Merge pull request #173 from Ostorlab/features/Add-GRAPHQL_CIRCULAR_R…

…EFERENCES-kb

Add `GRAPHQL_CIRCULAR_REFERENCES` kb.

WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md

@@ -0,0 +1,23 @@
+GraphQL allows clients to request specific data, and its flexibility can be exploited to create complex or recursive queries. Circular references occur when an object type refers back to itself directly or indirectly through other types.
+
+For example:
+```graphql
+ query CircularReferences {
+ user {
+ friends {
+ user {
+ friends {
+ user {
+ __typename
+ }
+ }
+ }
+ }
+ }
+ }
+```
+
+Security Impact of Circular References in GraphQL:
+
+- **Denial of Service**: By sending a large query with too many nested references, an attacker can overwhelm the server, causing it to slow down or crash.
+- **Resource Exhaustion**: The server may run out of memory or CPU resources while processing the query, leading to performance degradation or service unavailability.

WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json

@@ -0,0 +1,35 @@
+{
+ "risk_rating": "medium",
+ "title": "GraphQL Circular References",
+ "short_description": "Circular references in GraphQL where a field references itself or another field that references the original field can lead to infinite loops and DoS attacks.",
+ "references": {
+ "imperva": "https://www.imperva.com/blog/graphql-vulnerabilities-common-attacks/#circular-queries"
+ },
+ "privacy_issue": false,
+ "security_issue": true,
+ "categories": {
+ "CWE_TOP_25": [
+ "CWE_400"
+ ],
+ "PCI_STANDARDS": [
+ "REQ_6_2",
+ "REQ_6_4",
+ "REQ_11_3"
+ ],
+ "OWASP_MASVS_L2": [
+ "MSTG_PLATFORM_2"
+ ],
+ "OWASP_ASVS_L3": [
+ "V13_4_1"
+ ],
+ "SOC2_CONTROLS": [
+ "CC_2_1",
+ "CC_4_1",
+ "CC_7_1",
+ "CC_7_2",
+ "CC_7_4",
+ "CC_7_5",
+ "CC_9_1"
+ ]
+ }
+}

WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md

@@ -0,0 +1,73 @@
+To mitigate the risk of circular references in GraphQL, you can follow these recommendations:
+1. **Depth Limiting**:
+Implement a middleware to check the depth of the query, and raise an error if it exceeds the limit.
+Example:
+=== "python"
+ ```python
+ class DepthAnalysisMiddleware:
+ def resolve(self, next, root, info, **args):
+ if info.operation.selection_set:
+ depth = 0
+ for field in info.operation.selection_set.selections:
+ depth = max(depth, self._get_depth(field))
+ if depth > 3:
+ raise Exception('Query depth is too high')
+ return next(root, info, **args)
+
+ def _get_depth(self, field):
+ if field.selection_set:
+ return 1 + max(self._get_depth(f) for f in field.selection_set.selections)
+ return 1
+ ```
+
+
+2. **Circular Reference Detection**:
+Redesign the schema to avoid circular references.
+Example of Circular Reference:
+=== "python"
+ ```python
+ class User(graphene.ObjectType):
+ id = graphene.ID()
+ name = graphene.String()
+ friends = graphene.List(lambda: User)
+
+ def resolve_friends(self, info):
+ return [User(id=1, name='Alice'), User(id=2, name='Bob')]
+ ```
+
+Example of redesigned Schema:
+=== "python"
+ ```python
+ class FriendProfile(graphene.ObjectType):
+ id = graphene.ID()
+ name = graphene.String()
+
+ class User(graphene.ObjectType):
+ id = graphene.ID()
+ name = graphene.String()
+ friends = graphene.List(FriendProfile)
+
+ def resolve_friends(self, info):
+ return [FriendProfile(id=1, name='Alice'), FriendProfile(id=2, name='Bob')]
+ ```
+
+
+=== "JavaScript"
+ ```javascript
+ const FriendProfile = new GraphQLObjectType({
+ name: 'FriendProfile',
+ fields: {
+ id: { type: GraphQLID },
+ name: { type: GraphQLString }
+ }
+ });
+
+ const User = new GraphQLObjectType({
+ name: 'User',
+ fields: {
+ id: { type: GraphQLID },
+ name: { type: GraphQLString },
+ friends: { type: new GraphQLList(FriendProfile) }
+ }
+ }); 
+ ```