Skip to content

Object Limit Overriding in GraphQL

Object Limit Overriding in GraphQL

Description

Object Limit Overriding in GraphQL refers to a vulnerability where an attacker can manipulate query arguments to exceed the intended limits of an API. This often involves passing extremely large values to pagination or limit parameters, potentially leading to denial-of-service (DoS) attacks or excessive resource consumption.

Potential Risks:

Denial of Service (DoS): By requesting an excessive number of objects, attackers can overwhelm the server, causing performance degradation or outages.

Resource Exhaustion: Queries requesting a vast number of objects can overload the server's memory and processing capabilities.

Data Exposure: In some cases, bypassing limits could lead to unauthorized access to large amounts of data.

Increased Costs: For cloud-based services, processing queries with extremely large limits may result in unexpected costs due to high resource usage.

Vulnerable Query Example:

query {
  users(first: 1000000) {
    id
    name
    email
  }
}

Recommendation

To mitigate the risk of object limit overriding in GraphQL, implement the following measures:

Query Complexity Analysis: Use tools or libraries to analyze and limit the complexity of incoming queries. Libraries like graphql-query-complexity can help.

Rate Limiting: Implement rate limiting to restrict the number of queries that can be sent by a single user or IP address within a certain timeframe.

Pagination and Limits: Apply limits to the amount of data returned in a single query. Ensure that pagination is used to control the volume of data.

Example Implementation:

const { ApolloServer, gql } = require('apollo-server');
const { getComplexity, simpleEstimator, fieldExtensionsEstimator } = require('graphql-query-complexity');
const { GraphQLObjectType, GraphQLInt, GraphQLString, GraphQLSchema } = require('graphql');

// Define your GraphQL schema
const typeDefs = gql`
  type Query {
    hello: String
    user(id: ID!): User
  }

  type User {
    id: ID!
    name: String
    age: Int
  }
`;

// Define your resolvers
const resolvers = {
  Query: {
    hello: () => 'Hello world!',
    user: (_, { id }) => ({
      id,
      name: 'John Doe',
      age: 30,
    }),
  },
};

// Create an Apollo Server instance with query complexity analysis
const server = new ApolloServer({
  typeDefs,
  resolvers,
  plugins: [
    {
      // This plugin computes the complexity of incoming queries
      requestDidStart: () => ({
        didResolveOperation({ request, document }) {
          const complexity = getComplexity({
            schema: server.schema,
            query: document,
            variables: request.variables,
            estimators: [
              fieldExtensionsEstimator(),
              simpleEstimator({ defaultComplexity: 1 }),
            ],
          });

          // Define a maximum complexity limit
          const maxComplexity = 100;

          // Check if the query complexity exceeds the maximum allowed
          if (complexity > maxComplexity) {
            throw new Error(`Query is too complex: ${complexity}. Maximum allowed complexity: ${maxComplexity}`);
          }
        },
      }),
    },
  ],
});

// Start the server
server.listen().then(({ url }) => {
  console.log(`🚀 Server ready at ${url}`);
});

from graphql import parse, execute, validate, GraphQLError
from graphql.language.visitor import visit, Visitor

class ComplexityVisitor(Visitor):
    def __init__(self):
        self.complexity = 0
        self.max_complexity = 100

    def enter_field(self, node, key, parent, path, ancestors):
        complexity = 1  # Base complexity for each field
        self.complexity += complexity
        if self.complexity > self.max_complexity:
            raise GraphQLError(f"Query complexity exceeds maximum allowed complexity of {self.max_complexity}")

def complexity_middleware(schema, query):
    document = parse(query)
    visitor = ComplexityVisitor()
    visit(document, visitor)
    return visitor.complexity

def execute_with_complexity_check(schema, query, variables=None):
    complexity = complexity_middleware(schema, query)
    if complexity > 100:
        raise GraphQLError(f"Query complexity exceeds maximum allowed complexity of 100")
    result = execute(schema, parse(query), variable_values=variables)
    return result

By using these recommendations and configurations, you can better protect your GraphQL APIs from the risks associated with object limit overriding.

Standards

  • CWE_TOP_25:
    • CWE_20
    • CWE_400
  • PCI_STANDARDS:
    • REQ_6_1
    • REQ_6_2
    • REQ_6_4
    • REQ_11_3
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_2
  • OWASP_ASVS_L3:
    • V13_4_1
  • SOC2_CONTROLS:
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5
    • CC_9_1