instance, 15000 characters is a reasonable threshold.

This naive approach will not stop an attacker from crafting costly requests that stay under the limit when short field names are available. Prefer the better, though harder to implement, "query complexity" method and set a complexity threshold instead.
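
The character gate described above, with a rough nesting-depth estimate that illustrates the caveat, as an added example (not Escape's code or any framework's API; the threshold default, the depth limit of 10 and the sample bodies are assumptions):

```javascript
// Added example, not Escape's code or any framework's API: a pre-parse
// character-limit gate for GraphQL requests plus a brace-nesting estimate
// that shows why the page prefers query complexity over a raw character count.
const DEFAULT_THRESHOLD = 15000; // value suggested on the page; -1 = no limit

// Gate on the raw request body before JSON.parse, so an oversized payload
// never reaches the JSON or GraphQL parser at all.
function checkCharacterLimit(rawBody, threshold = DEFAULT_THRESHOLD) {
  const length = rawBody.length;
  if (threshold !== -1 && length > threshold) {
    return { ok: false, length, reason: `body has ${length} chars, limit is ${threshold}` };
  }
  return { ok: true, length };
}

// Rough selection-set depth: counts braces while skipping string literals and
// comments. A heuristic, not a GraphQL parser; production code should use the
// server's own depth/complexity plugin instead.
function selectionDepth(query) {
  let depth = 0, max = 0, inString = false, inComment = false;
  for (let i = 0; i < query.length; i++) {
    const ch = query[i];
    if (inComment) { if (ch === '\n') inComment = false; continue; }
    if (inString) { if (ch === '\\') i++; else if (ch === '"') inString = false; continue; }
    if (ch === '#') inComment = true;
    else if (ch === '"') inString = true;
    else if (ch === '{') max = Math.max(max, ++depth);
    else if (ch === '}') depth--;
  }
  return max;
}

// Character gate first, then per-operation depth (batched bodies are arrays).
function inspectRequest(rawBody, { threshold = DEFAULT_THRESHOLD, maxDepth = 10 } = {}) {
  const gate = checkCharacterLimit(rawBody, threshold);
  if (!gate.ok) return gate;
  const ops = [].concat(JSON.parse(rawBody));
  const deepest = Math.max(0, ...ops.map((op) => selectionDepth(String(op.query || ''))));
  if (deepest > maxDepth) {
    return { ok: false, length: gate.length, depth: deepest, reason: `depth ${deepest} exceeds ${maxDepth}` };
  }
  return { ok: true, length: gate.length, depth: deepest };
}

// Constructed sample bodies, not real traffic: one over the character limit,
// one well under it that is still deeply nested.
const longBody = JSON.stringify({ query: `{ ${'user { id name }\n'.repeat(1200)} }` });
const shortDeepBody = JSON.stringify({ query: '{ me ' + '{ friends '.repeat(14) + '{ id }' + ' }'.repeat(15) });
```

The second body passes the character gate and is only caught by the depth estimate, which is the gap the text above warns about.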

GraphQL Specific

  • Apollo: Ensure proper input validation and sanitization to prevent injection attacks when using the Apollo framework engine.
  • Yoga: To address issues within the Yoga framework engine, ensure that all components are updated to their latest versions, adhere to best practices in error handling, and maintain a consistent code review process to identify potential vulnerabilities or bugs early in the development cycle.
  • Awsappsync: Ensure that AWS AppSync resolvers use VTL templates to sanitize and validate input data to prevent injection attacks. Implement authorization checks and configure service limits to mitigate denial-of-service attacks.
  • Graphqlgo: To mitigate potential security risks in the GraphQL Go framework engine, ensure that all user-supplied inputs are validated and sanitized. Implement proper error handling to avoid leaking sensitive information in error messages. Regularly update dependencies to their latest secure versions. Additionally, consider using a query complexity analysis tool to prevent resource exhaustion attacks.
  • Graphqlruby: Ensure proper input validation and sanitization to prevent injection attacks. Use GraphQL's built-in mechanisms to define and enforce the types and shapes of allowable queries. Additionally, consider implementing query complexity analysis to prevent overly complex queries from consuming excessive resources.
  • Hasura: To ensure the security and efficiency of your Hasura GraphQL engine, always use prepared statements or parameterized queries to prevent SQL injection attacks. Additionally, validate and sanitize all user inputs to maintain the integrity of your database operations.

Configuration

Identifier: resource_limitation/character_limit

Options

  • threshold : Maximum characters before raising an alert (-1 = infinite)

Examples

Ignore this check

checks:
  resource_limitation/character_limit:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API8:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 400

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:R
  • CVSS_SCORE: 4.9

References