
Cyclic query

Description

GraphQL allows developers to nest queries and objects. Attackers can abuse this feature by calling a deeply nested query similar to a recursive function and causing a Denial of Service by exhausting CPU, memory, or other resources.

Remediation

Although some GraphQL applications legitimately need to resolve cyclic (self-referencing) queries, security measures should always be in place to control them:

  • Set query timeouts: restrict the time a query is allowed to run.
  • Set a maximum query depth: limit the tolerated depth of queries in order to prevent overly deep queries from abusing resources.
  • Set a maximum query complexity: limit the complexity of queries to mitigate the abuse of GraphQL resources.
  • Use server-time-based throttling: limit the amount of server time a user can consume.
  • Use query-complexity-based throttling: limit the total complexity of queries a user can consume.
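An added example, in Python, of the depth limit described above; it is not code from this page or from any of the engines listed below. It computes a document's selection-set depth before execution, following named and inline fragment spreads so depth cannot be hidden inside them, and rejects documents over a configurable limit. The depth convention (root selection set counts as 1, each nested selection set adds 1) and the helper names are this example's own.

```python
import re

# Added example (not from the page): root selection set is depth 1, nested sets add 1.
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_FRAG_DEF = re.compile(r'\bfragment\s+(\w+)\s+on\s+\w+[^{]*\{')
_TOKEN = re.compile(r'\{|\}|\.\.\.\s*(?:on\b|(\w+))?')  # braces and fragment spreads

def _strip(query):
    # Drop strings, comments and argument lists so braces in input objects don't count.
    query = re.sub(r'#[^\n]*', '', _STRING.sub('""', query))
    return re.sub(r'\([^)]*\)', '', query)

def _split(text):
    # Pull named fragment bodies (without their outer braces) out of the document.
    frags = {}
    for m in reversed(list(_FRAG_DEF.finditer(text))):
        level, i = 1, m.end()
        while level:  # advance to the brace matching the fragment's '{'
            level += (text[i] == '{') - (text[i] == '}')
            i += 1
        frags[m.group(1)] = text[m.end():i - 1]
        text = text[:m.start()] + text[i:]
    return text, frags

def _max_depth(sel, frags, seen=frozenset()):
    best, cur, stack, inline = 0, 0, [], False  # stack: did each '{' count as a level?
    for m in _TOKEN.finditer(sel):
        tok, name = m.group(0), m.group(1)
        if tok == '{':
            stack.append(not inline)  # `... on T { }` adds no level of its own
            inline, cur = False, cur + stack[-1]
            best = max(best, cur)
        elif tok == '}':
            cur -= stack.pop()
        elif name is None:
            inline = True
        elif name in seen or name not in frags:
            raise ValueError('cyclic or unknown fragment ' + name)
        else:  # named spread: the fragment's fields sit at the current level
            best = max(best, cur + _max_depth(frags[name], frags, seen | {name}))
    return best

def query_depth(query):
    return _max_depth(*_split(_strip(query)))

def is_allowed(query, max_depth=5):
    try:  # reject over-deep or fragment-cyclic documents before the engine runs them
        return query_depth(query) <= max_depth
    except (ValueError, IndexError):  # stray '}' or unterminated fragment also rejects
        return False
```

Run this check before parsing and execution; the engine's own parser and validator still reject syntactically invalid documents afterwards.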

GraphQL Specific

Apollo To mitigate potential risks associated with the Apollo framework engine, ensure that all data inputs are properly sanitized and validated. Utilize built-in security features and follow best practices for authentication and authorization. Regularly update the Apollo libraries to their latest versions to benefit from security patches and improvements. Additionally, consider implementing security tools and services that can provide extra layers of protection for your application.
Yoga To address vulnerabilities within the Yoga framework engine, it is recommended to regularly update the framework to the latest version, as updates often include security patches for known issues. Additionally, ensure that all data inputs are properly sanitized to prevent injection attacks, and implement strong access controls to restrict unauthorized access to sensitive components. Regular security audits and code reviews can also help identify and remediate potential security weaknesses in the application.
Awsappsync To ensure the security and performance of your AWS AppSync GraphQL APIs, it is recommended to use parameterized queries to prevent injection attacks and to optimize query execution. Avoid using inline arguments within the queries. Instead, define variables outside of your query and pass them as separate parameters. This approach allows AWS AppSync to prepare the execution plan once and execute it multiple times with different variables, reducing the risk of injection attacks and improving performance.
Graphqlgo To mitigate potential security risks in a GraphQL Go framework engine, it is recommended to use parameterized queries to prevent injection attacks. Additionally, implement proper validation and sanitization of user inputs, enforce strict type checking, and use query depth limiting to avoid denial-of-service attacks caused by overly complex queries. Regularly update dependencies to incorporate security patches.
Graphqlruby In the GraphQL Ruby framework, ensure that all queries are properly sanitized and parameterized to prevent injection attacks. Use the built-in mechanisms for argument handling and avoid interpolating variables directly into query strings. Always validate and sanitize input from users, and consider using the graphql-ruby's authorization features to control access to sensitive data. Regularly update the framework and dependencies to incorporate security fixes.
Hasura To mitigate the risk of SQL injection and ensure the security of your Hasura GraphQL engine, it is crucial to avoid using raw SQL queries with user-provided input. Instead, utilize Hasura's built-in parameterized queries feature. This allows you to define variables in your GraphQL queries, which Hasura will safely interpolate, preventing malicious actors from injecting arbitrary SQL code. Always validate and sanitize user inputs on the server side, even when using GraphQL variables, to further enhance the security of your application.
Agoo Limit the depth of nested queries in the Agoo framework to prevent resource exhaustion and potential Denial of Service attacks.
Ariadne Implement query depth limiting in Ariadne to prevent excessive nesting and resource exhaustion.
Caliban Limit the depth of GraphQL queries in the Caliban framework to prevent resource exhaustion and potential Denial of Service attacks.
Dgraph Limit the depth of nested queries in Dgraph to prevent resource exhaustion and potential Denial of Service attacks.
Dianajl Implement query depth limiting in the Dianajl framework engine to prevent excessive nesting and protect against Denial of Service attacks.
Directus Implement query depth limiting in Directus to prevent deeply nested queries that can lead to resource exhaustion and Denial of Service attacks.
Flutter Implement query depth limiting to prevent excessive nesting in GraphQL queries, thereby protecting against resource exhaustion and potential Denial of Service attacks.
Graphene Implement query depth limiting in the Graphene framework to prevent excessive nesting and protect against resource exhaustion.
Graphqlapiforwp Implement query depth limiting to prevent deeply nested queries that can lead to resource exhaustion.
Graphqlgophergo Implement query depth limiting to prevent deeply nested queries that can lead to resource exhaustion.
Graphqljava Implement query depth limiting and complexity analysis to prevent deeply nested queries in the GraphQL Java framework, thereby mitigating the risk of Denial of Service attacks.
Graphqlphp Implement query depth limiting to prevent deeply nested queries that can lead to resource exhaustion.
Graphqlyoga Implement query depth limiting to prevent deeply nested queries that can lead to resource exhaustion.
Hypergraphql Implement query depth limiting to prevent excessive nesting in GraphQL queries, thereby mitigating the risk of resource exhaustion and Denial of Service attacks.
Jaal Implement query depth limiting to prevent deeply nested queries in the Jaal framework engine, thereby mitigating the risk of resource exhaustion and Denial of Service attacks.
Juniper Implement query depth limiting in the Juniper framework to prevent deeply nested queries that can lead to resource exhaustion.
Lacinia Implement query depth limiting in Lacinia to prevent excessive nesting and resource exhaustion.
Lighthouse Implement query depth limiting to prevent deeply nested queries in GraphQL, thereby mitigating the risk of Denial of Service attacks.
Mercurius Implement query depth limiting in Mercurius to prevent deeply nested queries that can lead to resource exhaustion.
Morpheusgraphql Implement query depth limiting to prevent deeply nested queries that can lead to resource exhaustion in the MorpheusGraphQL framework.
Gqlgen Implement query depth limiting in gqlgen to prevent excessive nesting and resource exhaustion.
Sangria Implement query depth limiting in Sangria to prevent excessive nesting and resource exhaustion.
Shopify Implement query depth limiting in the Shopify framework to prevent deeply nested queries that can lead to resource exhaustion and Denial of Service.
Stepzen Implement query depth limiting in the StepZen framework to prevent excessively nested queries, thereby mitigating the risk of resource exhaustion and Denial of Service attacks.
Strawberry Implement query depth limiting in the Strawberry framework to prevent excessive nesting and resource exhaustion.
Tartiflette Implement query depth limiting in Tartiflette to prevent excessive nesting and resource exhaustion.
Wpgraphql Limit query depth and complexity in wpgraphql to prevent resource exhaustion by setting maximum query depth and using query cost analysis.

Configuration

Identifier: resource_limitation/cyclic_query

Options

  • skip_objects : List of objects that are to be skipped by the security test.

Examples

Ignore this check

checks:
  resource_limitation/cyclic_query:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM04:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-97
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 400

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References