Skip to content

Typing misconfiguration

Description

Look for typing misconfigurations by checking if a mutation parameter with the wrong parameter type succeeds.

Remediation

Do not resolve queries with a wrong argument type.

GraphQL Specific

Apollo Ensure that all configurations in the Apollo framework engine are correctly set according to the official Apollo documentation. Double-check environment variables, API endpoints, and other settings for accuracy. Use a version control system to track changes and facilitate rollback in case of misconfiguration. Additionally, consider implementing automated checks or a configuration management tool to validate settings before deployment.
Yoga Ensure that the Yoga framework engine configuration files are correctly set with the appropriate parameters, paying close attention to syntax and data types. Validate the configuration by using schema validation tools or built-in framework validators if available. Regularly review and test the configuration in a controlled environment before deploying to production.
Awsappsync To address typing misconfigurations in AWS AppSync, ensure that your schema definitions match the expected types in your resolvers. Validate the schema with AWS AppSync's built-in tools before deployment. Additionally, implement unit tests for your resolvers to catch typing issues early in the development process. Use AWS CloudFormation or the AWS CLI to automate and roll back deployments in case of configuration errors.
Graphqlgo Ensure proper validation and sanitization of user inputs to prevent injection attacks. Implement strict type checking and use parameterized queries or prepared statements to handle data passed to the GraphQL engine. Regularly review and update security configurations and dependencies to mitigate potential vulnerabilities.
Graphqlruby Ensure that the GraphQL Ruby framework is properly configured to use prepared statements or parameterized queries to prevent potential injection attacks. Regularly review and update the configuration settings to maintain security as the application evolves.
Hasura Ensure that the Hasura GraphQL engine configuration is set correctly by reviewing the environment variables and settings in the `config.yaml` file. Verify that the database connection strings, API ports, and other critical settings are accurate and secure. Additionally, use role-based access control to restrict permissions and apply policies that enforce strong security practices. Regularly update the Hasura engine to the latest version to benefit from security patches and improvements.

REST Specific

Asp_net Ensure strong typing in ASP.NET by using explicit data types and model binding. Validate all inputs against expected types and handle parsing errors gracefully to prevent type-related vulnerabilities.
Ruby_on_rails In Ruby on Rails, ensure strong parameter validation by using the built-in `require` and `permit` methods to whitelist allowed parameters. Additionally, employ Active Record validations to enforce data types and constraints at the model level.
Next_js Ensure proper validation of input types and implement strict type checking in API endpoints to prevent typing misconfigurations in the Next.js application.
Laravel In Laravel, ensure that you are using Eloquent ORM or the query builder's parameter binding to prevent typing misconfigurations and SQL injection vulnerabilities. Avoid using raw queries with user input. Always validate and sanitize input data.
Express_js Ensure proper validation of input types and implement middleware such as `express-validator` to check for data types and patterns before processing requests.
Django In Django, ensure that all query parameters are properly escaped by using the ORM's built-in querysets or by employing parameterized queries with `raw()` or `execute()` methods. Avoid string formatting or concatenation to prevent SQL injection vulnerabilities.
Symfony In Symfony, ensure that you use the built-in form component with proper data types and validation rules to prevent typing misconfigurations. Additionally, leverage the ParamConverter feature for type-hinting and automatic validation of request parameters.
Spring_boot Ensure strong typing in Spring Boot by using DTOs (Data Transfer Objects) with proper validation annotations, and leverage Spring's built-in type conversion to prevent type-related misconfigurations. Additionally, use @Valid on controller method parameters to enforce validation rules.
Flask Ensure proper type checking of user inputs and utilize Flask-WTF or similar extensions to validate form data. Implement custom validation logic if necessary to catch typing misconfigurations.
Nuxt Ensure proper validation of input types and implement strict type checking before passing data to components or API endpoints in Nuxt.js applications to prevent typing misconfigurations.
Fastapi In FastAPI, ensure that all endpoint parameters are explicitly typed and validated using Pydantic models or FastAPI's built-in validation. Use dependency injection to share common validation logic across endpoints.

Configuration

Identifier: schema/typing_misconfiguration

Options

  • skip_objects : List of object that are to be skipped by the security test.

Examples

Ignore this check

checks:
  schema/typing_misconfiguration:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023

  • pci: 6.5.1

  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 20

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/RL:O/RC:C

References