From c5a7e8450792459a7939ba892544e625dc74df5d Mon Sep 17 00:00:00 2001 From: mohsinenar Date: Fri, 13 Sep 2024 15:56:13 +0100 Subject: [PATCH 1/9] Add `GRAPHQL_CIRCULAR_REFERENCES` kb. --- .../description.md | 23 +++++++++ .../GRAPHQL_CIRCULAR_REFERENCES/meta.json | 36 ++++++++++++++ .../recommendation.md | 49 +++++++++++++++++++ 3 files changed, 108 insertions(+) create mode 100644 WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md create mode 100644 WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json create mode 100644 WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md new file mode 100644 index 00000000..47eef4e7 --- /dev/null +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md @@ -0,0 +1,23 @@ +GraphQL allows clients to request specific data, and its flexibility can be exploited to create complex or recursive queries. Circular references occur when an object type refers back to itself directly or indirectly through other types. + +For example: +``` + Query CircularReferences: { + user { + friends { + user { + friends { + user { + ... + } + } + } + } + } + } +``` + +Security Impact of Alias Overloading: + +- **Denial of Service**: By sending a large query with many nested aliases, an attacker can overwhelm the server, causing it to slow down or crash. +- **Resource Exhaustion**: The server may run out of memory or CPU resources while processing the query, leading to performance degradation or service unavailability. diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json new file mode 100644 index 00000000..c8d3b525 --- /dev/null +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json @@ -0,0 +1,36 @@ +{ + "risk_rating": "medium", + "title": "GraphQL Circular References", + "short_description": "Circular references in GraphQL where a field references itself or another field that references the original field can lead to infinite loops and DoS attacks.", + "references": { + "medium@laur.telliskivi": "https://medium.com/@laur.telliskivi/circular-fragment-exploitation-in-graphql-with-burpsuite-42c490ecab98", + "imperva": "https://www.imperva.com/blog/graphql-vulnerabilities-common-attacks/#circular-queries", + }, + "privacy_issue": false, + "security_issue": true, + "categories": { + "CWE_TOP_25": [ + "CWE_400" + ], + "PCI_STANDARDS": [ + "REQ_6_2", + "REQ_6_4", + "REQ_11_3" + ], + "OWASP_MASVS_L2": [ + "MSTG_PLATFORM_2" + ], + "OWASP_ASVS_L3": [ + "V13_4_1" + ], + "SOC2_CONTROLS": [ + "CC_2_1", + "CC_4_1", + "CC_7_1", + "CC_7_2", + "CC_7_4", + "CC_7_5", + "CC_9_1" + ] + } +} diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md new file mode 100644 index 00000000..cdda25e5 --- /dev/null +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md @@ -0,0 +1,49 @@ +### Pseudocode Plan + +1. **Depth Limiting**: +Implement a middleware to check the depth of the query, and raise an error if it exceeds the limit. +Example: +```python +class DepthAnalysisMiddleware: + def resolve(self, next, root, info, **args): + if info.operation.selection_set: + depth = 0 + for field in info.operation.selection_set.selections: + depth = max(depth, self._get_depth(field)) + if depth > 3: + raise Exception('Query depth is too high') + return next(root, info, **args) + + def _get_depth(self, field): + if field.selection_set: + return 1 + max(self._get_depth(f) for f in field.selection_set.selections) + return 1 +``` + +2. **Circular Reference Detection**: +Redesign the schema to avoid circular references. +Example Of Circular Reference: +```python +class User(graphene.ObjectType): + id = graphene.ID() + name = graphene.String() + friends = graphene.List(lambda: User) + + def resolve_friends(self, info): + return [User(id=1, name='Alice'), User(id=2, name='Bob')] +``` + +Example Of Redesigned Schema: +```python +class FriendProfile(graphene.ObjectType): + id = graphene.ID() + name = graphene.String() + +class User(graphene.ObjectType): + id = graphene.ID() + name = graphene.String() + friends = graphene.List(FriendProfile) + + def resolve_friends(self, info): + return [FriendProfile(id=1, name='Alice'), FriendProfile(id=2, name='Bob')] +``` From 5ee83aefa7cac880eae2e1f442200ede7bfecd37 Mon Sep 17 00:00:00 2001 