Skip to main content

Character limit

Description​

Clients using GraphQL may craft a query with a huge amount of characters. This could lead to potential DoS attacks or information leakage.

Remediation​

Reject requests containing more than a certain number of characters. For instance, 15000 is a coherent threshold for characters.

This naΓ―ve approach will not prevent clever hackers from crafting costly requests if short field names are available. One should prefer the better but more difficult to implement "query complexity" method and set a complexity threshold instead.

GraphQL Specific​

Apollo

Ensure proper input validation and sanitization to prevent injection attacks when using Apollo framework engine.

Yoga

To address issues within the Yoga framework engine, ensure that all components are updated to their latest versions, adhere to best practices in error handling, and maintain a consistent code review process to identify potential vulnerabilities or bugs early in the development cycle.

Awsappsync

Ensure that AWS AppSync resolvers are using VTL templates to sanitize and validate input data to prevent injection attacks. Implement authorization checks and configure service limits to mitigate against denial-of-service attacks.

Graphqlgo

To mitigate potential security risks in the GraphQL Go framework engine, ensure that all user-supplied inputs are validated and sanitized. Implement proper error handling to avoid leaking sensitive information in error messages. Regularly update dependencies to their latest secure versions. Additionally, consider using a query complexity analysis tool to prevent resource exhaustion attacks.

Graphqlruby

Ensure proper input validation and sanitization to prevent injection attacks. Use GraphQL's built-in mechanisms to define and enforce the types and shapes of allowable queries. Additionally, consider implementing query complexity analysis to prevent overly complex queries from consuming excessive resources.

Hasura

To ensure the security and efficiency of your Hasura GraphQL engine, always use prepared statements or parameterized queries to prevent SQL injection attacks. Additionally, validate and sanitize all user inputs to maintain the integrity of your database operations.

Configuration​

Identifier: resource_limitation/character_limit

Options​

  • threshold : Maximum characters before raising an alert (-1 = infinite)

Examples​

Ignore this check​

checks:
resource_limitation/character_limit:
skip: true

Score​

  • Escape Severity: LOW

Compliance​

  • OWASP: API8:2023

  • pci: 6.5.10

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-4

Classification​

  • CWE: 400

Score​

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:R
  • CVSS_SCORE: 4.9

References​