Skip to content

Cyclic Recursive Query

Description

A circular introspection query has succeeded on the system. This can be exploited to conduct a Denial of Service attack.

By calling several objects that reference each other, an attacker can create a circular reference.

Creating a circular reference will increase the size of the returned document exponentially. The larger your schema is, the bigger the document will be.

This DoS attack is hard to exploit as the size of the query might be limited by a server before reaching your backend.

Remediation

To prevent circular introspection from being abused:

  • Limit the maximum depth of the introspection query.
  • Limit the maximum elapsed time to execute a GraphQL query.
  • Disable your introspection.

GraphQL Specific

Apollo To address the issue of cyclic recursive queries within the Apollo framework engine, it is recommended to implement checks that detect cycles in the query structure. This can be achieved by maintaining a record of visited nodes or resolvers and verifying that a node is not revisited within the same query execution context. Additionally, consider setting a maximum depth for queries and using Apollo's query cost analysis to prevent overly complex queries from being executed. By doing so, you can prevent infinite recursion and ensure the stability and performance of your GraphQL service.
Yoga To address the issue of cyclic recursive queries in the Yoga framework engine, it is recommended to implement checks that detect cycles in the query structure. This can be achieved by maintaining a record of visited nodes or paths and verifying that a new query does not reintroduce a previously visited node. Additionally, setting a maximum depth for recursive queries can prevent infinite recursion. If the framework allows, consider using built-in features or plugins that manage query depth and complexity. Always validate and sanitize user input to prevent malicious queries from exploiting recursive functionalities.
Awsappsync To prevent issues with cyclic recursive queries in AWS AppSync, it is recommended to implement depth limiting in your resolvers. This can be achieved by setting a maximum depth for queries and using a depth counting mechanism to track the resolver's call depth. Additionally, consider using query complexity analysis to assign costs to fields and types, and enforce a maximum query cost. This helps to mitigate the risk of overly complex or malicious queries affecting the performance and stability of your GraphQL API.
Graphqlgo To mitigate the risk of cyclic recursive queries in a GraphQL Go framework engine, implement depth limiting to restrict the complexity of the queries that can be executed. Additionally, consider using query cost analysis techniques to assign costs to different fields and types, and enforce a maximum query cost. This can be complemented with throttling based on the client's request rate to prevent abuse. It's also advisable to use persistent queries to allow only pre-approved query operations. Ensure proper monitoring and logging of query patterns to detect and respond to potential abuse.
Graphqlruby To mitigate the risk of cyclic recursive queries in the GraphQL Ruby framework, implement query depth analysis to limit the complexity of accepted queries. Use the `max_depth` option provided by the framework to define the maximum allowed depth for queries. Additionally, consider employing query cost analysis techniques to assign costs to different fields and types, and set a maximum query cost to prevent overly complex queries from being executed. Regularly review and adjust these limits based on the application's performance and requirements.
Hasura To prevent issues with cyclic recursive queries in Hasura, ensure that you set depth limits for queries in the Hasura console under 'Settings' > 'Limits'. Additionally, use query complexity analysis to assign costs to fields and use these costs to limit the depth and breadth of each query. This helps in avoiding performance bottlenecks and potential denial of service attacks caused by deeply nested queries.
Agoo Implement query depth limiting in the Agoo framework to prevent excessive recursion and mitigate potential Denial of Service attacks.
Ariadne To prevent cyclic recursive queries in the Ariadne framework, implement query depth limiting and disable introspection queries in production environments to mitigate potential Denial of Service attacks.
Caliban Implement query depth limiting in Caliban to prevent excessively deep or circular queries, thereby mitigating potential Denial of Service attacks.
Dgraph Implement query depth limiting and introspection query restrictions to prevent circular references and mitigate potential Denial of Service attacks in the Dgraph framework.
Dianajl Implement query depth limiting and timeout mechanisms in the Dianajl framework engine to prevent circular introspection queries from causing Denial of Service attacks.
