Skip to content

Typing misconfiguration

Description

Look for typing misconfigurations by checking if a mutation parameter with the wrong parameter type succeeds.

Remediation

Do not resolve queries with a wrong argument type.

GraphQL Specific

Apollo Ensure that all configurations in the Apollo framework engine are correctly set according to the official Apollo documentation. Double-check environment variables, API endpoints, and other settings for accuracy. Use a version control system to track changes and facilitate rollback in case of misconfiguration. Additionally, consider implementing automated checks or a configuration management tool to validate settings before deployment.
Yoga Ensure that the Yoga framework engine configuration files are correctly set with the appropriate parameters, paying close attention to syntax and data types. Validate the configuration by using schema validation tools or built-in framework validators if available. Regularly review and test the configuration in a controlled environment before deploying to production.
Awsappsync To address typing misconfigurations in AWS AppSync, ensure that your schema definitions match the expected types in your resolvers. Validate the schema with AWS AppSync's built-in tools before deployment. Additionally, implement unit tests for your resolvers to catch typing issues early in the development process. Use AWS CloudFormation or the AWS CLI to automate and roll back deployments in case of configuration errors.
Graphqlgo Ensure proper validation and sanitization of user inputs to prevent injection attacks. Implement strict type checking and use parameterized queries or prepared statements to handle data passed to the GraphQL engine. Regularly review and update security configurations and dependencies to mitigate potential vulnerabilities.
Graphqlruby Ensure that the GraphQL Ruby framework is properly configured to use prepared statements or parameterized queries to prevent potential injection attacks. Regularly review and update the configuration settings to maintain security as the application evolves.
Hasura Ensure that the Hasura GraphQL engine configuration is set correctly by reviewing the environment variables and settings in the `config.yaml` file. Verify that the database connection strings, API ports, and other critical settings are accurate and secure. Additionally, use role-based access control to restrict permissions and apply policies that enforce strong security practices. Regularly update the Hasura engine to the latest version to benefit from security patches and improvements.
Agoo Ensure correct parameter types in mutation operations to prevent typing misconfigurations in the Agoo framework.
Ariadne Ensure correct type validation for mutation parameters in the Ariadne framework to prevent misconfigurations.
Caliban Ensure correct GraphQL type definitions in Caliban by validating mutation parameters against expected types.
Dgraph Ensure correct data types in mutation parameters by validating input types before execution in the Dgraph framework.
Dianajl Ensure correct data types are enforced for all mutation parameters in the Dianajl framework engine to prevent typing misconfigurations.
Directus Ensure correct data types in Directus by validating schema definitions and using type-safe mutations.
Flutter Ensure type safety by using Dart's strong typing features and validate parameter types at compile time to prevent typing misconfigurations in Flutter applications.
Graphene Ensure correct type definitions in Graphene by validating mutation parameters against the expected types in the schema.
Graphqlapiforwp Ensure that all GraphQL API parameters in the graphqlapiforwp framework are correctly typed to prevent misconfigurations and potential security vulnerabilities.
Graphqlgophergo Ensure correct type definitions in GraphQL schema to prevent typing misconfigurations.
Graphqljava Ensure correct type definitions in GraphQL schema and validate input types at runtime to prevent typing misconfigurations.
Graphqlphp Ensure correct type definitions in GraphQL schema to prevent typing misconfigurations.
Graphqlyoga Ensure correct type definitions in your GraphQL schema to prevent typing misconfigurations.
Hypergraphql Ensure correct data types in mutation parameters by validating input types against the schema before execution in the HyperGraphQL engine.
Jaal Ensure that all mutation parameters in the Jaal framework engine are correctly typed to prevent misconfigurations.
Juniper Ensure correct data types in mutation parameters to prevent typing misconfigurations in the Juniper framework engine.
Lacinia Ensure correct type definitions in Lacinia schema to prevent typing misconfigurations.
Lighthouse Ensure correct typing in mutation parameters by validating parameter types before execution in the Lighthouse framework.
Mercurius Ensure correct typing in Mercurius by validating mutation parameters against expected types before execution.
Morpheusgraphql Ensure correct parameter types in Morpheus GraphQL by validating mutation parameters against expected types before execution.
Qglgen Ensure correct type definitions in GraphQL schema and resolvers to prevent typing misconfigurations in gqlgen framework.
Sangria Ensure correct type definitions in schema to prevent typing misconfigurations in Sangria.
Shopify Ensure that all input parameters in the Shopify framework are correctly typed and validated to prevent misconfigurations and potential security vulnerabilities.
Stepzen Ensure correct data types in mutation parameters by validating input types against the schema in the StepZen framework.
Strawberry Ensure correct typing by validating mutation parameters against expected types in the Strawberry framework.
Tartiflette Ensure correct typing in mutation parameters by validating parameter types in the Tartiflette engine.
Wpgraphql Ensure correct data types in GraphQL mutations by validating input types against the schema before execution.

