Skip to content

Permissive JSON Input

Description

Inputable JSON scalars are an arbitrary scalar type that allow users to return JSON objects from the schema. It is a weak typing bad practice and may represent an unhandled data leak risk for your application.

Remediation

When possible, use typed input objects instead.

GraphQL Specific

Apollo Ensure strong typing in JSON schemas and validate the types of all inputs rigorously to prevent type-related security issues. In the Apollo framework, use resolvers to enforce the correct types and consider implementing additional middleware for input validation.
Yoga Ensure strong typing in JSON parsing within the Yoga framework engine by explicitly defining and validating the types of all data fields. Avoid relying on implicit or weak typing to prevent type-related security vulnerabilities.
Awsappsync Ensure strong typing in your schema definitions and resolvers to prevent type coercion vulnerabilities. Explicitly define types for all fields in your GraphQL schema and avoid using generic types like 'JSON' or 'AWSJSON' unless absolutely necessary. When using resolvers, validate the input types and enforce strict type checking before processing the data within your AWS AppSync functions.
Graphqlgo Ensure strong typing in GraphQL schema definitions and validate incoming JSON requests against the schema to prevent type-related issues. Avoid implicit type coercion by explicitly defining scalar types and using custom scalar types if necessary to handle complex data structures or validation requirements.
Graphqlruby In the GraphQL Ruby framework, ensure that you define your types explicitly and handle the parsing of input values carefully. Use the built-in scalar types provided by GraphQL Ruby, such as Int, Float, Boolean, and ID, to enforce strict typing. Avoid using generic types like JSON or String for complex inputs when possible. If you must accept JSON inputs, parse and validate them thoroughly on the server side before processing to prevent type-related security vulnerabilities. Additionally, consider implementing custom scalar types with validation logic to enforce the correct structure and data types of the input.
Hasura Ensure strict type checking in Hasura by using explicit casting or type annotations in your GraphQL queries and mutations to prevent weak typing issues. Additionally, validate the JSON inputs against predefined schemas to enforce the correct types.
Agoo Ensure strict input validation and type checking in the Agoo framework to prevent weak typing and potential data leaks.
Ariadne In the Ariadne framework, ensure that your GraphQL schema is strictly typed to prevent permissive JSON input. Avoid using arbitrary scalar types for JSON objects. Instead, define specific input types and validate them rigorously to mitigate the risk of unhandled data leaks.
Caliban Ensure strict type validation in Caliban by defining precise GraphQL schemas and avoid using arbitrary JSON scalars to prevent potential data leaks.
Dgraph Ensure strict type validation in Dgraph by defining precise schema types and avoid using arbitrary JSON scalars to prevent potential data leaks.
Dianajl In the DianaJL framework engine, ensure that JSON inputs are strictly validated and typed to prevent weak typing issues. Avoid using arbitrary scalar types for JSON objects to mitigate the risk of data leaks. Implement strong input validation and consider using parameterized queries to enhance security.
Directus Ensure strict data validation and type enforcement in Directus by defining precise field types and using validation rules to prevent arbitrary JSON input, reducing the risk of data leaks and maintaining data integrity.
Flutter Ensure strict typing and validation of JSON inputs in Flutter applications to prevent data leaks and maintain data integrity.
Graphene In the Graphene framework, ensure that your schema strictly defines the expected types for all inputs and outputs. Avoid using overly permissive scalar types for JSON inputs to prevent potential data leaks and maintain strong typing practices.
Graphqlapiforwp Ensure strict type definitions in your GraphQL schema to prevent arbitrary JSON scalars. Validate and sanitize all inputs to mitigate potential data leaks and enhance security in the graphqlapiforwp framework engine.
Graphqlgophergo Ensure strict type definitions in your GraphQL schema to prevent arbitrary JSON scalars. Validate and sanitize all inputs to mitigate potential data leaks and enhance security in the graphqlgophergo framework.
Graphqljava Ensure strict type definitions in your GraphQL schema to prevent arbitrary JSON scalars. Validate and sanitize all inputs to mitigate potential data leaks and enforce strong typing practices.
Graphqlphp Ensure strict input validation and type checking in your GraphQL schema to prevent weak typing issues. Avoid using arbitrary scalar types for JSON inputs and instead define specific input types that match your application's data requirements. This helps mitigate the risk of unhandled data leaks and enhances the security of your application.
Graphqlyoga In GraphQL Yoga, ensure that you define strict input types for your queries and mutations to prevent arbitrary JSON scalars. Avoid using overly permissive input types and validate all incoming data to mitigate potential data leaks and maintain strong typing practices.
Hypergraphql Ensure strict type validation in HyperGraphQL by defining precise schema types and avoiding the use of arbitrary scalars to prevent potential data leaks.
Jaal Ensure strict typing and validation of JSON inputs in the Jaal framework to prevent data leaks and maintain data integrity.
Juniper Ensure strict JSON schema validation in Juniper to prevent weak typing and potential data leaks.
Lacinia In the Lacinia framework, ensure that your schema strictly defines the expected types for all inputs and outputs. Avoid using arbitrary scalar types for JSON inputs to prevent weak typing and potential data leaks. Instead, validate and sanitize all JSON data before processing to maintain strong typing and enhance security.
Lighthouse Ensure strict typing and validation of JSON inputs in the Lighthouse framework to prevent potential data leaks and maintain data integrity.
Mercurius In the Mercurius framework, ensure that JSON inputs are strictly validated and sanitized to prevent weak typing issues. Avoid using arbitrary scalar types for JSON inputs and instead define explicit types in your schema to enhance security and prevent potential data leaks.
Morpheusgraphql Ensure strict type definitions in MorpheusGraphQL to prevent weak typing and potential data leaks. Avoid using arbitrary scalar types for JSON inputs and enforce schema validation to maintain data integrity.
Qglgen In the gqlgen framework, ensure that your GraphQL schema is strongly typed and avoid using arbitrary scalar types for JSON inputs. Instead, define specific input types for your JSON data to prevent unhandled data leaks and maintain type safety.
Sangria In the Sangria framework, ensure that your schema strictly defines the expected types for all inputs and outputs to prevent weak typing issues. Avoid using arbitrary scalars for JSON inputs and outputs, and instead, validate and sanitize all JSON data to mitigate potential data leak risks.
Shopify Ensure strict typing in your Shopify framework by validating JSON inputs and avoiding arbitrary scalar types to prevent potential data leaks.
Stepzen In the StepZen framework, ensure that your GraphQL schema defines specific scalar types instead of using arbitrary JSON scalars. This helps maintain strong typing and prevents potential data leaks. Consider using parameterized queries and input validation to enhance security.
Strawberry Ensure strict type validation in your Strawberry framework schema to prevent weak typing and potential data leaks. Avoid using permissive JSON scalars and instead define precise types for your inputs and outputs.
Tartiflette In the Tartiflette framework, ensure that your schema defines explicit types for all inputs and outputs to avoid using permissive JSON scalars. This practice helps maintain strong typing and reduces the risk of unhandled data leaks. Always validate and sanitize inputs to protect your application from potential vulnerabilities.
Wpgraphql Ensure strict type definitions in your wpgraphql schema to prevent weak typing and potential data leaks. Avoid using arbitrary scalar types for JSON inputs and outputs. Implement input validation and sanitization to enhance security.

Configuration

Identifier: schema/permissive_json_input

Examples

Ignore this check

checks:
  schema/permissive_json_input:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.9
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.18.1
  • nist: SP800-53
  • fedramp: SI-10

Classification

  • CWE: 20

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:H/RL:O/RC:C