
Batch Limit

Description

Some GraphQL engines accept several operations in a single HTTP request, typically as a JSON array of `{query, variables}` objects that the server executes in turn. This lets clients fetch many objects, or many instances of one object, efficiently. It also means that any control which counts HTTP requests rather than operations (rate limiting, request throttling, per-request cost budgets, WAF thresholds) sees one request while the server executes all of them, so an attacker can pack hundreds of operations, for example login attempts or enumeration queries, into each request and stay under the limit.

Remediation

Disable query batching in your GraphQL engine if clients do not need it. If they do, cap the number of operations accepted per request (the `threshold` option of this check), return an error for requests that exceed the cap before any operation is executed, and make rate limits and cost budgets count operations rather than HTTP requests.
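The following is an added example written for this page, not code from the original page or from any of the engines listed below. It shows, in plain JavaScript, a transport-level cap that mirrors the check's `threshold` option and runs before the executor, together with a simulation of why a rate limiter that counts HTTP requests does not stop batching abuse. The constant `BATCH_LIMIT`, the function names, the `413` status choice and the sample login mutation are this example's own assumptions.

```javascript
// Added example for this page, not code from any engine listed on it.
// (1) a transport-level check that caps the number of operations in one
//     HTTP request, mirroring this check's `threshold` option;
// (2) a simulation of why a rate limiter that counts HTTP requests, not
//     operations, fails against batching.

// Assumed threshold; name and value are this example's own choice.
const BATCH_LIMIT = 5;

// Count the GraphQL operations carried by a parsed JSON request body.
// A single operation is an object with a string `query`; a batch is an
// array of such objects. Anything else is malformed (0 operations).
function countOperations(body) {
  const isOperation = (op) =>
    op !== null && typeof op === 'object' && typeof op.query === 'string';
  if (Array.isArray(body)) {
    return body.every(isOperation) ? body.length : 0;
  }
  return isOperation(body) ? 1 : 0;
}

// Gate a parsed body before it reaches the executor and return a verdict
// the HTTP layer can turn into a response.
function enforceBatchLimit(body, limit = BATCH_LIMIT) {
  const operations = countOperations(body);
  if (operations === 0) {
    return { ok: false, status: 400, reason: 'malformed GraphQL request body' };
  }
  if (operations > limit) {
    return {
      ok: false,
      status: 413,
      reason: `batch of ${operations} operations exceeds limit of ${limit}`,
    };
  }
  return { ok: true, status: 200, operations };
}

// Same check on a raw request body string; invalid JSON is a 400.
function inspectRawBody(raw, limit = BATCH_LIMIT) {
  let body;
  try {
    body = JSON.parse(raw);
  } catch {
    return { ok: false, status: 400, reason: 'invalid JSON' };
  }
  return enforceBatchLimit(body, limit);
}

// Simulate a password-guessing run against a limiter that allows
// `requestsAllowed` HTTP requests per window but does not look inside them.
// Returns how many login attempts the executor would actually run once the
// transport-level cap `limit` is applied (use Infinity for "no cap").
function simulateBruteForce(requestsAllowed, operationsPerRequest, limit) {
  let attemptsExecuted = 0;
  let requestsRejected = 0;
  for (let i = 0; i < requestsAllowed; i++) {
    // Constructed batch: N login mutations, each with a different guess.
    const batch = Array.from({ length: operationsPerRequest }, (_, k) => ({
      query:
        'mutation Login($u: String!, $p: String!) { login(username: $u, password: $p) { token } }',
      variables: { u: 'victim', p: `guess-${i}-${k}` },
    }));
    const verdict = enforceBatchLimit(batch, limit);
    if (verdict.ok) {
      attemptsExecuted += verdict.operations;
    } else {
      requestsRejected++;
    }
  }
  return { attemptsExecuted, requestsRejected };
}

// Stand-alone demonstration: 10 requests per window, 100 operations each.
console.log('no batch cap    :', simulateBruteForce(10, 100, Infinity));
console.log(`cap at ${BATCH_LIMIT}        :`, simulateBruteForce(10, 100, BATCH_LIMIT));
console.log('single operation:', inspectRawBody('{"query":"{ __typename }"}'));
```

With no cap, a limiter that permits 10 requests per window lets 1000 login attempts through; with the cap at 5, every oversized batch is refused before execution, and a legitimate client sending one operation per request is unaffected. The check belongs in front of the executor (a handler, middleware or reverse proxy), because once operations reach resolvers the per-request accounting is already lost.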

GraphQL Specific

Apollo: Apollo Server 4 rejects batched HTTP requests unless `allowBatchedHttpRequests: true` is passed to the `ApolloServer` constructor; leave it off unless clients depend on it. Apollo Server 3 accepted arrays of operations by default, so on that version upgrade or enforce the cap in the HTTP layer in front of the server. The option is an on/off switch, so if batching must stay on, cap the array length in the HTTP layer as well.
Yoga (GraphQL Yoga): batching is off by default in `createYoga`; if it is needed, enable it with an explicit cap, `batching: { limit: N }`, rather than `batching: true`, and keep N at the smallest value clients actually use.
Awsappsync: AWS AppSync executes one GraphQL operation per HTTP request and has no client-side batching switch, so this finding usually points at a proxy or gateway in front of the API; enforce the cap there. Throttle the API with AWS WAF rate-based rules and bound per-operation work with the API's query depth and resolver count limits. AppSync "batch resolvers" are server-side batching against a data source and are unrelated to this check.
Graphqlgo: graphql-go executes one operation per `graphql.Do` call; batching exists only if your HTTP handler decodes a JSON array and loops over it. Check the array length against the threshold before the loop and reject the request if it is exceeded.
Graphqlruby: GraphQL-Ruby executes batched requests through `Schema.multiplex`; in the controller, reject array bodies (or cap their length) before calling it. Keep `max_depth` and `max_complexity` configured, but note that complexity is computed per operation, so a batch of N operations can consume N times the budget unless the batch itself is capped. Resolver-side batch loading (`GraphQL::Batch`, `GraphQL::Dataloader`) is a different mechanism and does not address this finding.
Hasura: do not rely on an environment variable for this; enforce the batch cap in a proxy in front of the `/v1/graphql` endpoint. Independently, set row limits in each role's select permissions and, where available, Hasura's API limits (depth and node limits, rate limits) so that a single request cannot fetch unbounded data.
Agoo: enforce the cap in the Agoo request handler before executing: if the body is a JSON array longer than the threshold, return an error without running any operation.
Ariadne: enforce the cap in the ASGI/WSGI handler or middleware in front of Ariadne: reject array bodies longer than the threshold, and authorize and rate-limit each operation individually rather than per request.
Caliban: cap the number of operations per request in the HTTP adapter in front of Caliban and log oversized batches, since a spike in operations-per-request is the signal that batching is being abused.
Dgraph: Dgraph's GraphQL endpoint should sit behind a proxy that rejects array bodies longer than the threshold, otherwise request-based rate limiting can be bypassed.
Dianajl: enforce the cap in the HTTP handler in front of Diana.jl: reject array bodies longer than the threshold before any operation is executed.
Directus: cap operations per request in a proxy in front of the Directus GraphQL endpoint so that its rate limiting, which counts requests, remains effective.
Flutter: Flutter is a client toolkit; a client-side batching link (for example in a GraphQL client package) must be matched by a server-side cap, because the server cannot trust clients to limit themselves.
Graphene: graphene-django's `GraphQLView` only accepts batched requests when constructed with `batch=True`; leave it off, or subclass the view and check the array length against the threshold before dispatching.
Graphqlapiforwp: cap operations per request in front of the GraphQL API for WP endpoint, or disable batching, so that request-counting rate limits remain effective.
Graphqlgophergo: graph-gophers/graphql-go executes one operation per call; if your handler accepts JSON arrays, cap their length before executing. Depth and complexity analysis limits the cost of each operation but not the number of operations.
Graphqljava: graphql-java executes one `ExecutionInput` at a time; batching is implemented by the HTTP layer (for example Spring GraphQL or a custom servlet), so cap the array length there. Per-operation depth and complexity instrumentation bounds each operation but does not replace the batch cap.
Graphqlphp: graphql-php's `StandardServer` only processes batched requests when `queryBatching` is enabled in `ServerConfig`; leave it disabled, or validate the array length before handing the request to the server. Complexity and depth rules apply per operation and do not cap the batch.
Hypergraphql: cap the number of operations per request in the HTTP layer in front of HyperGraphQL; depth and complexity analysis alone does not limit how many operations one request carries.
Jaal: enforce the cap in the Jaal HTTP handler: reject array bodies longer than the threshold before any operation is executed.
Juniper: Juniper's HTTP integrations deserialize the body into `GraphQLBatchRequest`, which is either a single operation or a `Batch` of them; match on the `Batch` variant and reject it when its length exceeds the threshold.
Lacinia: cap operations per request in the Pedestal/Ring handler in front of Lacinia and log oversized batches.
Lighthouse: Lighthouse (Laravel) controls batching with the `batched_queries` setting in `config/lighthouse.php`; set it to `false`, or add a middleware that rejects array bodies longer than the threshold.
Mercurius: `allowBatchedQueries` is `false` by default; leave it off, or if batching is needed, cap the array length in a Fastify `preHandler` hook and validate and authorize each operation independently.
Morpheusgraphql: cap operations per request in the HTTP handler in front of Morpheus and alert on oversized batches.
gqlgen: gqlgen's `handler.Server` processes one operation per request and does not implement batching; if a gateway in front of it merges operations, enforce the cap there and monitor operations per request.
Sangria: cap operations per request in the Akka HTTP/Play layer in front of Sangria; Sangria's depth and complexity limits bound each operation, not the batch.
Shopify: enforce a strict cap on operations per request and monitor operations-per-request so that Shopify's cost-based rate limiting is not sidestepped by batching.
Stepzen: cap operations per request in a proxy in front of StepZen and track operations-per-request to detect anomalies.
Strawberry: if the Strawberry integration in use accepts batched requests, set its batch cap or reject array bodies in the ASGI layer; depth and complexity extensions bound each operation but not the batch.
Tartiflette: cap the number of operations per request in the Tartiflette ASGI handler so that request-based rate limits remain effective.
Wpgraphql: WPGraphQL exposes a "Batch Queries" toggle and a "Batch Limit" in its settings page; disable batching or lower the limit to the threshold, and monitor operations per request.

Configuration

Identifier: resource_limitation/graphql_batch_limit

Options

  • threshold : Maximum number of batched documents allowed to be sent

Examples

Ignore this check

checks:
  resource_limitation/graphql_batch_limit:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API8:2023
  • OWASP LLM: LLM04:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-2

Classification

  • CWE: 770

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:R
  • CVSS_SCORE: 4.9

References