Merge pull request #173 from Ostorlab/features/Add-GRAPHQL_CIRCULAR_REFERENCES-kb
Add `GRAPHQL_CIRCULAR_REFERENCES` kb.
Showing 3 changed files with 131 additions and 0 deletions.
23 changes: 23 additions & 0 deletions
WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md
@@ -0,0 +1,23 @@ | ||
GraphQL allows clients to request specific data, and its flexibility can be exploited to create complex or recursive queries. Circular references occur when an object type refers back to itself directly or indirectly through other types. | ||
|
||
For example: | ||
```graphql | ||
query CircularReferences { | ||
user { | ||
friends { | ||
user { | ||
friends { | ||
user { | ||
__typename | ||
} | ||
} | ||
} | ||
} | ||
} | ||
} | ||
``` | ||
|
||
Security Impact of Circular References in GraphQL: | ||
|
||
- **Denial of Service**: By sending a large query with too many nested references, an attacker can overwhelm the server, causing it to slow down or crash. | ||
- **Resource Exhaustion**: The server may run out of memory or CPU resources while processing the query, leading to performance degradation or service unavailability. |
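Review bot: the description presents a circular type graph as the flaw in itself, but the two impacts listed only materialize when the server applies no depth or cost limit to incoming queries; state that condition in the first paragraph so the finding reads as "self-referencing types reachable with no query depth/complexity limit" rather than "any self-referencing type". "Security Impact of Circular References in GraphQL:" is a section title and should be a markdown heading, and the example query would be clearer with one sentence noting that every extra `user { friends { ... } }` level multiplies the resolver calls and the response size, which is what turns nesting into the DoS described below it.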
35 changes: 35 additions & 0 deletions
WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json
@@ -0,0 +1,35 @@ | ||
{ | ||
"risk_rating": "medium", | ||
"title": "GraphQL Circular References", | ||
"short_description": "Circular references in GraphQL where a field references itself or another field that references the original field can lead to infinite loops and DoS attacks.", | ||
"references": { | ||
"imperva": "https://www.imperva.com/blog/graphql-vulnerabilities-common-attacks/#circular-queries" | ||
}, | ||
"privacy_issue": false, | ||
"security_issue": true, | ||
"categories": { | ||
"CWE_TOP_25": [ | ||
"CWE_400" | ||
], | ||
"PCI_STANDARDS": [ | ||
"REQ_6_2", | ||
"REQ_6_4", | ||
"REQ_11_3" | ||
], | ||
"OWASP_MASVS_L2": [ | ||
"MSTG_PLATFORM_2" | ||
], | ||
"OWASP_ASVS_L3": [ | ||
"V13_4_1" | ||
], | ||
"SOC2_CONTROLS": [ | ||
"CC_2_1", | ||
"CC_4_1", | ||
"CC_7_1", | ||
"CC_7_2", | ||
"CC_7_4", | ||
"CC_7_5", | ||
"CC_9_1" | ||
] | ||
} | ||
} |
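Review bot: `short_description` says circular references "can lead to infinite loops", which is inaccurate: a GraphQL document is finite and the server resolves only the nesting the query spells out, so the risk is unbounded depth and resolver fan-out, not an infinite loop. Suggest "can be abused through deeply nested queries that exhaust server CPU and memory (DoS)", which also matches the `CWE_400` (Uncontrolled Resource Consumption) tag already chosen. `OWASP_MASVS_L2` / `MSTG_PLATFORM_2` is a mobile-platform category on a `WEB_SERVICE` KB entry; confirm it is intended before merging.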
73 changes: 73 additions & 0 deletions
WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md
@@ -0,0 +1,73 @@ | ||
To mitigate the risk of circular references in GraphQL, you can follow these recommendations: | ||
1. **Depth Limiting**: | ||
Implement a middleware to check the depth of the query, and raise an error if it exceeds the limit. | ||
Example: | ||
=== "python" | ||
```python | ||
class DepthAnalysisMiddleware: | ||
def resolve(self, next, root, info, **args): | ||
if info.operation.selection_set: | ||
depth = 0 | ||
for field in info.operation.selection_set.selections: | ||
depth = max(depth, self._get_depth(field)) | ||
if depth > 3: | ||
raise Exception('Query depth is too high') | ||
return next(root, info, **args) | ||
|
||
def _get_depth(self, field): | ||
if field.selection_set: | ||
return 1 + max(self._get_depth(f) for f in field.selection_set.selections) | ||
return 1 | ||
``` | ||
|
||
|
||
2. **Circular Reference Detection**: | ||
Redesign the schema to avoid circular references. | ||
Example of Circular Reference: | ||
=== "python" | ||
```python | ||
class User(graphene.ObjectType): | ||
id = graphene.ID() | ||
name = graphene.String() | ||
friends = graphene.List(lambda: User) | ||
|
||
def resolve_friends(self, info): | ||
return [User(id=1, name='Alice'), User(id=2, name='Bob')] | ||
``` | ||
|
||
Example of redesigned Schema: | ||
=== "python" | ||
```python | ||
class FriendProfile(graphene.ObjectType): | ||
id = graphene.ID() | ||
name = graphene.String() | ||
|
||
class User(graphene.ObjectType): | ||
id = graphene.ID() | ||
name = graphene.String() | ||
friends = graphene.List(FriendProfile) | ||
|
||
def resolve_friends(self, info): | ||
return [FriendProfile(id=1, name='Alice'), FriendProfile(id=2, name='Bob')] | ||
``` | ||
|
||
|
||
=== "JavaScript" | ||
```javascript | ||
const FriendProfile = new GraphQLObjectType({ | ||
name: 'FriendProfile', | ||
fields: { | ||
id: { type: GraphQLID }, | ||
name: { type: GraphQLString } | ||
} | ||
}); | ||
|
||
const User = new GraphQLObjectType({ | ||
name: 'User', | ||
fields: { | ||
id: { type: GraphQLID }, | ||
name: { type: GraphQLString }, | ||
friends: { type: new GraphQLList(FriendProfile) } | ||
} | ||
}); | ||
``` |
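Review bot: `DepthAnalysisMiddleware._get_depth` in recommendation 1 only handles `Field` nodes; a `FragmentSpread` node has no `selection_set` attribute, so a query that uses fragments raises `AttributeError` instead of being depth-checked, and an inline fragment is counted as a nesting level although it adds none. Handle both node kinds (resolve named fragments through `info.fragments`, count an inline fragment's children at the current depth), or implement the limit as a validation rule rather than middleware: `resolve` is invoked once per resolved field, so the whole-query depth walk is repeated for every field in the response. Also make the limit a parameter instead of the literal `3`, raise `GraphQLError` rather than a bare `Exception` so the client receives a proper `errors` entry, and add `import graphene` and `const { GraphQLObjectType, GraphQLID, GraphQLString, GraphQLList } = require('graphql')` to the schema snippets so they run as shown. Finally, the redesigned schema breaks the cycle only because `FriendProfile` has no `friends` field; say so explicitly, since the fix is undone the moment that field is added back.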