Alias limit
Description
GraphQL aliases let a client request the same field more than once in a single operation under different result keys, for example `a: user(id: 1) { name }` next to `b: user(id: 2) { name }`, so the results do not collide in the response object. This is legitimate and efficient for batching.
The same feature lets an attacker multiply work inside one HTTP request. Rate limits, WAF rules and per-request cost budgets usually count requests, so a single request carrying hundreds of aliased copies of an expensive field, or of a sensitive mutation such as a login or one-time-code check, is billed once by the rate limiter while the backend executes every copy. A per-request limit therefore becomes no limit at all: credentials or codes can be brute-forced and the resolver layer can be exhausted from a handful of requests.
Remediation
Enforce a maximum number of aliases per operation in the GraphQL engine at validation time, so that an operation above the threshold is rejected before any resolver runs. Count aliases across the whole document, including nested selection sets and fragments, not only the top-level fields. Treat this as one layer: pair it with query complexity or depth analysis, and with rate limiting that counts resolver invocations or query cost rather than HTTP requests, so that an attacker who stays under the alias threshold still cannot multiply work for free.
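An engine-independent sketch of both sides, added here as an example (it is not Escape's code and not code from any of the engines listed below): `build_login_bruteforce` constructs the kind of attack document described above, `count_aliases` counts field aliases by scanning the raw document text, and `enforce_alias_limit` applies a threshold using the same `-1 = no limit` convention as this check's `threshold` option. The `login` mutation, the `attemptN` alias names and the sample query are constructed for illustration and do not come from any real schema.

```python
"""Alias counting and limiting for raw GraphQL documents (added example).

The scanner relies on one property of executable GraphQL documents: a colon at
parenthesis depth 0 can only introduce a field alias.  Argument colons
(`user(id: 1)`), directive arguments (`@include(if: $x)`) and variable
definitions (`query ($id: ID!)`) all sit inside `( ... )`; string literals and
comments are skipped so a ':' inside them is never counted.
"""
import re

NAME_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


class AliasLimitExceeded(ValueError):
    """Raised when a document uses more aliases than the configured threshold."""


def count_aliases(document: str) -> int:
    """Return the number of `alias: field` selections in a GraphQL document."""
    i, n, depth, aliases = 0, len(document), 0, 0
    while i < n:
        c = document[i]
        if c == "#":                           # comment runs to end of line
            while i < n and document[i] != "\n":
                i += 1
        elif document.startswith('"""', i):    # block string, may contain ':'
            end = document.find('"""', i + 3)
            while end != -1 and document[end - 1] == "\\":
                end = document.find('"""', end + 1)
            i = n if end == -1 else end + 3
        elif c == '"':                         # ordinary string with escapes
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
            i += 1
        elif c == "(":
            depth += 1
            i += 1
        elif c == ")":
            depth = max(0, depth - 1)
            i += 1
        else:
            m = NAME_RE.match(document, i)
            if m:
                j = m.end()
                while j < n and document[j] in " \t\r\n,":   # skip ignored tokens
                    j += 1
                if depth == 0 and j < n and document[j] == ":":
                    aliases += 1               # Name ':' outside parens == alias
                    j += 1
                i = j
            else:
                i += 1
    return aliases


def enforce_alias_limit(document: str, threshold: int = 15) -> int:
    """Reject documents with more than `threshold` aliases; -1 disables the check.

    Returns the alias count so callers can log it alongside the decision.
    """
    count = count_aliases(document)
    if threshold >= 0 and count > threshold:
        raise AliasLimitExceeded(f"{count} aliases exceed the limit of {threshold}")
    return count


def is_within_alias_limit(document: str, threshold: int) -> bool:
    """Boolean form of enforce_alias_limit for gateways that just need accept/reject."""
    try:
        enforce_alias_limit(document, threshold)
        return True
    except AliasLimitExceeded:
        return False


def build_login_bruteforce(username: str, passwords: list) -> str:
    """Constructed attack document: N password guesses in one HTTP request.

    A rate limiter counting requests sees one request; the `login` resolver
    (hypothetical) runs once per alias.
    """
    attempts = "\n".join(
        f'  attempt{i}: login(username: "{username}", password: "{pw}") {{ token }}'
        for i, pw in enumerate(passwords)
    )
    return f"mutation {{\n{attempts}\n}}"


# Constructed sample of a benign query: exactly one alias (`avatar`), plus
# argument, directive and variable-definition colons that must not be counted.
LEGIT_QUERY = """
query ($id: ID!, $n: Int = 10) {
  user(id: $id) {
    name
    avatar: image(size: "small")   # the only alias in this document
    posts(first: $n) @include(if: true) { title }
  }
}
"""

if __name__ == "__main__":
    attack = build_login_bruteforce("alice", [f"pw{i}" for i in range(100)])
    print("legit aliases:", count_aliases(LEGIT_QUERY))
    print("attack aliases:", count_aliases(attack))
    print("attack accepted at threshold 15:", is_within_alias_limit(attack, 15))
```

The text scanner is meant for a gateway or WAF-style pre-filter that has no GraphQL parser at hand. Inside an engine the same count belongs in a validation rule over the parsed AST (for example Apollo Server's `validationRules` option or a graphql-core validation rule), which runs after parsing and before execution and also sees aliases pulled in through fragments, so the decision is made before any resolver is invoked.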
GraphQL Specific
Apollo
Apollo Server does not limit aliases on its own, and generic hygiene (input validation, error handling, dependency updates) does not address this check. Add a validation rule that counts aliases across the whole document to the server's `validationRules` option, so that an offending operation is rejected before any resolver runs; GraphQL Armor ships such a rule. Keep query complexity analysis in place as well, since the two controls catch different query shapes.
Yoga
GraphQL Yoga has no built-in alias limit either. Register a max-aliases plugin (GraphQL Armor provides one for Yoga and envelop) or a custom validation rule, and keep the server and its plugins on current versions so fixes to validation logic are picked up.
AWS AppSync
AppSync is a managed engine, so you cannot add a custom validation rule. Every aliased field still invokes its resolver, so constrain the operation shape with the API-level limits AppSync exposes (query depth and resolver count) and put AWS WAF rate-based rules in front of the endpoint. Refactoring your own client queries to use fewer aliases reduces your own traffic but does nothing against a hostile client; the limit has to be enforced on the server side.
graphql-go
Implement a query complexity analysis that prices each field selection, so that an aliased copy of a field costs as much as the original, and reject operations above a maximum cost. Add an explicit alias counter next to it, because a cheap field repeated thousands of times can stay under a cost budget while still defeating per-request rate limiting. A library that provides both is preferable to a hand-rolled analyzer.
graphql-ruby
Add a query analyzer (graphql-ruby's analysis API) that counts aliases, including those inside fragments and nested selections, and rejects the operation above a threshold. Combine it with `max_complexity` and `max_depth`, which graphql-ruby evaluates per field selection, so aliased duplicates are also charged against the complexity budget.
Hasura
Hasura executes each aliased root field, so keep the alias limit (`HASURA_GRAPHQL_MAX_ALIAS_COUNT`) at a conservative value; raising it to accommodate a large client query trades away the protection. Where your edition offers API limits, add depth and node limits as well. If legitimate clients need many aliases, move that aggregation into a server-side action or view rather than loosening the limit.
Agoo
Enforce a server-side cap on aliases per query so that one request cannot multiply resolver work.
Ariadne
Ariadne builds on graphql-core and accepts custom validation rules; add one that counts aliases and rejects the document above the threshold, so that rate limiting keyed on requests stays meaningful.
Caliban
Add a server-side alias cap as a validation step alongside Caliban's query cost controls, so that a single request cannot carry hundreds of aliased fields.
Dgraph
Cap and monitor aliases per query in front of Dgraph's GraphQL endpoint so that rate limiting and other per-request controls remain effective.
Diana.jl
Implement a limit on the number of aliases allowed in a single GraphQL query so that per-request rate limiting cannot be bypassed.
Directus
Implement a limit on the number of aliases allowed in a single GraphQL query served by Directus to prevent abuse.
Flutter
Flutter is a client; the limit must be enforced by the GraphQL server the app talks to (an alias cap plus complexity and depth analysis). The client cannot protect the server from other clients.
Graphene
Graphene uses graphql-core; add a validation rule that counts aliases and rejects the document above the threshold, so that per-request rate limiting is not bypassed.
GraphQL API for WP
Implement a limit on the number of aliases allowed per query to prevent abuse and bound resource usage.
graph-gophers graphql-go
Implement a limit on the number of aliases allowed per query so that per-request security measures such as rate limiting remain effective.
graphql-java
Add an Instrumentation or validation rule that counts aliases and aborts the operation above the threshold, and pair it with graphql-java's `MaxQueryComplexityInstrumentation` and `MaxQueryDepthInstrumentation`.
graphql-php
Register a custom validation rule with `DocumentValidator` that counts aliases and rejects the document above the threshold, alongside the built-in `QueryComplexity` and `QueryDepth` rules.
GraphQL Yoga
Same engine as Yoga above: register a max-aliases plugin or a custom validation rule so that per-request rate limiting is not bypassed.
HyperGraphQL
Implement a server-side alias limit sized to your application's security and performance requirements.
Jaal
Implement a limit on the number of aliases allowed in a single GraphQL query so that rate limiting remains effective.
Juniper
Implement a limit on the number of aliases allowed in a single GraphQL query so that rate limiting remains effective.
Lacinia
Implement a server-side alias limit in Lacinia to restrict the number of aliases allowed in a single query.
Lighthouse
Cap aliases per query and enable Lighthouse's complexity and depth limits in its security configuration.
Mercurius
Set Mercurius's `queryDepth` option and add an alias cap as a validation rule, so that queries exceeding either are rejected before execution.
Morpheus GraphQL
Implement a strict alias limit so that the number of aliases in a single query is restricted to a safe threshold.
gqlgen
Add a validation step that caps aliases and enable gqlgen's complexity limit extension; both reject the operation before resolvers run.
Sangria
Use Sangria's query reducers to measure complexity and depth, and add a reducer or validation rule that counts aliases and rejects the query above the threshold.
Shopify
If you expose a GraphQL endpoint built with Shopify tooling, cap aliases per query on the server side so that rate limiting is not bypassed.
StepZen
Implement a limit on the number of aliases allowed in a single GraphQL query served through StepZen so that rate limiting remains effective.
Strawberry
Strawberry ships a `MaxAliasesLimiter` extension; add it to the schema's extensions together with `QueryDepthLimiter`.
Tartiflette
Implement a query complexity analysis in the Tartiflette engine that counts aliases and keeps the overall query cost within an acceptable limit.
WPGraphQL
Implement a limit on the number of aliases allowed in a single GraphQL query so that rate limiting remains effective.
Configuration
Identifier: `resource_limitation/graphql_alias_limit`
Options
- threshold: maximum number of aliases allowed in one query before the check raises an alert (-1 = no limit).
Compliance
- OWASP: API5:2023
- OWASP LLM: LLM04:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC1
- psd2: Article-97
- iso27001: A.14.2
- nist: SP800-53
- fedramp: AC-2
Classification
- CWE: 770
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1