Skip to main content

Cyclic Recursive Query

Description

A circular introspection query has successded on the system. This can be exploited to conduct a Denial of Service attack.

By calling several objects that reference each other, an attacker can create a circular reference.

__schema {
  types {
    fields {
      type {
        fields {
          type ... and so on infinitely
        }
      }
    }
  }
}

Creating a circular reference will increase the size of the returned document exponentially. The larger your schema is, the bigger the document will be.

This DOS attack is hard to exploit as the size of the query might be limited by a server before reaching your backend.

Remediation

To prevent circular introspection from being abused:

  • Limit the maximum depth of the introspection query.
  • Limit the maximum elapsed time to execute a GraphQL query.
  • Disable your introspection.

GraphQL Specific

Apollo

To address the issue of cyclic recursive queries within the Apollo framework engine, it is recommended to implement checks that detect cycles in the query structure. This can be achieved by maintaining a record of visited nodes or resolvers and verifying that a node is not revisited within the same query execution context. Additionally, consider setting a maximum depth for queries and using Apollo's query cost analysis to prevent overly complex queries from being executed. By doing so, you can prevent infinite recursion and ensure the stability and performance of your GraphQL service.

Yoga

To address the issue of cyclic recursive queries in the Yoga framework engine, it is recommended to implement checks that detect cycles in the query structure. This can be achieved by maintaining a record of visited nodes or paths and verifying that a new query does not reintroduce a previously visited node. Additionally, setting a maximum depth for recursive queries can prevent infinite recursion. If the framework allows, consider using built-in features or plugins that manage query depth and complexity. Always validate and sanitize user input to prevent malicious queries from exploiting recursive functionalities.

Awsappsync

To prevent issues with cyclic recursive queries in AWS AppSync, it is recommended to implement depth limiting in your resolvers. This can be achieved by setting a maximum depth for queries and using a depth counting mechanism to track the resolver's call depth. Additionally, consider using query complexity analysis to assign costs to fields and types, and enforce a maximum query cost. This helps to mitigate the risk of overly complex or malicious queries affecting the performance and stability of your GraphQL API.

Graphqlgo

To mitigate the risk of cyclic recursive queries in a GraphQL Go framework engine, implement depth limiting to restrict the complexity of the queries that can be executed. Additionally, consider using query cost analysis techniques to assign costs to different fields and types, and enforce a maximum query cost. This can be complemented with throttling based on the client's request rate to prevent abuse. It's also advisable to use persistent queries to allow only pre-approved query operations. Ensure proper monitoring and logging of query patterns to detect and respond to potential abuse.

Graphqlruby

To mitigate the risk of cyclic recursive queries in the GraphQL Ruby framework, implement query depth analysis to limit the complexity of accepted queries. Use the max_depth option provided by the framework to define the maximum allowed depth for queries. Additionally, consider employing query cost analysis techniques to assign costs to different fields and types, and set a maximum query cost to prevent overly complex queries from being executed. Regularly review and adjust these limits based on the application's performance and requirements.

Hasura

To prevent issues with cyclic recursive queries in Hasura, ensure that you set depth limits for queries in the Hasura console under 'Settings' > 'Limits'. Additionally, use query complexity analysis to assign costs to fields and use these costs to limit the depth and breadth of each query. This helps in avoiding performance bottlenecks and potential denial of service attacks caused by deeply nested queries.

Configuration

Identifier: resource_limitation/graphql_circular_introspection

Examples

Ignore this check

checks:
  resource_limitation/graphql_circular_introspection:
    skip: true

Score

  • Escape Severity: INFO

Compliance

  • OWASP: API8:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-97
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:R
  • CVSS_SCORE: 4.4