Skip to main content

Width limit

Description

GraphQL defines the maximum width of a query as the maximum number of subfields queried from one field.

If no limit is set on query width, clients may therefore craft a complex query that could lead to potential DoS attacks or information leakage.

Remediation

Set a threshold on the maximum number of subfields that can be queried simultaneously.

GraphQL Specific

Apollo

To address issues with the Apollo framework engine, ensure that you are using the latest stable version of the framework. Update your dependencies and check for any deprecated features that may need to be replaced. Additionally, review the Apollo documentation for best practices on schema design, query optimization, and error handling to improve the performance and reliability of your GraphQL API.

Yoga

To address issues within the Yoga framework engine, ensure that all components adhere to the specified width limits. This can be achieved by setting appropriate constraints within your CSS or inline styles. For instance, use 'max-width' property to prevent elements from stretching beyond the desired width. Additionally, consider utilizing responsive design techniques to maintain layout integrity across different screen sizes. Regularly test your application on various devices to confirm that width restrictions are properly enforced.

Awsappsync

To address the width limit in AWS AppSync, ensure that your schema design is optimized for the queries you intend to run. Break down large queries into smaller, more manageable ones and consider implementing pagination to handle large datasets. Additionally, leverage AWS AppSync's built-in caching mechanisms to improve performance and reduce the data retrieval load. Monitor and adjust the response size limits as per your application's requirements.

Graphqlgo

To mitigate potential security risks in the GraphQL Go framework engine, ensure that you implement a width limit for your queries. This can be achieved by setting a maximum depth for each query to prevent excessively nested queries that could lead to performance issues or denial of service attacks. Use middleware or a query complexity analysis tool to enforce these limits and protect your GraphQL service.

Graphqlruby

In the GraphQL Ruby framework, ensure that you define a width limit for your queries to prevent overly complex queries that can lead to performance issues. Implement query complexity analysis to assign costs to different fields and types, and set a maximum query cost that can be executed. This can be done using the max_complexity method in your schema definition. Additionally, consider using the throttle gem to rate-limit queries based on their complexity and the time frame in which they are executed.

Hasura

To address potential performance issues with the Hasura framework engine, ensure that you are using appropriate field-level permissions to limit the width of the data being fetched. This can be done by setting strict permissions on the GraphQL types and fields in your Hasura schema. Additionally, consider implementing query depth limiting and cost analysis to prevent overly complex queries from overloading the system. By managing the data returned through permissions and query analysis, you can optimize the performance and security of your Hasura engine.

Configuration

Identifier: resource_limitation/graphql_width_limit

Options

  • threshold : Maximum width before raising an alert (-1 = infinite).

Examples

Ignore this check

checks:
  resource_limitation/graphql_width_limit:
    skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API4:2023

  • pci: 6.5.10

  • gdpr: Article-32

  • soc2: CC6

  • psd2: Article-94

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: SC-5

Classification

  • CWE: 770

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References