From: mohsinenar Date: Fri, 13 Sep 2024 15:57:24 +0100 Subject: [PATCH 2/9] Add `GRAPHQL_CIRCULAR_REFERENCES` kb. --- .../WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md index cdda25e5..51fabb8e 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md @@ -1,5 +1,4 @@ -### Pseudocode Plan - +To mitigate the risk of circular references in GraphQL, you can follow these recommendations: 1. **Depth Limiting**: Implement a middleware to check the depth of the query, and raise an error if it exceeds the limit. Example: From a689852e27618352ca7fb09ee855d14665736b3c Mon Sep 17 00:00:00 2001 From: mohsinenar Date: Fri, 13 Sep 2024 15:58:38 +0100 Subject: [PATCH 3/9] Add `GRAPHQL_CIRCULAR_REFERENCES` kb. --- WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json index c8d3b525..2dc11080 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json @@ -4,7 +4,7 @@ "short_description": "Circular references in GraphQL where a field references itself or another field that references the original field can lead to infinite loops and DoS attacks.", "references": { "medium@laur.telliskivi": "https://medium.com/@laur.telliskivi/circular-fragment-exploitation-in-graphql-with-burpsuite-42c490ecab98", - "imperva": "https://www.imperva.com/blog/graphql-vulnerabilities-common-attacks/#circular-queries", + "imperva": "https://www.imperva.com/blog/graphql-vulnerabilities-common-attacks/#circular-queries" }, "privacy_issue": false, "security_issue": true, From 2e278518feaa20616ccfd1e62063e818fd227e1c Mon Sep 17 00:00:00 2001 From: mohsinenar Date: Fri, 13 Sep 2024 17:04:10 +0100 Subject: [PATCH 4/9] Fix comments --- .../description.md | 6 +- .../recommendation.md | 77 ++++++++++--------- 2 files changed, 43 insertions(+), 40 deletions(-) diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md index 47eef4e7..0ad77f4c 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md @@ -1,14 +1,14 @@ GraphQL allows clients to request specific data, and its flexibility can be exploited to create complex or recursive queries. Circular references occur when an object type refers back to itself directly or indirectly through other types. For example: -``` - Query CircularReferences: { +```graphql + query CircularReferences { user { friends { user { friends { user { - ... + __typename } } } diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md index 51fabb8e..615e6efd 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md @@ -2,47 +2,50 @@ To mitigate the risk of circular references in GraphQL, you can follow these rec 1. **Depth Limiting**: Implement a middleware to check the depth of the query, and raise an error if it exceeds the limit. Example: -```python -class DepthAnalysisMiddleware: - def resolve(self, next, root, info, **args): - if info.operation.selection_set: - depth = 0 - for field in info.operation.selection_set.selections: - depth = max(depth, self._get_depth(field)) - if depth > 3: - raise Exception('Query depth is too high') - return next(root, info, **args) - - def _get_depth(self, field): - if field.selection_set: - return 1 + max(self._get_depth(f) for f in field.selection_set.selections) - return 1 -``` +=== "Python" + ```python + class DepthAnalysisMiddleware: + def resolve(self, next, root, info, **args): + if info.operation.selection_set: + depth = 0 + for field in info.operation.selection_set.selections: + depth = max(depth, self._get_depth(field)) + if depth > 3: + raise Exception('Query depth is too high') + return next(root, info, **args) + + def _get_depth(self, field): + if field.selection_set: + return 1 + max(self._get_depth(f) for f in field.selection_set.selections) + return 1 + ``` 2. **Circular Reference Detection**: Redesign the schema to avoid circular references. Example Of Circular Reference: -```python -class User(graphene.ObjectType): - id = graphene.ID() - name = graphene.String() - friends = graphene.List(lambda: User) - - def resolve_friends(self, info): - return [User(id=1, name='Alice'), User(id=2, name='Bob')] -``` +=== "Python" + ```python + class User(graphene.ObjectType): + id = graphene.ID() + name = graphene.String() + friends = graphene.List(lambda: User) + + def resolve_friends(self, info): + return [User(id=1, name='Alice'), User(id=2, name='Bob')] + ``` Example Of Redesigned Schema: -```python -class FriendProfile(graphene.ObjectType): - id = graphene.ID() - name = graphene.String() - -class User(graphene.ObjectType): - id = graphene.ID() - name = graphene.String() - friends = graphene.List(FriendProfile) +=== "Python" + ```python + class FriendProfile(graphene.ObjectType): + id = graphene.ID() + name = graphene.String() - def resolve_friends(self, info): - return [FriendProfile(id=1, name='Alice'), FriendProfile(id=2, name='Bob')] -``` + class User(graphene.ObjectType): + id = graphene.ID() + name = graphene.String() + friends = graphene.List(FriendProfile) + + def resolve_friends(self, info): + return [FriendProfile(id=1, name='Alice'), FriendProfile(id=2, name='Bob')] + ``` From 74ca35fd71ffc46af23f378244d93a6303892a20 Mon Sep 17 00:00:00 2001 From: mohsinenar Date: Thu, 19 Sep 2024 10:23:52 +0100 Subject: [PATCH 5/9] Fix comments --- .../description.md | 2 +- .../GRAPHQL_CIRCULAR_REFERENCES/meta.json | 1 - .../recommendation.md | 20 +++++++++++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md index 0ad77f4c..40505c36 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md @@ -19,5 +19,5 @@ For example: Security Impact of Alias Overloading: -- **Denial of Service**: By sending a large query with many nested aliases, an attacker can overwhelm the server, causing it to slow down or crash. +- **Denial of Service**: By sending a large query with too many nested references, an attacker can overwhelm the server, causing it to slow down or crash. - **Resource Exhaustion**: The server may run out of memory or CPU resources while processing the query, leading to performance degradation or service unavailability. diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json index 2dc11080..c01a02cb 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/meta.json @@ -3,7 +3,6 @@ "title": "GraphQL Circular References", "short_description": "Circular references in GraphQL where a field references itself or another field that references the original field can lead to infinite loops and DoS attacks.", "references": { - "medium@laur.telliskivi": "https://medium.com/@laur.telliskivi/circular-fragment-exploitation-in-graphql-with-burpsuite-42c490ecab98", "imperva": "https://www.imperva.com/blog/graphql-vulnerabilities-common-attacks/#circular-queries" }, "privacy_issue": false, diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md index 615e6efd..eb8889e6 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md @@ -49,3 +49,23 @@ Example Of Redesigned Schema: def resolve_friends(self, info): return [FriendProfile(id=1, name='Alice'), FriendProfile(id=2, name='Bob')] ``` + +=== "Javascript" + ```javascript + const FriendProfile = new GraphQLObjectType({ + name: 'FriendProfile', + fields: { + id: { type: GraphQLID }, + name: { type: GraphQLString } + } + }); + + const User = new GraphQLObjectType({ + name: 'User', + fields: { + id: { type: GraphQLID }, + name: { type: GraphQLString }, + friends: { type: new GraphQLList(FriendProfile) } + } + }); + ``` \ No newline at end of file From 18eb1f65e79b08c19a750e03bfa3339fce3bc0ea Mon Sep 17 00:00:00 2001 From: mouhcine narhmouche Date: Thu, 19 Sep 2024 14:15:57 +0100 Subject: [PATCH 6/9] Update WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md Co-authored-by: Muffins <121631800+rabsondev@users.noreply.github.com> --- .../WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md index eb8889e6..7daeabd1 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md @@ -34,7 +34,7 @@ Example Of Circular Reference: return [User(id=1, name='Alice'), User(id=2, name='Bob')] ``` -Example Of Redesigned Schema: +Example of redesigned Schema: === "Python" ```python class FriendProfile(graphene.ObjectType): From 8d23282df98ad2fd92c9663a594fced117c57c88 Mon Sep 17 00:00:00 2001 From: mouhcine narhmouche Date: Thu, 19 Sep 2024 14:16:05 +0100 Subject: [PATCH 7/9] Update WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md Co-authored-by: Muffins <121631800+rabsondev@users.noreply.github.com> --- .../WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md index 7daeabd1..df44e45e 