
Character limit

Description

A client can submit a GraphQL document containing a very large number of characters. The server has to lex, parse and validate the entire document before any resolver runs, so an oversized document is a cheap way to cause denial of service, and it can also lead to information leakage.

Remediation

Reject requests whose body contains more than a fixed number of characters, and apply the check before the document is parsed. A threshold of 15000 characters is a reasonable default for most APIs.

This naive approach will not stop an attacker from crafting expensive queries when short field names are available: a few thousand characters of aliased one-letter fields still fan out into thousands of resolver calls. Prefer the more robust, but harder to implement, "query complexity" method and enforce a complexity threshold instead.
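The following is an added example, not code from the original page or from Escape's scanner. It implements the character limit described above as a check on the raw request body, wraps it in Express-style middleware (the `req.rawBody` property it reads is assumed to be populated by the body parser in front of the GraphQL handler), and then demonstrates the caveat: a constructed "alias bomb" against a hypothetical schema with a one-letter field `u` that has a subfield `i` stays under the 15000-character limit while selecting thousands of fields. The field counter is a rough regex-based estimate; a production implementation would walk the AST that graphql-js produces.

```javascript
// Added example (not part of the original page or Escape's scanner):
// a character-limit check for GraphQL request bodies, plus a rough
// field-selection counter that shows why the limit alone is weak.

const CHARACTER_THRESHOLD = 15000; // threshold suggested on the page

// Check the raw HTTP body (query, variables and operationName together)
// before JSON parsing, so no parsing cost is paid for oversized input.
// A negative threshold disables the check, mirroring the "-1 = infinite"
// option of the scanner check.
function checkCharacterLimit(rawBody, threshold = CHARACTER_THRESHOLD) {
  const count = typeof rawBody === 'string' ? rawBody.length : 0;
  if (threshold >= 0 && count > threshold) {
    return {
      ok: false,
      count,
      error: `Request body has ${count} characters, limit is ${threshold}`,
    };
  }
  return { ok: true, count };
}

// Express-style middleware (hypothetical wiring): assumes the raw body
// string was captured on req.rawBody by the body parser in front of the
// GraphQL handler.
function characterLimitMiddleware(threshold = CHARACTER_THRESHOLD) {
  return (req, res, next) => {
    const result = checkCharacterLimit(req.rawBody, threshold);
    if (!result.ok) {
      res.status(413).json({ errors: [{ message: result.error }] });
      return;
    }
    next();
  };
}

// Rough count of field selections: every identifier inside the selection
// set that is not an alias or argument name (followed by ':'), a variable
// ($x), a directive (@x) or a keyword. Good enough to estimate how many
// resolvers a document will invoke; use the graphql-js AST for real work.
function countFieldSelections(query) {
  const keywords = new Set(['on', 'true', 'false', 'null', 'fragment']);
  const start = query.indexOf('{');
  if (start < 0) return 0;
  const selectionSets = query.slice(start);
  const re = /([$@]?)([_A-Za-z][_0-9A-Za-z]*)\s*(:?)/g;
  let count = 0;
  let m;
  while ((m = re.exec(selectionSets)) !== null) {
    if (m[1] !== '' || m[3] === ':' || keywords.has(m[2])) continue;
    count++;
  }
  return count;
}

// Constructed attacker input against a hypothetical schema with a field
// `u` that has a subfield `i`: each `aN:u{i}` costs about ten characters
// but two resolver calls. Builds the largest document under maxChars.
function buildAliasBomb(maxChars) {
  const parts = [];
  let query = '{}';
  for (let n = 0; ; n++) {
    const candidate = '{' + [...parts, `a${n}:u{i}`].join(' ') + '}';
    if (candidate.length > maxChars) break;
    parts.push(`a${n}:u{i}`);
    query = candidate;
  }
  return query;
}

// The caveat in numbers: the bomb passes the character limit (body kept
// 100 characters under the threshold) yet selects thousands of fields.
function aliasBombPassesLimit(threshold = CHARACTER_THRESHOLD) {
  const body = JSON.stringify({ query: buildAliasBomb(threshold - 100) });
  return {
    passesLimit: checkCharacterLimit(body, threshold).ok,
    fieldSelections: countFieldSelections(JSON.parse(body).query),
  };
}

console.log(aliasBombPassesLimit());
```

Running the block prints an object whose `passesLimit` is `true` while `fieldSelections` is in the thousands, which is exactly the case a complexity threshold catches and a character limit does not.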

GraphQL Specific

Apollo

Apollo Server does not bound document size on its own: enforce the character limit in the HTTP layer in front of it (for example through the body-size limit of the body-parsing middleware) and add a query complexity rule through the server's validationRules option. Input validation and sanitization of arguments remain necessary to prevent injection attacks, but they do not address oversized documents.

Yoga

For the Yoga engine, keep Yoga and its plugins at their latest versions, enforce a size or token limit on incoming documents in a plugin that runs before parsing, return errors that do not echo the offending document back to the client, and keep a consistent code review process so that resolvers which amplify small queries are caught early in the development cycle.

Awsappsync

Make sure AWS AppSync resolvers use their VTL mapping templates to validate and sanitize input data to prevent injection attacks, enforce authorization checks on every resolver, and use AppSync's service limits to mitigate denial-of-service attempts from oversized or repeated requests.

Graphqlgo

For servers built on the GraphQL Go engine, validate and sanitize all user-supplied input, return generic error messages so that parser or resolver errors do not leak internals, and keep dependencies at their latest secure versions. Add query complexity analysis, a validation rule that scores the document before execution, so that short but expensive documents are rejected and not only long ones.

Graphqlruby

In graphql-ruby, validate and sanitize arguments to prevent injection attacks, rely on the schema's type system to constrain the shape of accepted queries, and enforce the schema's built-in max_complexity and max_depth settings so that overly complex queries are rejected before they consume resources.

Hasura

Hasura generates the SQL for your GraphQL schema itself; in any custom logic you add around it (actions, event triggers, custom SQL), always use prepared statements or parameterized queries to prevent SQL injection, and validate and sanitize all user inputs to maintain the integrity of your database operations. Where your Hasura edition provides API limits, use them to bound query depth and size as well.

Configuration

Identifier: resource_limitation/character_limit

Options

  • threshold : maximum number of characters in a request before the check raises an alert (-1 = infinite, which disables the limit)

Examples

Ignore this check

```yaml
checks:
  resource_limitation/character_limit:
    skip: true
```

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API8:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:R
  • CVSS_SCORE: 4.9
