Skip to main content

Field limit

Description

Attackers may craft complex queries by requesting a significant number of fields.

This could lead to potential DoS attacks or information leakage.

Remediation

Limit query complexity by using a library specific to your engine.

GraphQL Specific

Apollo

Add a module to compute query complexity and set a threshold so that overly broad requests get canceled.

For a user-friendly module which requires no schema modification whatsoever, check out the graphql-validation-complexity module.

import { createComplexityLimitRule } from 'graphql-validation-complexity';

const ComplexityLimitRule = createComplexityLimitRule(1000);

const apolloServer = new ApolloServer({
    ...
    validationRules: [ComplexityLimitRule],
});

For a more customizable module that lets you manually configure the cost of each field/type of your schema, take a look at the graphql-cost-analysis module.

This second option is best suited for a more realistic complexity estimator as all fields may not be equal in terms of complexity.

To learn more about complexity estimation, you can read: Securing Your GraphQL API from Malicious Queries.

Source: https://escape.tech/blog/9-graphql-security-best-practices/.

Graphqlphp
use GraphQL\GraphQL;
use GraphQL\Validator\Rules\QueryComplexity;
use GraphQL\Validator\DocumentValidator;

$rule = new QueryComplexity($maxQueryComplexity = 100);
DocumentValidator::addRule($rule);

GraphQL::executeQuery(/*...*/);

Source: https://github.com/webonyx/graphql-php/blob/master/docs/security.md#query-complexity-analysis

Hasura

Limit the number of fecthed fields with Response Limiting. To learn how to implement it, check out Hasura's Response Limiting guide.

Graphene

With graphene-django, it is possible to implement a custom GraphQL backend to limit query complexity, such as this one: graphene-django query cost analysis / complexity limits.

Configuration

Identifier: resource_limitation/graphql_field_limit

Options

  • threshold : Maximum fields before raising an alert (-1 = infinite).

Examples

Ignore this check

{
    "checks": {
        "resource_limitation/graphql_field_limit": {
            "skip": true
        }
    }
}

Score

  • Escape Severity: MEDIUM
    • OWASP: API4:2023
    • PCI DSS: 6.5.8
    • CWE
      • 20
      • 400
      • 664
      • 770
    • WASC: WASC-10

CVSS

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References