Zombie object¶
Description¶
Zombie objects are object types that are declared in your GraphQL schema but are not reachable from any query, mutation, or subscription. Most of the time, zombie objects reveal legacy or unused parts of your codebase. Because they are neither maintained nor patched, they are a privileged attack vector and represent a severe security risk for your application.
Remediation¶
Remove zombie objects from your schema and associated code if they are indeed useless in your codebase, otherwise make them accessible from at least one query, mutation or subscription.
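The reachability check described above, as an added example that is not part of Escape's own tooling: it walks a small constructed SDL schema from the root operation types and lists every declared type that no root can reach. The simplified regex-based parser, the sample schema and the type names in it are assumptions for illustration, not a full GraphQL parser.

```python
import re
from collections import deque

SCALARS = {"Int", "Float", "String", "Boolean", "ID"}
DEFAULT_ROOTS = {"Query", "Mutation", "Subscription"}

# Simplified SDL matching: `type|interface|input Name [implements ...] { fields }`.
# Enough for the constructed sample below; not a full parser (no descriptions, directives, unions, enums).
DEF_RE = re.compile(r"\b(type|interface|input)\s+(\w+)([^{]*)\{([^}]*)\}")
SCHEMA_RE = re.compile(r"\bschema\s*\{([^}]*)\}")
ROOT_RE = re.compile(r"\b(?:query|mutation|subscription)\s*:\s*(\w+)")
TYPE_NAME_RE = re.compile(r"\b[A-Z]\w*\b")  # GraphQL type names start with a capital by convention

def parse_sdl(sdl):
    """Map each declared type to the set of non-scalar types it references."""
    graph = {}
    for _kind, name, head, body in DEF_RE.findall(sdl):
        refs = set(TYPE_NAME_RE.findall(head)) | set(TYPE_NAME_RE.findall(body))
        graph[name] = refs - SCALARS - {name}
    return graph

def root_types(sdl):
    """Honour a custom `schema { query: ... }` block, else use the default root names."""
    m = SCHEMA_RE.search(sdl)
    return set(ROOT_RE.findall(m.group(1))) if m else set(DEFAULT_ROOTS)

def zombie_types(sdl):
    """Return declared types that no root operation type can reach, sorted by name."""
    graph = parse_sdl(sdl)
    queue = deque(r for r in root_types(sdl) if r in graph)
    seen = set(queue)
    while queue:  # breadth-first walk over field, argument and interface references
        for ref in graph[queue.popleft()]:
            if ref in graph and ref not in seen:
                seen.add(ref)
                queue.append(ref)
    return sorted(t for t in graph if t not in seen)

# Constructed sample schema: LegacyReport is declared but no root reaches it, and
# LegacyFilter is referenced only by LegacyReport, so both are zombies.
SAMPLE_SDL = """
type Query { me: User  orders(first: Int): [Order!]! }
type Mutation { updateUser(id: ID!, input: UserInput!): User }
type User { id: ID!  name: String  orders: [Order] }
type Order { id: ID!  total: Float  items: [Item!] }
type Item { sku: String  price: Float }
input UserInput { name: String }
type LegacyReport { id: ID!  owner: User  rows(filter: LegacyFilter): [String] }
input LegacyFilter { since: String }
"""
```

Running `zombie_types(SAMPLE_SDL)` reports both legacy types; wiring `LegacyReport` into `Query` makes the list empty, which is the remediation the section describes.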
GraphQL Specific¶
Apollo
To address the 'Zombie object' issue within the Apollo framework engine, ensure that all references to objects are properly managed. Implement strong ownership and reference counting practices. Utilize the provided memory management tools and debugging facilities to track down and eliminate any retain cycles or orphaned objects that could lead to 'Zombie object' instances. Regularly review and test your code to prevent memory leaks and unintended object retention.
Yoga
To address the 'Zombie object' issue within the Yoga framework engine, ensure that all objects are properly deallocated and references are cleared when they are no longer needed. Implement proper memory management practices, such as utilizing ARC (Automatic Reference Counting) effectively, and make sure to nullify any strong references to objects that should be released. Additionally, consider using weak references for delegates and other objects that may lead to retain cycles. Regularly profile your application with memory debugging tools to detect and fix any potential zombie objects.
Awsappsync
To prevent 'Zombie object' issues within the AWS AppSync framework, ensure that all data sources and resolvers are properly managed and disposed of after use. Implement clean-up logic in your resolvers to delete or dereference objects that are no longer needed to avoid memory leaks. Regularly monitor and audit your GraphQL API with AWS CloudWatch to detect and address any anomalies that may indicate lingering objects. Additionally, consider using AWS Lambda functions with automatic scaling to manage resource utilization effectively.
Graphqlgo
To mitigate the risk of zombie objects in a GraphQL Go framework engine, ensure proper cleanup of resources and implement a garbage collection strategy. Utilize context cancellation to stop in-flight requests and release associated objects. Regularly review and update your code to manage object lifecycles effectively, preventing memory leaks and potential performance issues.
Graphqlruby
In the GraphQL Ruby framework, to prevent the creation of zombie objects, ensure that you properly dispose of objects that are no longer needed. Implement a cleanup strategy within your resolvers and mutations to release resources and avoid memory leaks. Additionally, consider using the `lazy_resolve` method to defer the execution of expensive operations until they are actually needed, which can help in managing resource allocation more efficiently.
Hasura
To prevent the occurrence of zombie objects in the Hasura framework engine, ensure that all subscriptions and live queries are properly terminated when no longer needed. Implement cleanup logic to release resources and unsubscribe from events when components are unmounted or when user sessions end. Regularly monitor the active subscriptions and enforce limits if necessary to avoid resource leaks that can lead to zombie objects.
Agoo
Ensure all declared objects in your GraphQL schema are actively used or remove them to prevent security risks associated with zombie objects in the Agoo framework.
Ariadne
Identify and remove zombie objects from your GraphQL schema in the Ariadne framework to eliminate unused code and reduce security risks. Regularly audit your schema to ensure all objects are necessary and actively used in queries, mutations, or subscriptions.
Caliban
Identify and remove zombie objects from your Caliban GraphQL schema to eliminate unused code and reduce security risks. Regularly audit your schema to ensure all objects are necessary and actively used.
Dgraph
Identify and remove zombie objects from your Dgraph schema to eliminate unused and potentially vulnerable parts of your codebase. Regularly audit your schema to ensure all objects are necessary and actively used in queries, mutations, or subscriptions.
Dianajl
Identify and remove zombie objects from your GraphQL schema in the DianaJL framework engine to eliminate legacy or unused code, thereby reducing security risks and improving code maintainability.
Directus
Regularly audit your Directus schema to identify and remove zombie objects. Ensure that all objects in your schema are actively used in queries, mutations, or subscriptions to minimize security risks and maintain a clean codebase.
Flutter
Regularly audit and remove unused or legacy code in your Flutter application to prevent potential security vulnerabilities and improve maintainability.
Graphene
Identify and remove zombie objects from your GraphQL schema in the Graphene framework to eliminate unused code and reduce security risks. Regularly audit your schema to ensure all objects are necessary and actively used in queries, mutations, or subscriptions.
Graphqlapiforwp
Identify and remove zombie objects from your GraphQL schema in the graphqlapiforwp framework to eliminate potential security vulnerabilities and reduce codebase clutter.
Graphqlgophergo
Identify and remove zombie objects from your GraphQL schema in the graphqlgophergo framework to eliminate potential security risks and improve code maintainability.
Graphqljava
Identify and remove zombie objects from your GraphQL schema to minimize security risks and maintain a clean codebase. Regularly audit your schema to ensure all objects are necessary and actively used.
Graphqlphp
Identify and remove zombie objects from your GraphQL schema to eliminate unused and potentially vulnerable code, ensuring a more secure and efficient application.
Graphqlyoga
Regularly audit your GraphQL schema in the GraphQL Yoga framework to identify and remove zombie objects, ensuring that all declared objects are actively used and maintained to mitigate security risks.
Hypergraphql
Regularly audit and clean up your GraphQL schema to remove zombie objects, ensuring that all declared objects are actively used and maintained to minimize security risks.
Jaal
Identify and remove zombie objects from your GraphQL schema in the Jaal framework to eliminate potential security risks and improve code maintainability.
Juniper
Ensure all declared objects in your Juniper GraphQL schema are actively used in queries, mutations, or subscriptions. Regularly audit your schema to identify and remove any zombie objects to minimize security risks and maintain a clean codebase.
Lacinia
Identify and remove zombie objects from your Lacinia GraphQL schema to eliminate unused code and reduce security risks.
Lighthouse
Ensure all declared objects in your GraphQL schema are actively used and accessible through queries, mutations, or subscriptions to prevent security risks associated with zombie objects.
Mercurius
Identify and remove zombie objects from your GraphQL schema in the Mercurius framework to eliminate potential security risks and improve code maintainability.
Morpheusgraphql
Identify and remove zombie objects from your GraphQL schema in the MorpheusGraphQL framework to eliminate unused code and reduce security risks. Regularly audit your schema to ensure all objects are necessary and actively used in queries, mutations, or subscriptions.
Gqlgen
Identify and remove zombie objects from your GraphQL schema in the gqlgen framework to eliminate unused code and reduce security risks. Regularly audit your schema to ensure all objects are necessary and actively used in queries, mutations, or subscriptions.
Sangria
Regularly audit your GraphQL schema to identify and remove zombie objects, ensuring that all declared objects are actively used and maintained to minimize security risks.
Shopify
Identify and remove zombie objects from your GraphQL schema in the Shopify framework to eliminate potential security risks and improve code maintainability.
Stepzen
Regularly audit your GraphQL schema in the StepZen framework to identify and remove zombie objects, ensuring that all declared objects are actively used and maintained to mitigate security risks.
Strawberry
Regularly audit your GraphQL schema in the Strawberry framework to identify and remove zombie objects, ensuring that all declared objects are actively used and maintained to mitigate security risks.
Tartiflette
Identify and remove zombie objects from your GraphQL schema in the Tartiflette framework to eliminate potential security risks. Regularly audit your schema to ensure all objects are necessary and actively used in queries, mutations, or subscriptions.
Wpgraphql
Regularly audit your GraphQL schema to identify and remove zombie objects, ensuring that all declared objects are actively used and maintained to minimize security risks.
Configuration¶
Identifier:
schema/zombie_object
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API9:2023
- OWASP LLM: LLM05:2023
- pci: 6.5.4
- gdpr: Article-32
- soc2: CC6
- psd2: Article-95
- iso27001: A.18.1
- nist: SP800-53
- fedramp: AC-4
Classification¶
- CWE: 489
Score¶
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CVSS_SCORE: 5.3