Typing misconfiguration
Description
Look for typing misconfigurations by checking if a mutation parameter with the wrong parameter type succeeds.
Remediation
Do not resolve queries with a wrong argument type.
GraphQL Specific
Apollo
Ensure that all configurations in the Apollo framework engine are correctly set according to the official Apollo documentation. Double-check environment variables, API endpoints, and other settings for accuracy. Use a version control system to track changes and facilitate rollback in case of misconfiguration. Additionally, consider implementing automated checks or a configuration management tool to validate settings before deployment.
Yoga
Ensure that the Yoga framework engine configuration files are correctly set with the appropriate parameters, paying close attention to syntax and data types. Validate the configuration by using schema validation tools or built-in framework validators if available. Regularly review and test the configuration in a controlled environment before deploying to production.
Awsappsync
To address typing misconfigurations in AWS AppSync, ensure that your schema definitions match the expected types in your resolvers. Validate the schema with AWS AppSync's built-in tools before deployment. Additionally, implement unit tests for your resolvers to catch typing issues early in the development process. Use AWS CloudFormation or the AWS CLI to automate and roll back deployments in case of configuration errors.
Graphqlgo
Ensure proper validation and sanitization of user inputs to prevent injection attacks. Implement strict type checking and use parameterized queries or prepared statements to handle data passed to the GraphQL engine. Regularly review and update security configurations and dependencies to mitigate potential vulnerabilities.
Graphqlruby
Ensure that the GraphQL Ruby framework is properly configured to use prepared statements or parameterized queries to prevent potential injection attacks. Regularly review and update the configuration settings to maintain security as the application evolves.
Hasura
Ensure that the Hasura GraphQL engine configuration is set correctly by reviewing the environment variables and settings in the config.yaml file. Verify that the database connection strings, API ports, and other critical settings are accurate and secure. Additionally, use role-based access control to restrict permissions and apply policies that enforce strong security practices. Regularly update the Hasura engine to the latest version to benefit from security patches and improvements.
REST Specific
Asp_net
Ensure strong typing in ASP.NET by using explicit data types and model binding. Validate all inputs against expected types and handle parsing errors gracefully to prevent type-related vulnerabilities.
Ruby_on_rails
In Ruby on Rails, ensure strong parameter validation by using the built-in require and permit methods to whitelist allowed parameters. Additionally, employ Active Record validations to enforce data types and constraints at the model level.
Next_js
Ensure proper validation of input types and implement strict type checking in API endpoints to prevent typing misconfigurations in the Next.js application.
Laravel
In Laravel, ensure that you are using Eloquent ORM or the query builder's parameter binding to prevent typing misconfigurations and SQL injection vulnerabilities. Avoid using raw queries with user input. Always validate and sanitize input data.
Express_js
Ensure proper validation of input types and implement middleware such as express-validator to check for data types and patterns before processing requests.
Django
In Django, ensure that all query parameters are properly escaped by using the ORM's built-in querysets or by employing parameterized queries with raw() or execute() methods. Avoid string formatting or concatenation to prevent SQL injection vulnerabilities.
Symfony
In Symfony, ensure that you use the built-in form component with proper data types and validation rules to prevent typing misconfigurations. Additionally, leverage the ParamConverter feature for type-hinting and automatic validation of request parameters.
Spring_boot
Ensure strong typing in Spring Boot by using DTOs (Data Transfer Objects) with proper validation annotations, and leverage Spring's built-in type conversion to prevent type-related misconfigurations. Additionally, use @Valid on controller method parameters to enforce validation rules.
Flask
Ensure proper type checking of user inputs and utilize Flask-WTF or similar extensions to validate form data. Implement custom validation logic if necessary to catch typing misconfigurations.
Nuxt
Ensure proper validation of input types and implement strict type checking before passing data to components or API endpoints in Nuxt.js applications to prevent typing misconfigurations.
Fastapi
In FastAPI, ensure that all endpoint parameters are explicitly typed and validated using Pydantic models or FastAPI's built-in validation. Use dependency injection to share common validation logic across endpoints.
Configuration
Identifier:
schema/typing_misconfiguration
Options
- skip_objects : List of object that are to be skipped by the security test.
Examples
Ignore this check
checks:
schema/typing_misconfiguration:
skip: true
Score
- Escape Severity: MEDIUM
Compliance
- OWASP: API10:2023
- pci: 6.5.1
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: AC-4
Classification
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/RL:O/RC:C