Skip to main content

GraphQL IDE

Description

A GraphQL IDE provides an interface for users to interact with the Endpoint, but an IDE can also leave room for potential vulnerabilities.

Remediation

Disable GraphQL IDE, or restrict it. Head over to your specific engine documentation to know how to do it.

GraphQL Specific

Apollo

Ensure that the Apollo Server is configured with appropriate security settings, such as depth limiting and complexity analysis, to prevent malicious queries from overloading the server. Regularly update the Apollo framework to incorporate the latest security patches and features.

Yoga

To mitigate potential security risks in the Yoga framework engine when using GraphQL IDE, ensure that all queries are validated against a schema that defines allowed operations. Implement proper authentication and authorization checks to control access to sensitive data. Regularly update the Yoga framework to incorporate the latest security patches and features.

Awsappsync

To mitigate the risk of injection attacks in AWS AppSync, ensure that all GraphQL queries are parameterized. Avoid using string interpolation or concatenation to insert variables directly into queries. Instead, use GraphQL's built-in support for variables. This approach allows the AppSync framework to safely parse and validate the input before executing the query, reducing the attack surface for malicious actors.

Graphqlgo

To mitigate the risk of injection attacks in a GraphQL Go framework engine, ensure that all user-supplied inputs are properly validated and sanitized. Use prepared statements with variable binding for all database queries to prevent injection vulnerabilities. Additionally, implement proper error handling to avoid exposing sensitive information through error messages. Regularly review and update dependencies to patch any known vulnerabilities in the framework or associated libraries.

Graphqlruby

To mitigate potential vulnerabilities in the GraphQL Ruby framework, ensure that all queries are properly sanitized and use parameterized queries to prevent injection attacks. Additionally, implement strict type checking and input validation to avoid malicious data from being processed. Regularly update the framework to the latest version to benefit from security patches and improvements.

Hasura

To mitigate the risk of injection attacks in Hasura, ensure that all GraphQL queries are constructed using parameterized statements. This approach prevents attackers from manipulating the query by injecting malicious code. Additionally, apply strict access controls and validate all inputs to further enhance the security of your Hasura GraphQL engine.

Configuration

Identifier: configuration/ide_enabled

Examples

Ignore this check

checks:
  configuration/ide_enabled:
    skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API7:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-6

Classification

  • CWE: 200

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • CVSS_SCORE: 4.8