From 113572535de6420b90f51641cf61f33dc2717726 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 21 Nov 2023 14:52:33 +0100 Subject: [PATCH] Create rule S6785: GraphQL queries should not be vulnerable to Denial of Service attacks (#3157) --- rules/S6785/metadata.json | 2 + rules/S6785/python/metadata.json | 44 ++++++++++++ rules/S6785/python/rule.adoc | 113 +++++++++++++++++++++++++++++++ 3 files changed, 159 insertions(+) create mode 100644 rules/S6785/metadata.json create mode 100644 rules/S6785/python/metadata.json create mode 100644 rules/S6785/python/rule.adoc diff --git a/rules/S6785/metadata.json b/rules/S6785/metadata.json new file mode 100644 index 00000000000..2c63c085104 --- /dev/null +++ b/rules/S6785/metadata.json @@ -0,0 +1,2 @@ +{ +} diff --git a/rules/S6785/python/metadata.json b/rules/S6785/python/metadata.json new file mode 100644 index 00000000000..02143f7a475 --- /dev/null +++ b/rules/S6785/python/metadata.json @@ -0,0 +1,44 @@ +{ + "title": "GraphQL queries should not be vulnerable to Denial of Service attacks", + "type": "VULNERABILITY", + "status": "ready", + "remediation": { + "func": "Constant/Issue", + "constantCost": "1d" + }, + "tags": [ + ], + "securityStandards": { + "CWE": [ + 770 + ], + "OWASP": [ + "A4", + "A6" + ], + "OWASP Top 10 2021": [ + "A5" + ], + "PCI DSS 3.2": [ + "6.5" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "13.4.1" + ] + }, + "defaultSeverity": "Critical", + "ruleSpecification": "RSPEC-6785", + "sqKey": "S6785", + "scope": "All", + "defaultQualityProfiles": ["Sonar way"], + "quickfix": "unknown", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "COMPLETE" + } +} diff --git a/rules/S6785/python/rule.adoc b/rules/S6785/python/rule.adoc new file mode 100644 index 00000000000..d058f3769f8 --- /dev/null +++ b/rules/S6785/python/rule.adoc @@ -0,0 +1,113 @@ +GraphQL servers are vulnerable to Denial of Service attacks when they fail to +limit the depth of queries. In such a case, an attacker is able to craft complex, +deeply nested queries to make the application unwillingly consume an important +amount of resources. + +== Why is this an issue? + +When a server receives a deeply nested query, it attempts to resolve all the +requested data. This process can consume a substantial amount of computational +resources, leading to a slowdown in server response times. + +=== What is the potential impact? + +A server that faces a resource exhaustion situation can become unstable. +The exact impact will depend on how the affected application is deployed and +how well the hosting server configuration is hardened. + +In the worst case, when the application is deployed in an uncontained +environment, directly on its host system, the memory exhaustion will affect +the whole hosting server. The server’s operating system might start killing +arbitrary memory-intensive processes, including the main application or other +sensitive ones. This will result in a general operating failure, also known +as a Denial of Service (DoS). + +In cases where the application is deployed in a virtualized or otherwise +contained environment, or where resource usage limits are in place, the +consequences are limited to the vulnerable application only. In that case, +other processes and applications hosted on the same server may keep on +running without perturbation. The vulnerable application will still +stop working properly. + +In general, that kind of DoS attack can have severe financial consequences. +They are particularly important when the affected systems are business-critical. + +== How to fix it + +=== Code examples + +==== Noncompliant code example + +[source,python,diff-id=1,diff-type=noncompliant] +---- +from graphql_server.flask import GraphQLView + +app.add_url_rule("/api", + view_func=GraphQLView.as_view( # Noncompliant + name="api", + schema=schema, + ) +) +---- + +==== Compliant solution + +[source,python,diff-id=1,diff-type=compliant] +---- +from graphql_server.flask import GraphQLView +from graphene.validation import depth_limit_validator + +app.add_url_rule("/api", + view_func=GraphQLView.as_view( + name="api", + schema=schema, + validation_rules=[ + depth_limit_validator(10) # Choose a value that fits your application's requirements + ] + ) +) +---- + +=== How does this work? + +==== Avoid circular references + +A prerequisite for deeply nested query to be executed is the presence of +circular references in the database schema. Avoid or minimize +circular references when designing the application's database schema. + +==== Set limits + +Limit the depth of the queries your server will accept. By setting a maximum +depth, you can ensure that excessively nested queries are rejected. Remember, +the values for maximum depth and complexity should be set according to your +application's specific needs. Setting these limits too low could restrict +legitimate queries, while setting them too high could leave your server +vulnerable to attacks. + +== Resources + +=== Standards + +* OWASP Top 10 - https://owasp.org/Top10/A04_2021-Insecure_Design/[A4:2021 – Insecure Design] +* OWASP Top 10 - https://www.owasp.org/index.php/Top_10-2017_A1-Injection[A6:2017 - Security Misconfiguration] +* MITRE - https://cwe.mitre.org/data/definitions/770.html[CWE-707: Allocation of Resources Without Limits or Throttling] + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +=== Message + +- Change this code to limit the depth of GraphQL queries +- This relationship creates circular references + +=== Highlighting + +- Highlight the call to ``++GraphQLView.as_view++`` (primary location) +- Highlight all calls to ``++sqlalchemy.orm.relationship++`` that create circular references (secondary location) + +''' +endif::env-github,rspecator-view[]