Batch Limit

Description

Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently. However, an attacker can leverage this feature to evade many security measures, including rate limiting.

Remediation

Disable query batching in your GraphQL engine, or cap the number of documents a single batched request may carry, and make rate limiting count operations rather than HTTP requests so that a batch cannot be used to multiply the work done per request.

GraphQL Specific

Apollo

To address potential issues within the Apollo framework engine, ensure that all dependencies are up-to-date, utilize the built-in security features such as schema validation and rate limiting, and follow best practices for error handling and logging. Regularly review the Apollo documentation for any updates on security advisories and recommended practices.

Yoga

For the Yoga framework engine, ensure that all user inputs are properly sanitized to prevent injection attacks. Implement input validation checks to restrict the type and format of data that can be entered. Regularly update the framework and its dependencies to patch any known vulnerabilities. Additionally, consider using security middleware that can help protect against common web threats. Always follow best practices for security within the Yoga framework environment.

Awsappsync

To address potential issues with the AWS AppSync framework engine, ensure that you implement batch limits to prevent overloading the system. This can be achieved by setting appropriate limits on the number of records processed in a single batch request. Additionally, monitor the performance and adjust the batch sizes as necessary to optimize throughput while maintaining system stability.

Graphqlgo

To mitigate the risk of injection attacks in the GraphQL Go framework, ensure that all user-supplied inputs are validated and sanitized. Use prepared statements with variable binding for all database queries to prevent injection vulnerabilities. Additionally, implement proper error handling to avoid exposing sensitive information through error messages. Regularly review and update your security practices to address new and emerging threats.

Graphqlruby

In the GraphQL Ruby framework, ensure that you implement batch loading to avoid the N+1 query problem. Utilize the batch-loader gem or the built-in GraphQL::Batch mechanism to efficiently load associated records in a single query. This will help in reducing the number of database hits and improve the performance of your GraphQL API. Additionally, set a limit on the maximum query depth and complexity to prevent overly complex queries from overloading the server. Use the max_depth and max_complexity settings provided by the framework to enforce these limits.

Hasura

To prevent potential performance issues with the Hasura framework engine, it is recommended to implement a batch limit on queries. This can be achieved by setting a maximum number of rows that can be fetched or mutated in a single request. You can configure this limit in the Hasura console under the 'Settings' tab, or by using the HASURA_GRAPHQL_BATCH_SIZE environment variable. By enforcing a batch limit, you ensure that the system remains responsive and stable, even when handling large datasets or complex queries.

Configuration

Identifier: resource_limitation/graphql_batch_limit

Options

  • threshold: Maximum number of batched documents allowed to be sent

Examples

Ignore this check

checks:
  resource_limitation/graphql_batch_limit:
    skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API8:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-2

Classification

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:R
  • CVSS_SCORE: 4.9