Width limit¶
Description¶
The width of a query is the maximum number of subfields selected from a single field, that is, the size of its largest selection set. It is distinct from depth, which measures how deeply fields are nested.
Without a limit on query width, a client can select a very large number of subfields in one request, including the same field repeated under different aliases. Each selection is resolved separately, so a wide query can exhaust server resources (DoS) or return far more data than any legitimate use requires (information leakage).
Remediation¶
Set a threshold on the maximum number of subfields that can be selected from a single field, and reject queries that exceed it during validation, before any resolver runs. Count aliased repeats of a field as separate selections, and count fields pulled in through fragments, otherwise the limit is trivially bypassed.
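As an added illustration (not Escape's scanner code, and not any listed framework's own implementation), the Python below computes a query's width the way this check defines it and applies a threshold. It counts aliased repeats of a field as separate selections, merges inline fragments into the enclosing selection set and resolves fragment spreads against the document's fragment definitions, since those are the ways a client pads width without nesting deeper. Assumptions: the parser covers only the grammar subset needed for the check (fields, aliases, arguments, directives, fragments) and is not a full GraphQL parser; the sample queries are constructed; in a real server the same counting belongs in a validation rule.

```python
import re

# Whitespace, commas and comments are insignificant in GraphQL; everything else is a token.
_TOKEN_RE = re.compile(r'\s+|,|#[^\n]*|(\{|\}|\(|\)|\.\.\.|:|"(?:[^"\\]|\\.)*"|[^\s{}():,"#]+)')


def parse_document(query):
    """Parse the GraphQL subset the check needs (fields, aliases, arguments, directives,
    fragments; assumption: not a full parser). Returns (operation selection sets,
    {fragment name: selection set}); a selection is ("field", children), ("inline", children)
    or ("spread", fragment_name)."""
    tokens = [m.group(1) for m in _TOKEN_RE.finditer(query) if m.group(1)]
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else ""

    def skip_args_and_directives():  # [(args)] then any number of @name[(args)]
        nonlocal pos
        while peek() == "(" or peek().startswith("@"):
            if peek() != "(":
                pos += 1
                continue
            depth = 0
            while pos < len(tokens):  # balanced ( ... ); strings are already single tokens
                depth += {"(": 1, ")": -1}.get(tokens[pos], 0)
                pos += 1
                if depth == 0:
                    break

    def parse_selection_set():
        nonlocal pos
        if peek() != "{":
            raise ValueError("expected '{'")
        pos += 1
        selections = []
        while peek() != "}":
            if peek() == "":
                raise ValueError("unterminated selection set")
            if peek() == "...":
                pos += 1
                if peek() == "on":  # ... on Type { ... }
                    pos += 2
                if peek() == "{" or peek().startswith("@"):  # inline fragment
                    skip_args_and_directives()
                    selections.append(("inline", parse_selection_set()))
                else:  # ...FragmentName
                    selections.append(("spread", peek()))
                    pos += 1
                    skip_args_and_directives()
            else:  # [alias:] name [(args)] [@directives] [{ ... }]
                pos += 1
                if peek() == ":":  # aliases let a client repeat one field; each is a selection
                    pos += 2
                skip_args_and_directives()
                selections.append(("field", parse_selection_set() if peek() == "{" else []))
        pos += 1
        return selections

    operations, fragments = [], {}
    while pos < len(tokens):
        if peek() == "fragment":  # fragment Name on Type [@dir] { ... }
            name = tokens[pos + 1]
            pos += 4
            skip_args_and_directives()
            fragments[name] = parse_selection_set()
        else:  # [query|mutation|subscription [Name] [(vars)] [@dir]] { ... }
            while peek() not in ("{", "(", ""):
                pos += 1
            skip_args_and_directives()
            operations.append(parse_selection_set())
    return operations, fragments


def _measure(selections, fragments, active=frozenset()):
    """(selections in this set, widest set below it); inline fragments and spreads merge in."""
    count, widest = 0, 0
    for kind, body in selections:
        inner = active
        if kind == "spread":
            if body in active:  # fragment cycle (invalid GraphQL): do not recurse forever
                continue
            body, inner = fragments[body], active | {body}
        c, w = _measure(body, fragments, inner)
        count, widest = (count + 1, max(widest, c, w)) if kind == "field" else (count + c, max(widest, w))
    return count, widest


def query_width(query):
    operations, fragments = parse_document(query)
    return max((max(_measure(s, fragments)) for s in operations), default=0)


def check_width_limit(query, threshold):  # same semantics as the threshold option: -1 = no limit
    width = query_width(query)
    return width, threshold < 0 or width <= threshold


# Constructed sample documents: a benign query, a fragment-heavy one, and a 50-alias flood.
NORMAL_QUERY = "{ user(id: 1) { id name email } }"
FRAGMENT_QUERY = """query Profile($id: ID!) { user(id: $id) {
  ...Core  ... on Admin { permissions }  posts(first: 10) @include(if: true) { id title } } }
fragment Core on User { id name email }"""
ALIAS_FLOOD = "{ " + " ".join("u%d: user(id: %d) { id name }" % (i, i) for i in range(50)) + " }"
```

`check_width_limit(ALIAS_FLOOD, 20)` returns `(50, False)`: fifty aliased copies of `user` sit in one selection set, which a depth limit alone never notices because the document is only two levels deep. `FRAGMENT_QUERY` measures 5 rather than 2 because the three fields of `Core` and the inline fragment's field are merged into `user`'s selection set.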
GraphQL Specific¶
Apollo
Apollo Server does not ship a width limit of its own. Add a custom graphql-js validation rule (Apollo Server accepts these through its `validationRules` option) that counts the selections in every selection set of the parsed document and rejects it above the threshold, so that oversized queries fail validation before any resolver runs. Keep the framework on a current stable release so that the validation and plugin hooks you rely on are still supported.
Yoga
GraphQL Yoga (the JavaScript server) accepts graphql-js validation rules and Envelop plugins. Enforce the width limit with a validation rule that counts the selections in each selection set, including aliased repeats and fields pulled in through fragments, and rejects the document when the count exceeds the threshold.
Awsappsync
AWS AppSync is a managed service, so you cannot add custom validation rules. Use the API-level query depth limit and resolver count limit that AppSync exposes; the resolver count limit is the closest control to a width limit, since each selected field that invokes a resolver counts against it. Design the schema so that large collections are paginated, and monitor response sizes to detect queries that pull far more data than intended.
Graphqlgo
In graphql-go, enforce a width limit: the number of subfields selected from one field. This is distinct from a depth limit, which bounds nesting; an alias flood is only two levels deep and passes a depth check. Implement the width check as a validation rule or middleware that walks the parsed document and counts the selections in each selection set, and combine it with query complexity analysis.
Graphqlruby
In graphql-ruby, bound query size at the schema level: `max_complexity` caps the total cost of a query (assign per-field costs so that wide selection sets become expensive) and `max_depth` caps nesting. Both are settings on your `GraphQL::Schema` subclass and reject the query at validation time. Add rate limiting at the transport layer if queries that pass these checks are still cheap enough to repeat at volume.
Hasura
In Hasura, restrict how much a query can select with role-based field-level permissions, exposing only the columns and relationships each role needs. Combine this with Hasura's API limits (node limit, depth limit and rate limit, available in Hasura Cloud and Enterprise) so that overly wide or deep queries are rejected before they reach the database.
Agoo
Set a maximum width limit for GraphQL queries in the Agoo framework to prevent excessive subfield requests, mitigating the risk of DoS attacks and information leakage.
Ariadne
Set a maximum width limit on GraphQL queries in the Ariadne framework to prevent excessive subfield requests, reducing the risk of DoS attacks and information leakage.
Caliban
Set a maximum query width in the Caliban framework to prevent excessive subfield requests, mitigating risks of DoS attacks and information leakage.
Dgraph
Set a maximum width limit on GraphQL queries in Dgraph to prevent excessive subfield requests, mitigating the risk of DoS attacks and information leakage.
Dianajl
Set a maximum width limit on GraphQL queries in the DianaJL framework engine to prevent complex queries that could lead to DoS attacks or information leakage.
Directus
Set a maximum width limit for GraphQL queries in Directus to prevent excessive subfield requests, mitigating risks of DoS attacks and information leakage.
Flutter
Flutter is a client framework; a width limit applied inside the app does not protect the API, because an attacker sends queries to the endpoint directly. Enforce the limit on the GraphQL server and treat the Flutter client as just one consumer of that server.
Graphene
Set a maximum query width in the Graphene framework to prevent excessive subfield requests, mitigating risks of DoS attacks and information leakage.
Graphqlapiforwp
Set a maximum width limit on GraphQL queries in the graphqlapiforwp framework to prevent overly complex queries that could lead to DoS attacks or information leakage.
Graphqlgophergo
Set a maximum width limit on GraphQL queries in the graphqlgophergo framework to prevent excessive subfield requests, mitigating risks of DoS attacks and information leakage.
Graphqljava
Set a maximum query width in the GraphQL Java framework to prevent excessive subfield queries, mitigating risks of DoS attacks and information leakage.
Graphqlphp
Set a maximum width limit for queries in the graphqlphp framework to prevent overly complex queries that could lead to DoS attacks or information leakage.
Graphqlyoga
Set a maximum query width in the GraphQL Yoga framework to prevent overly complex queries that could lead to DoS attacks or information leakage.
Hypergraphql
Set a maximum width limit for queries in the HyperGraphQL framework to prevent excessive subfield requests, mitigating the risk of DoS attacks and information leakage.
Jaal
Set a maximum width limit on GraphQL queries in the Jaal framework to prevent complex queries that could lead to DoS attacks or information leakage by restricting the number of subfields queried from a single field.
Juniper
Set a maximum width limit on GraphQL queries in the Juniper framework to prevent excessive subfield requests, mitigating the risk of DoS attacks and information leakage.
Lacinia
Set a maximum width limit for queries in the Lacinia framework to prevent excessive subfield requests, reducing the risk of DoS attacks and information leakage.
Lighthouse
Set a maximum width limit on GraphQL queries in Lighthouse to prevent excessive subfield requests, mitigating risks of DoS attacks and information leakage.
Mercurius
Set a maximum query width in Mercurius to prevent excessive subfield requests, mitigating risks of DoS attacks and information leakage.
Morpheusgraphql
Set a maximum width limit for queries in MorpheusGraphQL to prevent excessive subfield requests, mitigating risks of DoS attacks and information leakage.
Gqlgen
Set a maximum width limit for queries in gqlgen to prevent excessive subfield requests, reducing the risk of DoS attacks and information leakage.
Sangria
Set a maximum query width in the Sangria framework to prevent excessive subfield requests, mitigating the risk of DoS attacks and information leakage.
Shopify
Set a maximum width limit on GraphQL queries in the Shopify framework to prevent complex queries that could lead to DoS attacks or information leakage.
Stepzen
Set a maximum width limit for GraphQL queries in the StepZen framework to prevent overly complex queries that could lead to DoS attacks or information leakage.
Strawberry
Set a maximum width limit on GraphQL queries in the Strawberry framework to prevent excessive subfield requests, mitigating risks of DoS attacks and information leakage.
Tartiflette
Set a maximum width limit for queries in the Tartiflette framework to prevent excessive subfield requests, mitigating the risk of DoS attacks and information leakage.
Wpgraphql
Set a maximum width limit on GraphQL queries in the WPGraphQL framework to prevent excessive subfield requests, mitigating risks of DoS attacks and information leakage.
Configuration¶
Identifier:
resource_limitation/graphql_width_limit
Options¶
- threshold : Maximum width (subfields selected from a single field) before raising an alert (-1 = no limit).
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API4:2023
- OWASP LLM: LLM04:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC6
- psd2: Article-94
- iso27001: A.14.2
- nist: SP800-53
- fedramp: SC-5
Classification¶
- CWE: 770
Score¶
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1