
GraphQL Extension Disclosure

Description

GraphQL extensions are a powerful feature that can be used to add custom functionality to your GraphQL server. However, they can also expose sensitive information about your server configuration, such as the schema, resolvers, and other implementation details. This information can be used by attackers to craft more effective attacks against your server.

To prevent GraphQL extension disclosure, ensure that you do not expose sensitive information in your GraphQL extensions. If you need to use extensions for debugging or monitoring purposes, make sure to disable them in production environments.

Remediation

To prevent GraphQL extension disclosure, follow these best practices:

  • Limit the information exposed in your GraphQL extensions to only what is necessary for debugging or monitoring purposes.
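As an added example (not code from the original page or from any of the frameworks listed below), the following JavaScript audits a GraphQL JSON response for disclosure-prone `extensions` content and scrubs it the way a production response/error formatting hook should, keeping only an allow-listed error code. The key names treated as sensitive and the sample response are assumptions modelled on common server output (resolver tracing, exception stack traces).

```javascript
// Added example: audit and scrub the "extensions" data of a GraphQL response.
// Assumed sensitive keys, modelled on common server output (tracing, stack traces).
const SENSITIVE_EXTENSION_KEYS = new Set([
  "tracing", "exception", "stacktrace", "stackTrace", "debug", "queryPlan", "cacheControl",
]);
// Only what a client needs to handle an error: a stable error code.
const ALLOWED_ERROR_EXTENSION_KEYS = new Set(["code"]);

// Walk the top-level and per-error extensions, reporting each sensitive key
// with its path so an audit can point at exactly what would leak.
function auditExtensions(response) {
  const findings = [];
  const walk = (node, path) => {
    if (!node || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}/${key}`;
      if (SENSITIVE_EXTENSION_KEYS.has(key)) findings.push(here);
      walk(value, here);
    }
  };
  walk(response.extensions, "/extensions");
  (response.errors || []).forEach((err, i) => walk(err.extensions, `/errors/${i}/extensions`));
  return findings;
}

// Return a copy with top-level extensions dropped and each error's extensions
// reduced to the allow-list, so implementation details never reach the client.
function scrubResponse(response) {
  const { extensions, errors, ...rest } = response;
  const scrubbed = { ...rest };
  if (errors) {
    scrubbed.errors = errors.map(({ message, locations, path, extensions: ext }) => {
      const kept = {};
      for (const k of ALLOWED_ERROR_EXTENSION_KEYS) if (ext && k in ext) kept[k] = ext[k];
      return { message, locations, path, extensions: kept };
    });
  }
  return scrubbed;
}

// Constructed sample of a leaking response: resolver timings reveal field
// paths, and the error carries a server-side stack trace with file paths.
const LEAKY_RESPONSE = {
  data: { user: null },
  errors: [{
    message: "Cannot read properties of undefined (reading 'id')",
    path: ["user"],
    extensions: { code: "INTERNAL_SERVER_ERROR",
      exception: { stacktrace: ["TypeError: ...", "at Object.user (/srv/app/resolvers/user.js:12:9)"] } },
  }],
  extensions: { tracing: { version: 1, execution: { resolvers: [{ path: ["user"], duration: 31337 }] } } },
};
```

Running `auditExtensions(LEAKY_RESPONSE)` flags the tracing block and the stack trace; after `scrubResponse` the audit returns nothing and the client still receives the error code.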

GraphQL Specific

  • Apollo: For Apollo Server, disable introspection and the GraphQL Playground in production by setting 'introspection' and 'playground' to false in the server configuration. Additionally, consider using 'apollo-server-plugin-response-cache' to add caching and reduce the risk of information leakage through error messages or extensions.
  • Yoga: For the Yoga engine, ensure that GraphQL extensions are disabled in production to prevent sensitive information disclosure. Use environment variables to conditionally enable extensions only in development or staging environments.
  • AWS AppSync: Ensure that the 'aws_appsync_graphqlEndpoint' is not publicly exposed and that appropriate authentication mechanisms are in place. Disable unnecessary extensions and verbose error messages in production to prevent information leakage. Implement fine-grained access controls using AWS IAM and AppSync resolvers to limit access to sensitive data and operations.
  • GraphQLGo: To mitigate the risk of GraphQL extension disclosure in the GraphQLGo framework, configure the server to disable extensions in production. Use environment variables to conditionally enable extensions only in development or staging environments. Regularly audit your GraphQL extensions to ensure they do not leak sensitive information, and adhere to the principle of least privilege by granting extensions only the access rights they need.
  • GraphQLRuby: In the GraphQLRuby framework, disable introspection and extension information in production by setting `introspection` and `debug` to false within your GraphQL schema configuration. This prevents the exposure of sensitive schema details and ensures that extensions do not reveal implementation specifics that could be leveraged by attackers.
  • Hasura: For the Hasura GraphQL engine, ensure that introspection and the GraphQL Playground are disabled in production. Use environment variables to configure the engine, setting 'HASURA_GRAPHQL_ENABLE_INTROSPECTION' and 'HASURA_GRAPHQL_ENABLE_PLAYGROUND' to 'false'. Additionally, implement proper authentication and authorization mechanisms to restrict access to the GraphQL API.
  • Agoo: Ensure that sensitive information is not exposed through GraphQL extensions in the Agoo framework by disabling them in production environments and using them cautiously for debugging or monitoring purposes only.
  • Ariadne: Ensure that Ariadne's debug mode is disabled in production to prevent exposure of sensitive information.
  • Caliban: Ensure that Caliban framework extensions do not expose sensitive information by disabling them in production environments and using them only for development and debugging purposes.
  • Dgraph: Ensure that sensitive GraphQL extensions are disabled in production environments to prevent exposure of server configuration details.
  • Dianajl: Ensure that sensitive information is not exposed through GraphQL extensions, and disable them in production environments to prevent potential attacks.
  • Directus: Ensure that sensitive data and endpoints are properly secured and authenticated in the Directus framework to prevent unauthorized access.
  • Flutter: Ensure that debug mode is disabled in production builds to prevent the exposure of sensitive information and to optimize performance in Flutter applications.
  • Graphene: Ensure that Graphene extensions do not expose sensitive server details by disabling them in production environments and only enabling them for development or debugging purposes.
  • GraphQL API for WP: Ensure that the GraphQL API for WP engine does not expose sensitive information by disabling debugging and monitoring extensions in production environments.
  • GraphQLGopherGo: Ensure that the GraphQLGopherGo engine is configured to restrict access to sensitive schema and resolver information, and disable any debugging extensions in production environments to prevent information disclosure.
  • GraphQL Java: Disable introspection queries in production environments to prevent exposure of your GraphQL schema and implementation details.
  • graphql-php: Ensure that GraphQL extensions in the graphql-php framework do not expose sensitive information by disabling them in production environments and only enabling them for debugging or monitoring in development settings.
  • GraphQL Yoga: Disable introspection queries in production environments to prevent exposure of your GraphQL schema and implementation details when using the GraphQL Yoga framework.
  • HyperGraphQL: Ensure that the HyperGraphQL engine is configured to restrict access to sensitive schema details and disable any debugging extensions in production environments.
  • Jaal: Ensure that the Jaal engine is configured to restrict access to sensitive endpoints and data, and disable any debugging or verbose logging features in production environments to prevent information leakage.
  • Juniper: Ensure that sensitive configuration details are not exposed by the Juniper engine by properly securing access controls and disabling verbose error messages in production environments.
  • Lacinia: Ensure that Lacinia's introspection queries are disabled in production to prevent exposure of sensitive schema details.
  • Lighthouse: Ensure that sensitive data is not exposed through the Lighthouse framework by properly configuring access controls and disabling debug mode in production environments.
  • Mercurius: Ensure that Mercurius extensions do not expose sensitive information by disabling them in production environments and only enabling them for debugging or monitoring in development settings.
  • MorpheusGraphQL: Ensure that the MorpheusGraphQL engine is configured to restrict access to sensitive schema and resolver information, and disable any debugging or monitoring extensions in production environments to prevent information disclosure.
  • gqlgen: Ensure that sensitive information is not exposed through gqlgen extensions by disabling them in production environments and reviewing extension configurations for any potential leaks.
  • Sangria: Ensure that sensitive information is not exposed through Sangria framework extensions by disabling them in production environments and using them only for development or debugging purposes.
  • Shopify: Ensure that sensitive data is not exposed through GraphQL extensions by disabling them in production environments and only using them for debugging or monitoring in development settings.
  • StepZen: Ensure that GraphQL extensions in the StepZen framework do not expose sensitive information by disabling them in production environments and only using them for debugging or monitoring in development settings.
  • Strawberry: Ensure that the Strawberry framework's debug mode is disabled in production to prevent the exposure of sensitive information.
  • Tartiflette: Ensure that sensitive information is not exposed through GraphQL extensions in the Tartiflette framework by disabling them in production environments and using them cautiously for debugging or monitoring purposes.
  • wpgraphql: Ensure that wpgraphql is configured to restrict access to sensitive schema information and disable introspection queries in production environments to prevent unauthorized access.

Configuration

Identifier: configuration/graphql_extension_disclosure

Examples

Ignore this check

checks:
  configuration/graphql_extension_disclosure:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API8:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.13.1
  • nist: SP800-95
  • fedramp: AC-6

Classification

  • CWE: 16

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVSS_SCORE: 4.3