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md @@ -22,7 +22,7 @@ Example: 2. **Circular Reference Detection**: Redesign the schema to avoid circular references. -Example Of Circular Reference: +Example of Circular Reference: === "Python" ```python class User(graphene.ObjectType): From e8a4784ed428c9c3d67626e8fb6c82c775f03974 Mon Sep 17 00:00:00 2001 From: mouhcine narhmouche Date: Thu, 19 Sep 2024 14:16:13 +0100 Subject: [PATCH 8/9] Update WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md Co-authored-by: Muffins <121631800+rabsondev@users.noreply.github.com> --- .../WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md index df44e45e..c238164d 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md @@ -50,7 +50,7 @@ Example of redesigned Schema: return [FriendProfile(id=1, name='Alice'), FriendProfile(id=2, name='Bob')] ``` -=== "Javascript" +=== "JavaScript" ```javascript const FriendProfile = new GraphQLObjectType({ name: 'FriendProfile', From 62928fe007a73a4d45b73e25632bc8d675a4bce1 Mon Sep 17 00:00:00 2001 From: mohsinenar Date: Thu, 19 Sep 2024 14:27:21 +0100 Subject: [PATCH 9/9] Fix comments --- .../description.md | 2 +- .../recommendation.md | 56 ++++++++++--------- 2 files changed, 30 insertions(+), 28 deletions(-) diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md index 40505c36..79f34803 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/description.md @@ -17,7 +17,7 @@ For example: } ``` -Security Impact of Alias Overloading: +Security Impact of Circular References in GraphQL: - **Denial of Service**: By sending a large query with too many nested references, an attacker can overwhelm the server, causing it to slow down or crash. - **Resource Exhaustion**: The server may run out of memory or CPU resources while processing the query, leading to performance degradation or service unavailability. diff --git a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md index c238164d..97721581 100644 --- a/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md +++ b/WEB_SERVICE/WEB/_MEDIUM/GRAPHQL_CIRCULAR_REFERENCES/recommendation.md @@ -2,8 +2,8 @@ To mitigate the risk of circular references in GraphQL, you can follow these rec 1. **Depth Limiting**: Implement a middleware to check the depth of the query, and raise an error if it exceeds the limit. Example: -=== "Python" - ```python +=== "python" + ```python class DepthAnalysisMiddleware: def resolve(self, next, root, info, **args): if info.operation.selection_set: @@ -18,13 +18,14 @@ Example: if field.selection_set: return 1 + max(self._get_depth(f) for f in field.selection_set.selections) return 1 - ``` + ``` + 2. **Circular Reference Detection**: Redesign the schema to avoid circular references. Example of Circular Reference: -=== "Python" - ```python +=== "python" + ```python class User(graphene.ObjectType): id = graphene.ID() name = graphene.String() @@ -32,11 +33,11 @@ Example of Circular Reference: def resolve_friends(self, info): return [User(id=1, name='Alice'), User(id=2, name='Bob')] - ``` + ``` Example of redesigned Schema: -=== "Python" - ```python +=== "python" + ```python class FriendProfile(graphene.ObjectType): id = graphene.ID() name = graphene.String() @@ -48,24 +49,25 @@ Example of redesigned Schema: def resolve_friends(self, info): return [FriendProfile(id=1, name='Alice'), FriendProfile(id=2, name='Bob')] - ``` + ``` + === "JavaScript" - ```javascript - const FriendProfile = new GraphQLObjectType({ - name: 'FriendProfile', - fields: { - id: { type: GraphQLID }, - name: { type: GraphQLString } - } - }); - - const User = new GraphQLObjectType({ - name: 'User', - fields: { - id: { type: GraphQLID }, - name: { type: GraphQLString }, - friends: { type: new GraphQLList(FriendProfile) } - } - }); - ``` \ No newline at end of file + ```javascript + const FriendProfile = new GraphQLObjectType({ + name: 'FriendProfile', + fields: { + id: { type: GraphQLID }, + name: { type: GraphQLString } + } + }); + + const User = new GraphQLObjectType({ + name: 'User', + fields: { + id: { type: GraphQLID }, + name: { type: GraphQLString }, + friends: { type: new GraphQLList(FriendProfile) } + } + }); + ``` \ No newline at end of file