Recursive Fragment
Description
This is a DoS vulnerability that allows an attacker with specifically designed queries to cause stack overflow panics. Any user with access to the GraphQL handler can send these queries and cause stack overflows. This in turn could potentially compromise the ability of the server to serve data to its users.
Remediation
Implement a maximum recursion limit.
GraphQL Specific
Apollo
To address potential issues within the Apollo framework engine, ensure that all dependencies are up-to-date, follow best practices for schema design, and implement proper error handling. Regularly review the Apollo documentation for updates on security practices and performance improvements. Additionally, consider using Apollo's built-in features for performance monitoring and query optimization to enhance the resilience and efficiency of your GraphQL implementation.
Yoga
To address issues within the Yoga framework engine, ensure that all components are updated to their latest versions to benefit from recent bug fixes and performance improvements. Regularly review the framework's documentation for best practices and utilize the community forums for support. Additionally, consider implementing error handling and logging mechanisms to monitor the system's health and quickly identify areas that require attention.
Awsappsync
To address potential issues with the AWS AppSync framework engine, ensure that you are using the latest version of the service which includes the most recent security patches and performance improvements. Regularly review your schema and resolvers to optimize performance and security. Implement proper authentication and authorization mechanisms to control access to your GraphQL API. Monitor your API usage and set up alerts for unusual patterns that could indicate a problem. Additionally, consider using AWS CloudFormation or the AWS Amplify CLI to manage and provision your AppSync resources in a more controlled and repeatable manner.
Graphqlgo
To address potential security vulnerabilities in the GraphQL Go framework engine, ensure that all user-supplied input is validated and sanitized. Implement proper error handling to avoid leaking sensitive information in error messages. Regularly update the framework to incorporate the latest security patches. Additionally, consider using query complexity analysis to prevent resource exhaustion attacks, and enforce authentication and authorization checks to control access to sensitive data.
Graphqlruby
In the GraphQL Ruby framework, to avoid issues with recursive fragments, ensure that your queries are structured in a way that prevents infinite loops. This can be achieved by defining a maximum depth for queries and using fragment definitions wisely. Utilize the max_depth
option in your schema definition to limit the complexity of the queries and protect against potential denial-of-service attacks. Additionally, consider implementing analysis tools provided by the framework to detect and alert on recursive fragment usage before it affects your application's performance.
Hasura
To address potential issues with the Hasura framework engine, ensure that all GraphQL queries are constructed using parameterized statements to prevent injection attacks. Additionally, regularly update the Hasura engine to the latest version to incorporate security patches and performance improvements. Implement proper access control by configuring role-based permissions carefully, and review the security rules to ensure that sensitive data is protected. Monitor the Hasura logs for any unusual activity that could indicate a security breach or misconfiguration. By following these best practices, you can maintain a secure and efficient Hasura deployment.
Configuration
Identifier:
resource_limitation/graphql_recursive_fragment
Examples
Ignore this check
checks:
resource_limitation/graphql_recursive_fragment:
skip: true
Score
- Escape Severity: MEDIUM
Compliance
OWASP: API8:2023
pci: 6.5.10
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: SC-5
Classification
- CWE: 770
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:R
- CVSS_SCORE: 6.9