Directive overloading
Description
Directive overloading occurs when a client can send a query containing a large number of consecutive directives and overload the engine that has to process those directives.
Remediation
Limit the number of directives allowed in a query. This should be enforced by the GraphQL engine while parsing the document; otherwise this can lead to a heap overflow.
GraphQL Specific
Apollo
Upgrade to GraphQL>=16.0.0 if you are not already up to date. You can also use our GraphQL Armor middleware to limit the number of directives allowed in a query.
GraphQL Yoga
Upgrade to GraphQL>=16.0.0 if you are not already up to date. You can also use our GraphQL Armor middleware to limit the number of directives allowed in a query.
Configuration
Identifier:
resource_limitation/graphql_directive_overload
Options
- threshold: Maximum number of directives allowed in a query before the fast check raises an alert.
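As an added example (not part of this documentation, of GraphQL Armor or of any GraphQL engine), the following Python code implements the kind of fast check the threshold option describes: it counts directives in a raw query document and flags the document when the count exceeds the threshold. The function names, the regexes and the default threshold of 50 are assumptions.

```python
import re

# Assumed default; the page names the option but not its default value.
DEFAULT_THRESHOLD = 50

# Spans in which an '@' must NOT be counted as a directive:
# block strings, regular strings and comments (in that order, so that
# a block string is not mistaken for an empty regular string).
_SKIP = re.compile(
    r'"""(?:\\"""|(?!""").)*"""'   # block string, may span lines
    r'|"(?:\\.|[^"\\\n])*"'        # regular string with escapes
    r'|#[^\r\n]*',                 # comment to end of line
    re.DOTALL,
)
# A directive is '@' followed by a GraphQL Name.
_DIRECTIVE = re.compile(r'@[_A-Za-z][_0-9A-Za-z]*')


def count_directives(document: str) -> int:
    """Count directive usages in a query document without a full parser.

    Strings and comments are blanked first so that e.g. an e-mail address
    passed as an argument ("alice@example.com") is not counted. Note that
    in an SDL document the '@name' of a 'directive @name on ...' definition
    would also be counted; this check targets executable query documents.
    """
    cleaned = _SKIP.sub(" ", document)
    return len(_DIRECTIVE.findall(cleaned))


def check_directive_overload(document: str, threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Return the count and whether it exceeds the allowed threshold."""
    count = count_directives(document)
    return {"directives": count, "threshold": threshold, "overloaded": count > threshold}


# Constructed sample inputs for demonstration.
BENIGN_QUERY = '''
query Benign($withEmail: Boolean!) {
  user(email: "alice@example.com") @include(if: $withEmail) {
    id
    name @skip(if: false)  # the @ in this comment must be ignored
  }
}
'''
OVERLOADED_QUERY = "{ me " + "@include(if: true) " * 200 + "}"

if __name__ == "__main__":
    print(check_directive_overload(BENIGN_QUERY))      # 2 directives, not overloaded
    print(check_directive_overload(OVERLOADED_QUERY))  # 200 directives, overloaded
```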
Examples
Ignore this check
{
  "checks": {
    "resource_limitation/graphql_directive_overload": {
      "skip": true
    }
  }
}
Score
Escape Severity: MEDIUM
OWASP: API8:2023
CWE
- 20
- 400
- 664
- 770
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:R
- CVSS_SCORE: 6.9