Skip to main content

Character limit

Description​

Clients using GraphQL may craft a query with a huge amount of characters. This could lead to potential DoS attacks or information leakage.

Remediation​

Reject requests containing more than a certain number of characters. For instance, 15000 is a coherent threshold for characters.

This naΓ―ve approach will not prevent clever hackers from crafting costly requests if short field names are available. One should prefer the better but more difficult to implement "query complexity" method and set a complexity threshold instead.

GraphQL Specific​

Apollo

Reject requests containing more than a certain number of characters. For instance, 15000 is a coherent threshold for characters.

Install our open source package GraphQL Armor for Apollo.

Graphqlyoga

Reject requests containing more than a certain number of characters. For instance, 15000 is a coherent threshold for characters.

Install our open source package GraphQL Armor for Yoga.

Otherwise, you can use the standalone envelop plugin directly.

Awsappsync

Add ACL rule to prevent requests bigger than a threshold. (e.g., 3000 characters) This would be entered into the Rule JSON editor when creating a web ACL in the AWS WAF Console :

{
  "Name": "BodySizeRule",
  "Priority": 1,
  "RuleAction": {
    "Block": {}
  },
  "Statement": {
    "SizeConstraintStatement": {
      "ComparisonOperator": "GE",
      "FieldToMatch": {
        "Body": {}
      },
      "Size": 3000,
      "TextTransformations": [
        {
          "Priority": 0,
          "Type": "NONE"
        }
      ]
    }
  },
  "VisibilityConfig": {
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BodySizeRule",
    "SampledRequestsEnabled": true
  }
}

Don't forget to associate the previously created ACL rule with your AppSync API.

For more information refer to :

AWS AppSync - Developer Guide

Integrate an AppSync API with AWS WAF

AWS Web Application Firewall

Graphqlgo

You can limit query size with a net/http middlware.

func limitBodySize(next http.Handler, limit int64) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    limitedBody := http.MaxBytesReader(w, r.Body, limit)
    bodyBytes, err := ioutil.ReadAll(limitedBody)
    limitedBody.Close()
    if err != nil {
      message := "{\"errors\": [{\"message\": \"Request too large.\"}],\"data\": null}"
      w.Write([]byte(message))
    } else {
      r.Body = ioutil.NopCloser(bytes.NewBuffer(bodyBytes))
      next.ServeHTTP(w, r)
    }
  })
}

func main(){
  ...
  h := handler.New(&handler.Config{
    Schema:   &schema
  })
  http.Handle("/graphql", limitBodySize(h, 3000))
}

Configuration​

Identifier: resource_limitation/character_limit

Options​

  • threshold : Maximum characters before raising an alert (-1 = infinite)

Examples​

Ignore this check​

{
    "checks": {
        "resource_limitation/character_limit": {
            "skip": true
        }
    }
}

Score​

  • Escape Severity: LOW
    • OWASP: API8:2023
    • PCI DSS: 6.5.8
    • CWE
      • 20
      • 400
      • 664
      • 770
    • WASC: WASC-10

CVSS​

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:R
  • CVSS_SCORE: 4.9

References​