Directus Implement query depth limiting and disable introspection queries in production to prevent circular reference exploitation in Directus.
Flutter Implement query depth limiting and complexity analysis in your GraphQL server to prevent circular introspection queries from causing Denial of Service attacks. Additionally, consider disabling introspection queries in production environments to further mitigate this risk.
Graphene To prevent cyclic recursive queries in the Graphene framework, implement query depth limiting and disable introspection queries in production environments to mitigate potential Denial of Service attacks.
Graphqlapiforwp Implement query depth limiting and complexity analysis in the GraphQL API for WP framework to prevent circular introspection queries and mitigate potential Denial of Service attacks.
Graphqlgophergo Implement query depth limiting and complexity analysis in the GraphQLGopherGo framework to prevent circular introspection queries from causing Denial of Service attacks.
Graphqljava Implement query depth limiting and complexity analysis in the GraphQL Java framework to prevent circular introspection queries and mitigate potential Denial of Service attacks.
Graphqlphp Implement query depth limiting and complexity analysis to prevent excessively deep or complex queries that could lead to Denial of Service attacks.
Graphqlyoga Implement query depth limiting and complexity analysis in the GraphQL Yoga framework to prevent circular introspection queries and mitigate potential Denial of Service attacks.
Hypergraphql Implement query depth limiting and introspection query restrictions in the HyperGraphQL framework to prevent circular references and mitigate potential Denial of Service attacks.
Jaal Implement query depth limiting and complexity analysis in the Jaal framework to prevent excessive resource consumption from cyclic recursive queries.
Juniper Implement query depth limiting and timeout settings in the Juniper framework to prevent excessive resource consumption from cyclic recursive queries.
Lacinia Implement query depth limiting in the Lacinia framework to prevent excessively deep or circular queries, thereby mitigating potential Denial of Service attacks.
Lighthouse Implement query depth limiting and complexity analysis to prevent excessive resource consumption from recursive queries.
Mercurius To prevent cyclic recursive queries in Mercurius, implement query depth limiting and complexity analysis to restrict excessively nested queries, and consider disabling introspection in production environments to mitigate potential Denial of Service attacks.
Morpheusgraphql Implement query depth limiting and introspection query restrictions to prevent circular references and mitigate potential Denial of Service attacks in the MorpheusGraphQL framework.
Qglgen To prevent cyclic recursive queries in gqlgen, implement query depth limiting and complexity analysis. This can be achieved by setting a maximum query depth and complexity score in your server configuration, ensuring that overly complex or deep queries are rejected before execution.
Sangria To prevent cyclic recursive queries in the Sangria framework, implement query depth limiting and complexity analysis to restrict excessively nested queries and circular references.
Shopify Implement query depth limiting and complexity analysis to prevent excessive resource consumption from recursive queries in the Shopify framework.
Stepzen To mitigate cyclic recursive queries in StepZen, implement query depth limiting and timeout settings to prevent excessive resource consumption. Additionally, consider disabling introspection queries in production environments to reduce exposure to potential Denial of Service attacks.
Strawberry Implement query depth limiting in the Strawberry framework to prevent excessively deep or circular introspection queries, thereby mitigating potential Denial of Service attacks.
Tartiflette To prevent cyclic recursive queries in Tartiflette, implement query depth limiting and complexity analysis to restrict excessively nested queries. Additionally, disable introspection queries in production environments to minimize exposure to potential Denial of Service attacks.
Wpgraphql Implement query depth limiting and disable introspection queries in production to prevent circular reference exploitation in WPGraphQL.

Configuration

Identifier: resource_limitation/graphql_circular_introspection

Examples

Ignore this check

checks:
  resource_limitation/graphql_circular_introspection:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API8:2023
  • OWASP LLM: LLM04:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-97
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 730

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:R
  • CVSS_SCORE: 4.4