Field limit
Description
Attackers may craft complex queries by requesting a significant number of fields.
This could lead to potential DoS attacks or information leakage.
Remediation
Limit query complexity by using a library specific to your engine.
GraphQL Specific
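As an added illustration of what such a limit does (this is example code written for this page, not part of the Escape check nor of any engine listed below), the following Python module counts the field selections and the selection-set depth of a raw GraphQL document and applies a threshold with the same convention as this check's `threshold` option (-1 disables the limit). It uses a small hand-written tokenizer instead of a GraphQL library so it runs offline; the sample documents, the `build_bulk_query` helper and the `FieldLimitResult` type are constructed for the example. Two simplifications to keep in mind: a fragment body is counted once where it is defined, not once per spread, and aliases of the same field each count as a field, since repeating one field under many aliases is exactly the pattern a field limit exists to catch. In production the equivalent rule belongs in the engine's validation phase (a custom validation rule in graphql-js, a query analyzer in graphql-ruby) so the document is rejected before any resolver runs.

```python
import re
from dataclasses import dataclass

# Lexical subset of GraphQL sufficient for selection counting (assumption:
# documents fed in use only these token kinds; anything else is rejected).
_TOKEN_RE = re.compile(r'''
    (?P<ws>[\s,]+)                               # whitespace; commas are insignificant
  | (?P<comment>\#[^\n\r]*)                      # line comment
  | (?P<block>"""(?:\\"""|(?!""")[\s\S])*""")     # block string
  | (?P<string>"(?:\\.|[^"\\\n])*")              # string literal
  | (?P<spread>\.\.\.)                           # fragment spread / inline fragment
  | (?P<name>[_A-Za-z][_0-9A-Za-z]*)             # field, alias, type or keyword
  | (?P<number>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?) # int or float literal
  | (?P<punct>[{}()\[\]:!=@$|&])                  # punctuators
''', re.VERBOSE)


def tokenize(query: str) -> list[tuple[str, str]]:
    """Split a GraphQL document into (kind, text) tokens, dropping whitespace and comments."""
    tokens, pos = [], 0
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError(f"unexpected character {query[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup not in ("ws", "comment"):
            tokens.append((m.lastgroup, m.group()))
    return tokens


def count_fields(query: str) -> tuple[int, int]:
    """Return (field_selections, max_selection_depth) for a GraphQL document.

    Every field selection counts, including each alias of the same field.
    Arguments, variable definitions, directives and spread names are skipped.
    A fragment body is counted once, where it is defined, not once per spread.
    """
    tokens = tokenize(query)
    fields = depth = max_depth = paren = 0
    i, n = 0, len(tokens)
    while i < n:
        kind, text = tokens[i]
        nxt = tokens[i + 1] if i + 1 < n else (None, None)
        if (kind, text) == ("punct", "("):
            paren += 1
        elif (kind, text) == ("punct", ")"):
            paren -= 1
        elif paren > 0:
            pass                     # inside arguments: no selections here
        elif (kind, text) == ("punct", "{"):
            depth += 1
            max_depth = max(max_depth, depth)
        elif (kind, text) == ("punct", "}"):
            depth -= 1
        elif (kind, text) == ("punct", "@"):
            i += 1                   # skip directive name; its arguments hit the paren rule
        elif kind == "spread":
            if nxt == ("name", "on"):
                i += 2               # "... on Type": skip keyword and type condition
            elif nxt[0] == "name":
                i += 1               # "...Fragment": a spread, not a field
        elif kind == "name" and depth > 0 and nxt != ("punct", ":"):
            fields += 1              # a field; an alias is skipped, the field after ':' counts
        i += 1
    if depth or paren:
        raise ValueError("unbalanced braces or parentheses")
    return fields, max_depth


@dataclass
class FieldLimitResult:
    fields: int
    depth: int
    exceeds: bool   # True when the document should be rejected


def check_field_limit(query: str, threshold: int = 100) -> FieldLimitResult:
    """Apply the check's threshold semantics: -1 means unlimited."""
    fields, depth = count_fields(query)
    return FieldLimitResult(fields, depth, threshold >= 0 and fields > threshold)


# Constructed sample documents (not from the page).
SAMPLE_QUERY = """
query GetUser($id: ID!) {
  user(id: $id) {
    id
    name
    friends(first: 10) @include(if: true) { id name }
  }
  alias1: user(id: "1") { id }
  alias2: user(id: "2") { id }
}
"""

FRAGMENT_QUERY = """
fragment Basic on User { id name }
query { user(id: "1") { ...Basic ... on User { email } } }
"""


def build_bulk_query(copies: int) -> str:
    """Constructed: one selection repeated under distinct aliases."""
    body = " ".join(f"u{i}: user(id: {i}) {{ id name }}" for i in range(copies))
    return "{ " + body + " }"


if __name__ == "__main__":
    for doc in (SAMPLE_QUERY, FRAGMENT_QUERY, build_bulk_query(40)):
        print(check_field_limit(doc, threshold=100))
```

Running the module reports 10 fields at depth 3 for `SAMPLE_QUERY`, 4 fields at depth 3 for `FRAGMENT_QUERY`, and 120 fields at depth 2 for the 40-copy bulk document, which is the only one rejected at a threshold of 100. Counting fields and depth together matters because the two limits catch different shapes: wide documents full of aliases trip the field count, deeply nested ones trip the depth.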
Apollo
To address potential issues with the Apollo framework engine, ensure that all dependencies are up to date, utilize the built-in security features such as schema validation and rate limiting, and follow best practices for error handling and logging. Regularly review the Apollo documentation for any updates on security advisories and recommended practices.
Yoga
To address issues within the Yoga framework engine, ensure that all components are updated to their latest versions to benefit from security patches and performance improvements. Regularly review the framework's documentation for best practices on security and efficiency. Additionally, consider implementing a thorough testing strategy that includes unit tests, integration tests, and end-to-end tests to catch potential problems early in the development cycle. Monitor the application's performance and error logs to quickly identify and resolve any issues that may arise.
Awsappsync
To address limitations in the AWS AppSync framework, ensure that your GraphQL schema is designed to handle complexity and size within the service's constraints. Optimize resolvers by batching requests and using caching mechanisms to reduce the load on data sources. Implement pagination to manage large datasets and avoid exceeding field limits. Monitor and adjust the performance of your AppSync API with CloudWatch metrics and logs. If necessary, consider splitting your API into multiple smaller, more focused GraphQL endpoints to stay within the field limits and maintain efficient data retrieval.
Graphqlgo
To mitigate potential security risks in the GraphQL Go framework engine, ensure that all queries are strictly validated against a schema, implement proper authentication and authorization checks, and use query complexity analysis to prevent denial-of-service attacks. Additionally, consider employing field-level permissions to restrict access to sensitive data and apply rate limiting to control the amount of resources a client can consume.
Graphqlruby
In the GraphQL Ruby framework, to prevent potential issues with field limits, it is recommended to implement query complexity analysis to ensure that clients cannot request an excessive amount of data, which could lead to performance problems. You can use the built-in analysis features to set a maximum complexity for your queries. Additionally, consider using the `max_depth` method to limit the depth of queries and avoid deeply nested queries that could impact the stability of your application.
Hasura
To prevent issues related to field limits in the Hasura framework engine, ensure that you define appropriate permissions and access control lists for your GraphQL schema. Use Hasura's built-in mechanisms to set maximum query depths and complexity scores, which can help in preventing resource exhaustion caused by excessively large or deeply nested queries. Additionally, consider implementing custom business logic in your backend to validate and limit the number of fields that can be queried at once, if necessary. Regularly review your schema and optimize it to handle the expected query loads efficiently.
Agoo
Implement field restrictions by limiting the number of fields that can be queried in a single request to prevent potential DoS attacks or information leakage in the Agoo framework engine.
Ariadne
Implement field whitelisting to restrict the number of fields that can be queried, ensuring only necessary fields are accessible to prevent potential DoS attacks or information leakage.
Caliban
Implement field restrictions and query validation to prevent excessive field requests in the Caliban framework.
Dgraph
Implement field restrictions and query depth limits in Dgraph to prevent excessive field requests and mitigate potential DoS attacks or information leakage.
Dianajl
Implement field restrictions in the Dianajl framework engine to limit the number of fields that can be queried, reducing the risk of DoS attacks and information leakage.
Directus
Implement field whitelisting to restrict the number of fields that can be queried, and set limits on query complexity to prevent potential DoS attacks or information leakage in the Directus framework.
Flutter
Implement input validation and limit the number of fields in queries to prevent excessive data requests in the Flutter framework engine.
Graphene
Implement query complexity analysis and set field selection limits in the Graphene framework to prevent excessive field requests.
Graphqlapiforwp
Implement query depth limiting and field selection restrictions in the GraphQL API for WP framework to prevent overly complex queries that could lead to DoS attacks or information leakage.
Graphqlgophergo
Implement query depth and complexity analysis to limit the number of fields and nested queries in GraphQL requests.
Graphqljava
Implement query depth and complexity analysis to limit the number of fields and nested queries in GraphQL requests.
Graphqlphp
Implement query complexity analysis and depth limiting in the graphql-php framework to prevent excessive field requests and mitigate potential DoS attacks or information leakage.
Graphqlyoga
Implement query depth and complexity analysis to limit the number of fields and nested queries in GraphQL Yoga.
Hypergraphql
Implement field selection limits and query depth restrictions in the HyperGraphQL framework to prevent excessive field requests and mitigate potential DoS attacks or information leakage.
Jaal
Implement field restrictions and query validation to prevent excessive field requests in the Jaal framework engine.
Juniper
Implement field restrictions and query validation to prevent excessive field requests in the Juniper framework engine.
Lacinia
Implement field selection limits and depth restrictions in Lacinia queries to prevent excessive data retrieval and mitigate potential DoS attacks.
Lighthouse
Implement field restrictions to limit the number of fields that can be queried at once, reducing the risk of DoS attacks and information leakage.
Mercurius
Implement field selection limits and validation to prevent excessive field requests in queries.
Morpheusgraphql
Implement field selection limits and depth restrictions in MorpheusGraphQL to prevent excessive data retrieval and mitigate potential DoS attacks.
Gqlgen
Implement field selection limits and depth restrictions in gqlgen to prevent excessive data exposure and mitigate potential DoS attacks.
Sangria
Implement field whitelisting and limit the number of fields that can be queried in a single request to prevent complex query crafting in the Sangria framework.
Shopify
Implement rate limiting and field validation to prevent excessive field requests in Shopify's Liquid templates.
Stepzen
Implement field restrictions and query depth limits in the StepZen framework to prevent complex queries that could lead to DoS attacks or information leakage.
Strawberry
Implement field whitelisting to restrict the number of fields that can be queried in the Strawberry framework engine.
Tartiflette
Implement field selection limits and depth restrictions in Tartiflette to prevent complex queries that could lead to DoS attacks or information leakage.
Wpgraphql
Implement field whitelisting and limit the number of fields that can be queried in a single request to prevent potential DoS attacks or information leakage in the WPGraphQL framework.
Configuration
Identifier:
resource_limitation/graphql_field_limit
Options
- threshold : Maximum fields before raising an alert (-1 = infinite).
Examples
Ignore this check
Score
- Escape Severity:
Compliance
- OWASP: API4:2023
- OWASP LLM: LLM04:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC6
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: AC-6
Classification
- CWE: 770
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1