REST Specific

Asp_net Ensure strong typing in ASP.NET by using explicit data types and model binding. Validate all inputs against expected types and handle parsing errors gracefully to prevent type-related vulnerabilities.
Ruby_on_rails In Ruby on Rails, ensure strong parameter validation by using the built-in `require` and `permit` methods to whitelist allowed parameters. Additionally, employ Active Record validations to enforce data types and constraints at the model level.
Next_js Ensure proper validation of input types and implement strict type checking in API endpoints to prevent typing misconfigurations in the Next.js application.
Laravel In Laravel, ensure that you are using Eloquent ORM or the query builder's parameter binding to prevent typing misconfigurations and SQL injection vulnerabilities. Avoid using raw queries with user input. Always validate and sanitize input data.
Express_js Ensure proper validation of input types and implement middleware such as `express-validator` to check for data types and patterns before processing requests.
Django In Django, ensure that all query parameters are properly escaped by using the ORM's built-in querysets or by employing parameterized queries with `raw()` or `execute()` methods. Avoid string formatting or concatenation to prevent SQL injection vulnerabilities.
Symfony In Symfony, ensure that you use the built-in form component with proper data types and validation rules to prevent typing misconfigurations. Additionally, leverage the ParamConverter feature for type-hinting and automatic validation of request parameters.
Spring_boot Ensure strong typing in Spring Boot by using DTOs (Data Transfer Objects) with proper validation annotations, and leverage Spring's built-in type conversion to prevent type-related misconfigurations. Additionally, use @Valid on controller method parameters to enforce validation rules.
Flask Ensure proper type checking of user inputs and utilize Flask-WTF or similar extensions to validate form data. Implement custom validation logic if necessary to catch typing misconfigurations.
Nuxt Ensure proper validation of input types and implement strict type checking before passing data to components or API endpoints in Nuxt.js applications to prevent typing misconfigurations.
Fastapi In FastAPI, ensure that all endpoint parameters are explicitly typed and validated using Pydantic models or FastAPI's built-in validation. Use dependency injection to share common validation logic across endpoints.
Frappe Ensure that all DocType fields in the Frappe framework have the correct data types defined to prevent typing misconfigurations.
Genzio Ensure correct data types are enforced for all mutation parameters in the Genzio framework engine to prevent typing misconfigurations.
Gin Ensure correct data types in Gin framework by validating request parameters and using binding tags to enforce type constraints.
Gorilla Ensure correct parameter types in mutation operations within the Gorilla framework by validating input types before execution.
Hapi Validate payloads using Joi schemas to ensure correct data types in Hapi.js applications.
Hono Ensure correct parameter types in mutation operations by validating input types before execution in the Hono framework engine.
Jersey Ensure that all resource methods in the Jersey framework have correctly typed parameters to prevent misconfigurations and potential runtime errors.
Koa Ensure correct parameter types in Koa middleware by validating request parameters and using type-checking libraries.
Ktor Ensure correct typing in Ktor by validating request parameters against expected types and using type-safe builders.
Leptos Ensure correct type annotations in Leptos framework components to prevent typing misconfigurations.
Macaron Ensure correct typing in mutation parameters by validating parameter types before execution in the Macaron framework.
Phoenix Ensure proper type validation in Phoenix by using Ecto changesets to enforce data integrity and prevent typing misconfigurations.
Redwoodjs Ensure correct type definitions in RedwoodJS by validating GraphQL mutations and queries against the schema to prevent typing misconfigurations.
Rocket Ensure correct typing in mutation parameters by validating parameter types before execution in Rocket framework.
Sveltekit Ensure correct typing in SvelteKit by validating mutation parameters against expected types and using TypeScript for type safety.

Configuration

Identifier: schema/typing_misconfiguration

Options

  • skip_objects : List of object that are to be skipped by the security test.

Examples

Ignore this check

checks:
  schema/typing_misconfiguration:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023
  • OWASP LLM: LLM07:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 20

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/RL:O/RC:C

References