Skip to content

Field Duplication

Description

Some GraphQL engines allow to send multiple times the exact same field in a single query. This behaviour does not have any practical applications for developers. However, an attacker can leverage this feature to perform a DoS attack by sending a large number of duplicated fields in a single query. This can lead to a high CPU and memory usage on the server side, and can cause the server to become unresponsive.

Remediation

To remediate Field Duplication, ensure that your application's logic or database schema prevents the creation of duplicate entries. Implement checks to verify the uniqueness of fields that are required to be unique before inserting or updating records. Use database constraints like UNIQUE indexes to enforce uniqueness at the database level. Additionally, consider implementing application-level validation to provide user-friendly error messages when a duplication attempt is made. Regularly review your data to identify and resolve any existing duplicates.

GraphQL Specific

Apollo To address field duplication in the Apollo framework engine, ensure that your GraphQL schema is designed with reusable fragments and interfaces to minimize redundancy. Utilize the DRY (Don't Repeat Yourself) principle by creating shared field definitions that can be included in multiple types or queries. Additionally, leverage Apollo's caching mechanisms to prevent unnecessary data fetching and reduce the likelihood of duplicating fields across different parts of your application.
Yoga To address the issue of field duplication in the Yoga framework engine, ensure that your data models are properly designed to avoid redundancy. Utilize inheritance or composition to share fields between related models, and consider implementing a data normalization process. Additionally, review your database schema and object-relational mapping configurations to prevent unnecessary duplication of fields across your data storage and application layers. Regularly refactor your codebase to maintain clean and DRY (Don't Repeat Yourself) principles.
Awsappsync To address field duplication issues in AWS AppSync, ensure that your GraphQL schema is designed with reusable fragments and interfaces to minimize redundancy. Utilize schema directives to enforce field uniqueness and consider implementing resolver mapping templates that abstract repetitive logic. Regularly review and refactor your schema to consolidate fields and types that serve similar purposes.
Graphqlgo To prevent field duplication in the GraphQL Go framework engine, ensure that your schema design is normalized to avoid redundant fields. Utilize GraphQL fragments to share common fields between queries, and leverage tools such as 'graphql-go-tools' or 'gqlgen' to detect and warn about duplicate fields during development. Additionally, consider implementing a custom validation rule that checks for field duplication within incoming queries and rejects those that do not adhere to the schema's best practices.
Graphqlruby To prevent field duplication in GraphQL Ruby, ensure that your queries are structured to avoid repetitive field requests. Utilize fragments to share fields between different queries and mutations, and consider implementing a query complexity analysis tool to detect and mitigate duplication issues. Additionally, leverage the GraphQL::Analysis::AST module to analyze query structures at runtime and provide feedback or restrictions on field duplication.
Hasura To avoid field duplication in Hasura, ensure that your GraphQL queries are structured efficiently. Refactor your queries to use fragments for shared fields between different query parts or leverage Hasura's support for named operations to reuse the same query with different variables. Additionally, consider using aliases to differentiate between fields when necessary. This will help maintain clean and optimized data fetching operations.
Agoo Implement query depth and complexity limits
Ariadne Implement query depth and complexity analysis to limit duplicated fields in Ariadne GraphQL queries
Caliban Implement query validation to limit duplicated fields in Caliban framework queries.
Dgraph Implement query validation to limit duplicated fields in GraphQL queries to prevent potential DoS attacks.
Dianajl Implement query depth and complexity analysis to limit duplicated fields in GraphQL queries
Directus Implement query complexity analysis to limit duplicated fields in Directus queries
Flutter Implement query validation to detect and reject GraphQL queries with duplicated fields.
Graphene Implement query complexity analysis and depth limiting in the Graphene framework to prevent excessive field duplication.
Graphqlapiforwp Implement query complexity analysis to limit duplicated fields in GraphQL queries
Graphqlgophergo Implement query complexity analysis and limit the number of duplicated fields in GraphQL queries to prevent potential DoS attacks.
Graphqljava Implement query validation to limit duplicated fields in GraphQL queries
Graphqlphp Implement query validation to limit duplicated fields in graphqlphp framework
Graphqlyoga Implement query complexity analysis and depth limiting to prevent excessive field duplication in GraphQL Yoga.
Hypergraphql Implement query depth and complexity analysis to limit duplicated fields
Jaal Implement query validation to detect and reject queries with duplicated fields in the Jaal framework.
Juniper Implement query validation to detect and reject queries with duplicated fields in the Juniper framework.
Lacinia Implement query complexity analysis to limit duplicated fields in Lacinia queries
Lighthouse Implement query complexity analysis to limit duplicated fields
Mercurius Implement query depth and complexity limiting in Mercurius to prevent excessive field duplication.
Morpheusgraphql Implement query validation to detect and reject queries with duplicated fields in MorpheusGraphQL.
Qglgen Implement query depth and complexity analysis to limit duplicated fields in gqlgen queries.
Sangria Implement query complexity analysis to limit duplicated fields in Sangria.
Shopify Implement query complexity analysis to limit duplicated fields in GraphQL queries
Stepzen Implement query validation to limit duplicated fields in GraphQL queries
Strawberry Implement query complexity analysis to limit duplicated fields
Tartiflette Implement query complexity analysis to limit duplicated fields in Tartiflette.
Wpgraphql Implement query depth and complexity analysis to limit duplicated fields

Configuration

Identifier: resource_limitation/graphql_field_duplication

Examples

Ignore this check

checks:
  resource_limitation/graphql_field_duplication:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API4:2023
  • OWASP LLM: LLM04:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.12.6
  • nist: SP800-207
  • fedramp: SI-7

Classification

  • CWE: 400

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H