
Response type mismatch

Description

This security check verifies that all the data returned in the response matches its expected type, as defined in the introspection.

Remediation

Update your resolver so that the type it actually returns matches the type declared in the schema (and exposed through introspection); if the schema is what is wrong, correct the schema definition instead.

GraphQL Specific

  • Apollo: Ensure that the response type in the Apollo framework engine matches the expected type defined in the GraphQL schema. This can be achieved by validating that the resolver functions return the correct type and by using schema type checks during development to prevent type mismatches.

  • Yoga: Ensure that the Yoga framework engine is configured to handle the expected response types for each endpoint. Verify that the content types in the requests and responses match, and that the data serialization and deserialization processes align with the specified formats. If necessary, implement custom serializers or parsers to manage content type negotiation and conversion accurately.

  • AWS AppSync: Ensure that the response type in the resolver matches the expected return type defined in the GraphQL schema. If there is a mismatch, update the resolver to correctly handle the data structure and types as per the schema definition.

  • graphql-go: Ensure that the GraphQL schema strictly defines the types for all fields and that the resolver functions correctly handle the types as defined. Implement input validation to verify that the data received matches the expected types before processing the query. Use middleware or schema directives for consistent validation across resolvers.

  • GraphQL Ruby: Ensure that the types defined in the GraphQL schema match the expected response types in the Ruby resolver functions. Utilize the GraphQL Ruby framework's type-checking features to enforce the correct data types and structures. Additionally, implement custom type validations if necessary to handle complex data structures or custom business logic.

  • Hasura: Ensure that the expected response type in the client matches the actual response type provided by the Hasura GraphQL engine. Verify the GraphQL query or mutation structure and types in the schema, and update the client-side parsing logic to correctly handle the data structure returned by Hasura.

  • Agoo: Ensure that the response data types in the Agoo framework engine match the expected types defined in the introspection to prevent type mismatch vulnerabilities.

  • Ariadne: Ensure that the response data types in Ariadne match the expected types defined in the GraphQL schema to prevent type mismatches.

  • Caliban: Ensure that the response types in Caliban match the expected types defined in the GraphQL schema to prevent type mismatches.

  • Dgraph: Ensure that all response data types in Dgraph queries match the expected types defined in the schema to prevent type mismatches and potential security vulnerabilities.

  • DianaJL: Ensure that the response data types in the DianaJL framework engine match the expected types as defined in the introspection to prevent type mismatch vulnerabilities.

  • Directus: Ensure that all API responses in the Directus framework match the expected data types as defined in the schema to prevent type mismatch vulnerabilities.

  • Flutter: Ensure that all API responses in the Flutter framework are validated against expected data types to prevent type mismatches and potential security vulnerabilities.

  • Graphene: Ensure that the GraphQL schema in the Graphene framework strictly defines the expected data types for all fields and that the resolver functions return data matching these types to prevent response type mismatches.

  • GraphQL API for WP: Ensure that the GraphQL API for WP framework engine enforces strict type validation on all responses to prevent type mismatches and potential security vulnerabilities.

  • GopherGo: Ensure that all GraphQL responses in the GopherGo framework strictly adhere to the expected data types as defined in the schema to prevent type mismatches.

  • graphql-java: Ensure that the GraphQL schema in the graphql-java framework accurately defines the expected data types for all fields, and validate the response data against these types to prevent type mismatches.

  • graphql-php: Ensure that the GraphQL schema in the graphql-php framework strictly defines the expected types for all fields and that the resolvers return data matching these types to prevent response type mismatches.

  • GraphQL Yoga: Ensure that the GraphQL Yoga server is configured to validate response types against the schema to prevent type mismatches.

  • HyperGraphQL: Ensure that the response data types in HyperGraphQL match the expected types defined in the schema introspection.

  • Jaal: Ensure that the response data types in the Jaal framework engine match the expected types defined in the introspection to prevent type mismatch vulnerabilities.

  • Juniper: Ensure that all response data types in the Juniper framework engine match their expected types as defined in the introspection to prevent type mismatch vulnerabilities.

  • Lacinia: Ensure that the response types in Lacinia match the expected types defined in the schema by using proper type coercion and validation mechanisms.

  • Lighthouse: Ensure that all response data types align with their expected types as defined in the introspection to prevent type mismatches.

  • Mercurius: Ensure that the response data types in Mercurius match the expected types defined in the GraphQL schema to prevent type mismatches.

  • Morpheus GraphQL: Ensure that the Morpheus GraphQL framework engine enforces strict type checking on all response data to match the expected types defined in the schema introspection.

  • gqlgen: Ensure that the response types in gqlgen match the expected types defined in the GraphQL schema to prevent type mismatches.

  • Sangria: Ensure that the response types in the Sangria GraphQL engine match the expected types defined in the schema to prevent type mismatches and potential security vulnerabilities.

  • Shopify: Ensure that all API responses in the Shopify framework match the expected data types as defined in the schema to prevent type mismatch vulnerabilities.

  • StepZen: Ensure that the response data types in StepZen match the expected types defined in the schema to prevent type mismatches.

  • Strawberry: Ensure that the response data types in the Strawberry framework engine match the expected types defined in the schema to prevent type mismatches.

  • Tartiflette: Ensure that the response types in Tartiflette match the expected types defined in the GraphQL schema to prevent type mismatches.

  • WPGraphQL: Ensure that the response data types in WPGraphQL match the expected types defined in the schema to prevent type mismatches and potential security vulnerabilities.
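The following is an added example illustrating the description, the remediation and the framework-specific advice above; it is not Escape's scanner code nor code from any of the frameworks listed. It is a small Python checker that walks a GraphQL JSON response against a constructed, introspection-style type map (the SCHEMA, DB_ROW, resolver and function names are all hypothetical), reports each field whose value does not match its declared type, and pairs a resolver that passes storage values through unchanged with the remediated resolver that coerces them to the schema's types first. It covers NON_NULL, LIST, OBJECT, ENUM and the built-in scalars; custom scalars, unions and interfaces are deliberately left out.

```python
import json
from typing import Any, Callable, Dict, List

# Constructed, introspection-style type map (hypothetical schema): each object
# type maps field names to a type reference using the same kind/name/ofType
# nesting that an introspection query returns for a field's type.
SCHEMA: Dict[str, Dict[str, Dict[str, Any]]] = {
    "Query": {
        "user": {"kind": "OBJECT", "name": "User", "ofType": None},
    },
    "User": {
        "id": {"kind": "NON_NULL", "name": None,
               "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}},
        "age": {"kind": "SCALAR", "name": "Int", "ofType": None},
        "tags": {"kind": "LIST", "name": None,
                 "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}},
        "active": {"kind": "SCALAR", "name": "Boolean", "ofType": None},
        "role": {"kind": "ENUM", "name": "Role", "ofType": None},
    },
}

# How each built-in scalar must appear in the JSON response (GraphQL result
# coercion: ID serializes as a string, Float also accepts integers). bool is
# excluded from the numeric checks because it is an int subclass in Python.
SCALAR_CHECKS: Dict[str, Callable[[Any], bool]] = {
    "Int": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "Float": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "String": lambda v: isinstance(v, str),
    "ID": lambda v: isinstance(v, str),
    "Boolean": lambda v: isinstance(v, bool),
}


def check_value(value: Any, type_ref: Dict[str, Any], path: str, findings: List[str]) -> None:
    """Recursively compare one response value with its declared type reference."""
    kind = type_ref["kind"]
    if kind == "NON_NULL":
        if value is None:
            findings.append(f"{path}: null returned for non-null type")
        else:
            check_value(value, type_ref["ofType"], path, findings)
        return
    if value is None:  # every other type is nullable
        return
    if kind == "LIST":
        if not isinstance(value, list):
            findings.append(f"{path}: expected list, got {type(value).__name__}")
            return
        for i, item in enumerate(value):
            check_value(item, type_ref["ofType"], f"{path}[{i}]", findings)
    elif kind == "SCALAR":
        checker = SCALAR_CHECKS.get(type_ref["name"])  # custom scalars are skipped
        if checker is not None and not checker(value):
            findings.append(f"{path}: expected {type_ref['name']}, got {json.dumps(value)}")
    elif kind == "ENUM":
        if not isinstance(value, str):  # enum values serialize as strings
            findings.append(f"{path}: expected enum {type_ref['name']}, got {json.dumps(value)}")
    elif kind == "OBJECT":
        if not isinstance(value, dict):
            findings.append(f"{path}: expected object {type_ref['name']}, got {json.dumps(value)}")
            return
        fields = SCHEMA[type_ref["name"]]
        for name, field_value in value.items():
            if name not in fields:
                findings.append(f"{path}.{name}: field not declared on {type_ref['name']}")
            else:
                check_value(field_value, fields[name], f"{path}.{name}", findings)
    # UNION and INTERFACE would need __typename handling; not covered here.


def check_response(response: Dict[str, Any]) -> List[str]:
    """Return one finding per field whose value disagrees with its declared type."""
    findings: List[str] = []
    if response.get("data") is not None:  # data is null when execution failed
        check_value(response["data"], {"kind": "OBJECT", "name": "Query", "ofType": None},
                    "data", findings)
    return findings


# Constructed storage row (hypothetical): a common source of this finding is a
# storage layer that hands back strings and 0/1 flags while the schema
# declares Int and Boolean.
DB_ROW = {"id": 7, "age": "42", "tags": "admin,staff", "active": 1, "role": "ADMIN"}


def resolve_user_before() -> Dict[str, Any]:
    """Resolver that passes storage values through unchanged (the mismatch)."""
    return dict(DB_ROW)


def resolve_user_after() -> Dict[str, Any]:
    """Remediated resolver: coerce each value to the type the schema declares."""
    return {
        "id": str(DB_ROW["id"]),
        "age": int(DB_ROW["age"]),
        "tags": DB_ROW["tags"].split(","),
        "active": bool(DB_ROW["active"]),
        "role": DB_ROW["role"],
    }


def execute(resolver: Callable[[], Dict[str, Any]]) -> Dict[str, Any]:
    """Stand-in for a GraphQL engine: wraps the resolver result in the data envelope."""
    return {"data": {"user": resolver()}}


if __name__ == "__main__":
    for label, resolver in (("before", resolve_user_before), ("after", resolve_user_after)):
        print(f"{label}: {check_response(execute(resolver)) or 'no mismatches'}")
```

Run stand-alone, the "before" resolver produces four findings (ID returned as a number, Int as a string, a scalar where a list was declared, and 1 where a Boolean was declared) while the remediated resolver produces none. The same walk can be pointed at a real server by replacing SCHEMA with the object types from an introspection response and passing the raw JSON body to check_response.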

Configuration

Identifier: schema/response_type_mismatch

Examples

Ignore this check

checks:
  schema/response_type_mismatch:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC5

  • psd2: Article-97

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-4

Classification

  • CWE: 573

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/RL:O

References