Directive overloading
Description
Directive overloading occurs when a client can send a query containing a very large number of consecutive directives, overloading the engine that has to process them.
Remediation
Limit the number of directives allowed in a query. This limit should be enforced by the GraphQL engine while it parses the document; otherwise the parse itself can lead to a heap overflow.
Apollo
Upgrade to GraphQL >= 16.0.0 if you are not already up to date. You can also use our GraphQL Armor middleware to limit the number of directives allowed in a query.
GraphQL Yoga
Upgrade to GraphQL >= 16.0.0 if you are not already up to date. You can also use our GraphQL Armor middleware to limit the number of directives allowed in a query.
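The kind of pre-parse guard the remediation describes, as an added example in JavaScript that is not Escape's, GraphQL Armor's or graphql-js's own code: it counts directive usages in the raw document and rejects the request when the count exceeds a threshold (defaulting to the check's default of 50) before the parser ever sees it. The function names, the sample query and the handling of strings and comments are this example's own assumptions.

```javascript
// Added example (not Escape's, GraphQL Armor's or graphql-js code): pre-parse guard
// that counts directive usages ("@Name") in a raw GraphQL document and rejects it
// above a threshold. Strings, block strings and comments are skipped.
const DEFAULT_THRESHOLD = 50; // matches the check's default `threshold`

function countDirectives(source) {
  let count = 0, i = 0;
  const n = source.length;
  while (i < n) {
    const c = source[i];
    if (c === '#') { // comment: runs to end of line
      while (i < n && source[i] !== '\n') i++;
    } else if (source.startsWith('"""', i)) { // block string: ends at unescaped """
      i += 3;
      while (i < n && !source.startsWith('"""', i)) i += source.startsWith('\\"""', i) ? 4 : 1;
      i += 3;
    } else if (c === '"') { // ordinary string: honour escapes, cannot span lines
      i++;
      while (i < n && source[i] !== '"' && source[i] !== '\n') i += source[i] === '\\' ? 2 : 1;
      i++;
    } else if (c === '@') { // directive: "@" followed by a Name [_A-Za-z][_0-9A-Za-z]*
      let j = i + 1;
      if (j < n && /[_A-Za-z]/.test(source[j])) {
        while (j < n && /[_0-9A-Za-z]/.test(source[j])) j++;
        count++;
      }
      i = j;
    } else {
      i++;
    }
  }
  return count;
}

// Reject the request when ok is false, before the document reaches the parser.
function checkDirectiveOverloading(source, threshold = DEFAULT_THRESHOLD) {
  const directives = countDirectives(source);
  return { ok: directives <= threshold, directives, threshold };
}

// Constructed sample document: the same directive repeated 60 times.
const constructedQuery = '{ me { id ' + '@skip(if: false) '.repeat(60) + '} }';
console.log(checkDirectiveOverloading(constructedQuery)); // ok: false, directives: 60
```

Because the count is taken from the raw text, the guard costs a single linear pass and never allocates an AST for a document it is going to reject.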
Configuration
CheckId: dos/directive_overloading
Options
- threshold: Maximum number of directives allowed before raising an alert in the fast check.
Examples
Ignoring this check
{
  "checks": {
    "dos/directive_overloading": {
      "skip": true
    }
  }
}
Check with all default options
{
  "checks": {
    "dos/directive_overloading": {
      "options": {
        "threshold": 50
      }
    }
  }
}
Score
Escape Severity: MEDIUM
OWASP: A08:2023
CWE
- 20
- 400
- 664
- 770
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:R
- CVSS_SCORE: 6.9
References
no-reference-available-yet