Depth limit
Description
GraphQL does not limit how deep a query can be.
Since GraphQL schemas are often cyclic graphs, a deeply nested query can potentially lead to DoS attacks or information leakage.
Remediation
Secure your application by preventing clients from abusing query depth.
To do so, add a Maximum Query Depth limit based on your knowledge of the schema and how deep you believe a legitimate query could go.
By analyzing the query document's abstract syntax tree (AST), a GraphQL server is able to reject or accept a request based on its depth.
Depth alone is often not enough to cover all abusive queries. For example, a query requesting an enormous amount of nodes on the root will be very expensive but unlikely to be blocked by a query depth analyzer.
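The AST walk described above, as an added example that is neither this page's nor any listed framework's code: a Python depth counter over a small GraphQL subset (assumed: no directives and no object-literal variable defaults), so it runs without a GraphQL library. Depth is the number of nested selection sets below the root (`{ me }` is 0); fragment spreads are expanded where they are used so a fragment cannot hide nesting, and a fragment cycle is rejected rather than recursed into forever.

```python
import re  # added example, not the page's or any listed framework's code
# Fragment-aware depth check over a GraphQL subset (no directives, no object-literal defaults); a server does this walk on its parsed AST.
TOKEN_RE = re.compile(r'#[^\n]*|"(?:[^"\\]|\\.)*"|\.\.\.|[_A-Za-z]\w*|[^\s,]')

def skip_block(tokens, i, open_tok, close_tok):
    level = 1  # tokens[i] == open_tok; return the index just past its matching close_tok
    while level:
        i += 1
        level += (tokens[i] == open_tok) - (tokens[i] == close_tok)
    return i + 1

def selection_depth(tokens, i, fragments, visiting=frozenset()):
    i, depth = i + 1, 0  # tokens[i] == '{'; returns (max nesting below this set, index past '}')
    while tokens[i] != '}':
        if tokens[i] == '...':
            i += 1
            if tokens[i] == 'on':  # inline fragment with a type condition
                i += 2
            if tokens[i] == '{':  # inline fragment: same level as its parent
                d, i = selection_depth(tokens, i, fragments, visiting)
            else:  # named spread: count the fragment body where it is used
                name, i = tokens[i], i + 1
                if name in visiting or name not in fragments:
                    raise ValueError(f"bad fragment spread {name!r}")
                d, _ = selection_depth(tokens, fragments[name], fragments, visiting | {name})
            depth = max(depth, d)
            continue
        i += 1  # step past a field name (an alias and its ':' are stepped past the same way)
        if tokens[i] == '(':  # arguments never add depth
            i = skip_block(tokens, i, '(', ')')
        if tokens[i] == '{':  # sub-selection: one level deeper
            d, i = selection_depth(tokens, i, fragments, visiting)
            depth = max(depth, d + 1)
    return depth, i + 1

def query_depth(document):
    """Deepest nesting level over the document's operations, with fragment spreads resolved."""
    tokens = [t for t in TOKEN_RE.findall(document) if t[0] not in '#"']  # drop comments, strings
    fragments, ops, i = {}, [], 0
    while i < len(tokens):
        name = tokens[i + 1] if tokens[i] == 'fragment' else None
        while tokens[i] != '{':  # skip the definition header (operation name, variables)
            i += 1
        if name is None:
            ops.append(i)
        else:
            fragments[name] = i
        i = skip_block(tokens, i, '{', '}')
    return max(selection_depth(tokens, s, fragments)[0] for s in ops)
```

Compare the returned depth against this check's `threshold` option; a wide query such as `{ a1: me a2: me a3: me }` still scores 0, which is the gap the paragraph above describes.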
GraphQL Specific
Apollo
For the Apollo framework engine, ensure that you are implementing depth limiting to prevent overly complex queries from overloading the server. This can be achieved by using a validation rule that checks the depth of each query and rejects those that exceed a certain threshold. Libraries such as `graphql-depth-limit` can be used to easily set up depth limiting in your Apollo server configuration.
Yoga
Ensure that the Yoga framework engine is updated to the latest version to mitigate any known vulnerabilities. Regularly review and apply security patches as they become available. Additionally, implement proper input validation to prevent injection attacks and configure the engine with secure defaults to minimize the risk of misconfiguration. Always follow best practices for authentication and authorization to protect sensitive data and resources.
Awsappsync
To prevent issues with depth limits in AWS AppSync, it is recommended to define and enforce depth limiting on your GraphQL operations. This can be achieved by setting a maximum depth for queries in the AWS AppSync settings. Additionally, consider implementing cost analysis to ensure that queries do not exceed complexity that can impact performance. By using these strategies, you can protect your API against overly complex queries that could lead to performance degradation or abuse.
Graphqlgo
To mitigate potential security vulnerabilities in the GraphQL Go framework engine, it is recommended to implement depth limiting on queries. Depth limiting restricts the complexity of the queries that can be executed by setting a maximum depth for each query. This prevents malicious users from crafting deeply nested queries that could potentially lead to performance issues or denial of service. To enforce depth limits, you can use middleware or custom logic that analyzes the query's abstract syntax tree (AST) before execution and rejects queries that exceed the specified depth threshold.
Graphqlruby
In the GraphQL Ruby framework, to mitigate the risk of overly complex queries that can lead to performance issues or denial of service, implement a depth limit for queries. You can use the `max_depth` option in your schema definition to enforce a maximum depth for incoming queries. This will ensure that users cannot submit queries that exceed a certain level of nested fields, which can protect your application from unnecessary load and potential abuse. Additionally, consider using the graphql-depth_limit gem for more advanced depth limiting features.
Hasura
To mitigate potential security risks in the Hasura framework engine, ensure that all GraphQL queries are validated against a strict schema and implement role-based access controls (RBAC) to limit permissions based on user roles. Additionally, use prepared statements or parameterized queries to prevent injection attacks, and regularly update the Hasura engine to the latest version to benefit from security patches and improvements.
Agoo
Implement a query depth limit in the Agoo framework to prevent excessively deep queries that could lead to DoS attacks or information leakage.
Ariadne
Implement a query depth limit in the Ariadne framework by using middleware to restrict the maximum depth of GraphQL queries, preventing excessively deep queries that could lead to performance issues or security vulnerabilities.
Caliban
Implement a query depth limit in the Caliban framework to prevent excessively deep queries that could lead to DoS attacks or information leakage.
Dgraph
Implement a query depth limit in the Dgraph framework to prevent excessively deep queries that could lead to DoS attacks or information leakage.
Dianajl
Implement a query depth limit in the dianajl framework engine to prevent excessively deep queries, which can mitigate the risk of DoS attacks and information leakage.
Directus
Implement a query depth limit in Directus to prevent excessively deep queries that could lead to performance issues or data exposure.
Flutter
Implement a query depth limit in the GraphQL server to prevent excessively deep queries that can lead to performance issues or potential DoS attacks.
Graphene
Implement a query depth limit using middleware in the Graphene framework to prevent excessively deep queries and mitigate potential DoS attacks.
Graphqlapiforwp
Implement a query depth limit in the graphqlapiforwp framework to prevent excessively deep queries that could lead to DoS attacks or information leakage.
Graphqlgophergo
Implement a query depth limit in the GraphQLGopherGo framework to prevent excessively deep queries that could lead to DoS attacks or information leakage.
Graphqljava
Implement a query depth limit using graphql-java's instrumentation feature to prevent excessively deep queries and protect against potential DoS attacks.
Graphqlphp
Implement a query depth limit using the `GraphQL\Validator\Rules\QueryDepth` rule in the graphql-php framework to prevent excessively deep queries and mitigate potential DoS attacks.
Graphqlyoga
Implement a depth limit rule in the GraphQL Yoga server to restrict the maximum depth of queries, preventing overly complex queries that could lead to performance issues or DoS attacks.
Hypergraphql
Implement a query depth limit in the HyperGraphQL engine to prevent excessively deep queries that could lead to performance issues or data exposure.
Jaal
Implement a depth limit in the Jaal framework engine to restrict how deep a GraphQL query can go, preventing potential DoS attacks and information leakage.
Juniper
Implement a query depth limit in the Juniper framework to prevent excessively deep queries, which can mitigate the risk of DoS attacks and information leakage.
Lacinia
Implement a query depth limit in the Lacinia framework to prevent excessively deep queries that could lead to DoS attacks or information leakage.
Lighthouse
Implement a depth limit on GraphQL queries to prevent excessively deep queries that can lead to performance issues or potential DoS attacks.
Mercurius
Implement a depth limit in the Mercurius framework by using the `depthLimit` plugin to restrict the maximum depth of GraphQL queries, preventing potential DoS attacks and information leakage.
Morpheusgraphql
Implement a query depth limit in the MorpheusGraphQL framework to prevent excessively deep queries, which can mitigate the risk of DoS attacks and information leakage.
Gqlgen
Implement a query depth limit in gqlgen by using middleware to restrict the maximum depth of queries, preventing excessively deep queries that could lead to performance issues or security vulnerabilities.
Sangria
Implement a query depth limit using Sangria's `QueryReducer` to prevent excessively deep queries and mitigate potential DoS attacks.
Shopify
Implement a query depth limit in your Shopify GraphQL API to prevent excessively deep queries, which can help mitigate potential DoS attacks and reduce the risk of information leakage.
Stepzen
Implement a depth limit in the StepZen framework to restrict the maximum depth of GraphQL queries, preventing excessive nesting and mitigating the risk of DoS attacks or information leakage.
Strawberry
Implement a query depth limit in the Strawberry framework to prevent excessively deep queries that could lead to DoS attacks or information leakage.
Tartiflette
Implement a query depth limit in the Tartiflette engine to prevent excessively deep queries that could lead to performance issues or security vulnerabilities.
Wpgraphql
Implement a query depth limit in the wpgraphql framework to prevent excessively deep queries that could lead to performance issues or security vulnerabilities.
Configuration
Identifier:
resource_limitation/graphql_depth_limit
Options
- threshold : Maximum depth before raising an alert (-1 = infinite).
Examples
Ignore this check
Score
- Escape Severity:
Compliance
- OWASP: API4:2023
- OWASP LLM: LLM04:2023
- pci: 6.5.1
- gdpr: Article-32
- soc2: CC6
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: SC-5
Classification
- CWE: 400
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1