Field limit
Description
Attackers may craft complex queries by requesting a significant number of fields.
This could lead to potential DoS attacks or information leakage.
Remediation
Limit query complexity by using a library specific to your engine.
GraphQL Specific
Apollo
To address potential issues with the Apollo framework engine, ensure that all dependencies are up to date, utilize the built-in security features such as schema validation and rate limiting, and follow best practices for error handling and logging. Regularly review the Apollo documentation for any updates on security advisories and recommended practices.
Yoga
To address issues within the Yoga framework engine, ensure that all components are updated to their latest versions to benefit from security patches and performance improvements. Regularly review the framework's documentation for best practices on security and efficiency. Additionally, consider implementing a thorough testing strategy that includes unit tests, integration tests, and end-to-end tests to catch potential problems early in the development cycle. Monitor the application's performance and error logs to quickly identify and resolve any issues that may arise.
Awsappsync
To address limitations in the AWS AppSync framework, ensure that your GraphQL schema is designed to handle complexity and size within the service's constraints. Optimize resolvers by batching requests and using caching mechanisms to reduce the load on data sources. Implement pagination to manage large datasets and avoid exceeding field limits. Monitor and adjust the performance of your AppSync API with CloudWatch metrics and logs. If necessary, consider splitting your API into multiple smaller, more focused GraphQL endpoints to stay within the field limits and maintain efficient data retrieval.
Graphqlgo
To mitigate potential security risks in the GraphQL Go framework engine, ensure that all queries are strictly validated against a schema, implement proper authentication and authorization checks, and use query complexity analysis to prevent denial-of-service attacks. Additionally, consider employing field-level permissions to restrict access to sensitive data and apply rate limiting to control the amount of resources a client can consume.
Graphqlruby
In the GraphQL Ruby framework, to prevent potential issues with field limits, it is recommended to implement query complexity analysis to ensure that clients cannot request an excessive amount of data which could lead to performance problems. You can use the built-in analysis features to set a maximum complexity for your queries. Additionally, consider using the max_depth method to limit the depth of queries and avoid deeply nested queries that could impact the stability of your application.
Hasura
To prevent issues related to field limits in the Hasura framework engine, ensure that you define appropriate permissions and access control lists for your GraphQL schema. Use Hasura's built-in mechanisms to set maximum query depths and complexity scores, which can help in preventing resource exhaustion caused by excessively large or deeply nested queries. Additionally, consider implementing custom business logic in your backend to validate and limit the number of fields that can be queried at once, if necessary. Regularly review your schema and optimize it to handle the expected query loads efficiently.
Configuration
Identifier:
resource_limitation/graphql_field_limit
Options
- threshold : Maximum fields before raising an alert (-1 = infinite).
Examples
Ignore this check
checks:
resource_limitation/graphql_field_limit:
skip: true
Score
- Escape Severity: MEDIUM
Compliance
- OWASP: API4:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC6
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: AC-6
Classification
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1