Character limit

Description

Clients may craft a GraphQL query containing a huge number of characters.

This could lead to potential DoS attacks or information leakage.

Remediation

Reject requests containing more than a certain number of characters. For instance, 15000 characters is a reasonable threshold.

This naive approach will not stop attackers from crafting costly requests when short field names are available. Prefer the better, but harder to implement, "query complexity" method and set a complexity threshold instead.
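As an added example (not Escape's scanner code and not any framework's built-in limiter), the following framework-agnostic Python guard applies the character threshold described above, honouring the same "-1 = infinite" convention as the check's option, and pairs it with a brace-based nesting-depth estimate as the cheapest stand-in for the complexity analysis the text recommends. The `Verdict` type, the `max_depth` value and the sample queries are constructed for this illustration.

```python
"""Request-size guard for a GraphQL endpoint.

Added example for this page; it is not Escape's code and not any
framework's own limiter. It applies the page's character threshold
(-1 = no limit) and adds a cheap nesting-depth estimate as a stand-in
for full query complexity analysis.
"""
from dataclasses import dataclass

DEFAULT_THRESHOLD = 15000   # characters; the value the page suggests
DEFAULT_MAX_DEPTH = 10      # assumption for this example, tune per schema


@dataclass
class Verdict:
    accepted: bool
    reason: str
    length: int
    depth: int


def query_depth(query: str) -> int:
    # Deepest selection-set nesting, counting braces that sit outside
    # '#' comments, "..." strings (with backslash escapes) and """block strings""".
    # Escaped triple quotes inside block strings are not handled.
    depth = deepest = 0
    in_string = in_comment = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_comment:
            in_comment = ch != "\n"
        elif in_string:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == "#":
            in_comment = True
        elif query.startswith('"""', i):
            end = query.find('"""', i + 3)
            i = len(query) if end == -1 else end + 3
            continue
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return deepest


def check_query(query: str, threshold: int = DEFAULT_THRESHOLD,
                max_depth: int = DEFAULT_MAX_DEPTH) -> Verdict:
    # Run before the query is parsed: the length test is O(1) and the
    # depth scan is O(n), so an oversized request is rejected cheaply.
    length = len(query)
    if threshold != -1 and length > threshold:
        return Verdict(False, f"{length} characters exceeds limit of {threshold}", length, 0)
    depth = query_depth(query)
    if depth > max_depth:
        return Verdict(False, f"nesting depth {depth} exceeds limit of {max_depth}", length, depth)
    return Verdict(True, "ok", length, depth)


# Constructed sample input for the demonstration below.
SAMPLE_QUERY = "query Me { viewer { id name posts(first: 5) { title } } }"


def nested_query(levels: int) -> str:
    # A short query nested `levels` selection sets deep; it stays far below
    # the character threshold, which is why length alone is not enough.
    return "{ a " * levels + "}" * levels


if __name__ == "__main__":
    for label, q in [("normal", SAMPLE_QUERY),
                     ("oversized", "{ a }" + " " * 20000),
                     ("short but deep", nested_query(30))]:
        v = check_query(q)
        print(f"{label:15s} accepted={v.accepted} length={v.length} depth={v.depth} ({v.reason})")
```

Wire `check_query` in as middleware ahead of the GraphQL parser and log the `Verdict.reason` of every rejection; a steady stream of "short but deep" rejections from one client is the signal that the length threshold on its own would have let costly queries through. The depth scan is a heuristic, not a parser: a real complexity limiter should walk the parsed AST (most engines listed below expose a validation hook for that) rather than count braces.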

GraphQL Specific

  • Apollo: Ensure proper input validation and sanitization to prevent injection attacks when using the Apollo framework engine.
  • Yoga: To address issues within the Yoga framework engine, ensure that all components are updated to their latest versions, adhere to best practices in error handling, and maintain a consistent code review process to identify potential vulnerabilities or bugs early in the development cycle.
  • Awsappsync: Ensure that AWS AppSync resolvers are using VTL templates to sanitize and validate input data to prevent injection attacks. Implement authorization checks and configure service limits to mitigate denial-of-service attacks.
  • Graphqlgo: To mitigate potential security risks in the GraphQL Go framework engine, ensure that all user-supplied inputs are validated and sanitized. Implement proper error handling to avoid leaking sensitive information in error messages. Regularly update dependencies to their latest secure versions. Additionally, consider using a query complexity analysis tool to prevent resource exhaustion attacks.
  • Graphqlruby: Ensure proper input validation and sanitization to prevent injection attacks. Use GraphQL's built-in mechanisms to define and enforce the types and shapes of allowable queries. Additionally, consider implementing query complexity analysis to prevent overly complex queries from consuming excessive resources.
  • Hasura: To ensure the security and efficiency of your Hasura GraphQL engine, always use prepared statements or parameterized queries to prevent SQL injection attacks. Additionally, validate and sanitize all user inputs to maintain the integrity of your database operations.
  • Agoo: Implement a character limit on GraphQL queries to prevent excessively large requests that could lead to DoS attacks or information leakage in the Agoo framework.
  • Ariadne: Implement a maximum character limit for GraphQL queries in the Ariadne framework to prevent potential DoS attacks and information leakage.
  • Caliban: Implement a maximum character limit for GraphQL queries in the Caliban framework to prevent potential DoS attacks and information leakage.
  • Dgraph: Implement a character limit on GraphQL queries to prevent excessively large requests that could lead to DoS attacks or information leakage.
  • Dianajl: Implement a character limit on GraphQL queries to prevent excessive payloads and mitigate potential DoS attacks or information leakage in the dianajl framework engine.
  • Directus: Implement query complexity analysis and set character limits to prevent excessive query lengths in Directus.
  • Flutter: Implement query complexity analysis and set character limits for GraphQL queries to prevent potential DoS attacks and information leakage in Flutter applications.
  • Graphene: Implement query complexity analysis and depth limiting in the Graphene framework to prevent overly complex or deep queries that could lead to DoS attacks or information leakage.
  • Graphqlapiforwp: Implement a character limit on GraphQL queries to prevent excessively large requests that could lead to DoS attacks or information leakage.
  • Graphqlgophergo: Implement a character limit on GraphQL queries to prevent excessively large requests that could lead to DoS attacks or information leakage.
  • Graphqljava: Implement query complexity analysis and depth limiting in the GraphQL Java engine to prevent overly complex or deep queries that could lead to DoS attacks or information leakage.
  • Graphqlphp: Implement query complexity analysis and depth limiting to prevent overly complex or deep queries in the graphql-php framework.
  • Graphqlyoga: Implement query complexity analysis and depth limiting to prevent overly complex queries in GraphQL Yoga.
  • Hypergraphql: Implement a maximum character limit for GraphQL queries to prevent potential DoS attacks and information leakage.
  • Jaal: Implement a character limit on GraphQL queries to prevent excessively large requests that could lead to DoS attacks or information leakage.
  • Juniper: Implement a character limit on GraphQL queries to prevent excessive payloads and mitigate potential DoS attacks or information leakage.
  • Lacinia: Implement query depth and complexity analysis to limit the size and complexity of GraphQL queries in the Lacinia framework.
  • Lighthouse: Implement query depth and complexity limits to prevent excessive character usage in GraphQL queries.
  • Mercurius: Implement a character limit on GraphQL queries in the Mercurius framework to prevent potential DoS attacks and information leakage.
  • Morpheusgraphql: Implement a character limit on GraphQL queries in the MorpheusGraphQL framework to prevent potential DoS attacks and information leakage.
  • Gqlgen: Implement query depth and complexity analysis in gqlgen to limit the size and complexity of GraphQL queries, preventing potential DoS attacks and information leakage.
  • Sangria: Implement query complexity analysis and depth limiting in the Sangria framework to prevent overly complex or deep queries that could lead to DoS attacks or information leakage.
  • Shopify: Implement a character limit on GraphQL queries to prevent excessively large requests that could lead to DoS attacks or information leakage.
  • Stepzen: Implement query depth and complexity analysis to limit the size and complexity of GraphQL queries in the StepZen framework.
  • Strawberry: Implement a character limit on GraphQL queries in the Strawberry framework to prevent potential DoS attacks and information leakage.
  • Tartiflette: Implement a maximum character limit for GraphQL queries in the Tartiflette framework to prevent potential DoS attacks and information leakage.
  • Wpgraphql: Implement a maximum character limit for GraphQL queries to prevent potential DoS attacks and information leakage in the WPGraphQL framework.

Configuration

Identifier: resource_limitation/character_limit

Options

  • threshold : Maximum number of characters before raising an alert (-1 = infinite)

Examples

Ignore this check

checks:
  resource_limitation/character_limit:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API8:2023
  • OWASP LLM: LLM04:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 400

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:R
  • CVSS_SCORE: 4.9

References