
Resource Limitation: GraphQL Recursive Fragment

Identifier: graphql_recursive_fragment

Scanner(s) Support

- GraphQL Scanner
- REST Scanner
- WebApp Scanner

Description

This check covers queries crafted to spread a GraphQL fragment recursively. If the server does not reject such fragment cycles, resolving the query recurses without bound and overflows the process stack. Without that control, an attacker can send these queries repeatedly to exhaust the server, causing a denial of service in which it crashes or can no longer serve normal requests. Developers sometimes omit validation of recursion limits on queries, which leaves the application exposed; if exploited, this results in service disruption or downtime.
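As an added example (not part of this page or of the scanner), the following Python check builds the fragment-spread graph of a query document and reports any cycle, which is the condition this test looks for; the GraphQL specification's "fragment spreads must not form cycles" validation rule rejects the same documents, so a server built on a conforming implementation already enforces it. The regexes and the sample fragment documents are constructed for illustration and assume fragments are written in the usual `fragment Name on Type { ... }` form.

```python
import re
from typing import Dict, List, Optional

# "fragment Name on Type {" captures the fragment name; "...Name" captures a spread.
FRAGMENT_DEF = re.compile(r"\bfragment\s+(\w+)\s+on\s+\w+\s*\{")
SPREAD = re.compile(r"\.\.\.\s*(\w+)")

def _body(doc: str, open_brace: int) -> str:
    depth = 0
    for i in range(open_brace, len(doc)):
        if doc[i] == "{":
            depth += 1
        elif doc[i] == "}":
            depth -= 1
            if depth == 0:
                return doc[open_brace + 1:i]
    raise ValueError("unbalanced braces in query document")

def fragment_graph(doc: str) -> Dict[str, List[str]]:
    # Map each fragment to the fragments it spreads directly; "...on Type" is an
    # inline fragment, not a spread, so the token "on" is dropped.
    graph: Dict[str, List[str]] = {}
    for m in FRAGMENT_DEF.finditer(doc):
        body = _body(doc, m.end() - 1)
        graph[m.group(1)] = sorted({s for s in SPREAD.findall(body) if s != "on"})
    return graph

def find_fragment_cycle(doc: str) -> Optional[List[str]]:
    # DFS over the spread graph; returns the first cycle as [A, ..., A], else None.
    graph, done, path = fragment_graph(doc), set(), []

    def visit(name: str) -> Optional[List[str]]:
        path.append(name)
        for nxt in graph.get(name, []):
            if nxt in path:  # back edge: this spread is recursive
                return path[path.index(nxt):] + [nxt]
            if nxt in graph and nxt not in done:
                found = visit(nxt)
                if found:
                    return found
        done.add(path.pop())
        return None

    for name in graph:
        found = None if name in done else visit(name)
        if found:
            return found
    return None

# Constructed sample documents: one self-recursive fragment, one acyclic.
RECURSIVE_QUERY = "fragment UserFields on User { id friends { ...UserFields } }"
SAFE_QUERY = "fragment A on User { id ...B }\nfragment B on User { name }"
```

A document that `find_fragment_cycle` flags should be rejected before execution; a document it passes can still be deep, so a separate query-depth limit remains worthwhile.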

References:

Configuration

Example

Example configuration:

---
security_tests:
  graphql_recursive_fragment:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.