Jamie Anderson 9ee16daa47
Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914)
* Update JSON schema to include STIG ASD 2023-06-08 mapping

* Update rules to add STIG metadata mappings

---------

Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
2024-05-06 08:56:31 +02:00


GraphQL servers are vulnerable to Denial of Service attacks when they fail to
limit the depth of queries. In such a case, an attacker is able to craft complex,
deeply nested queries that force the application to consume a large amount of
resources.
== Why is this an issue?
When a server receives a deeply nested query, it attempts to resolve all the
requested data. This process can consume a substantial amount of computational
resources, leading to a slowdown in server response times.
=== What is the potential impact?
A server that faces a resource exhaustion situation can become unstable.
The exact impact will depend on how the affected application is deployed and
how well the hosting server configuration is hardened.
In the worst case, when the application is deployed in an uncontained
environment, directly on its host system, the memory exhaustion will affect
the whole hosting server. The server's operating system might start killing
arbitrary memory-intensive processes, including the main application or other
sensitive ones. This will result in a general operating failure, also known
as a Denial of Service (DoS).
In cases where the application is deployed in a virtualized or otherwise
contained environment, or where resource usage limits are in place, the
consequences are limited to the vulnerable application only. In that case,
other processes and applications hosted on the same server may keep on
running without perturbation. The vulnerable application will still
stop working properly.
In general, such DoS attacks can have severe financial consequences, which are
particularly significant when the affected systems are business-critical.
== How to fix it
=== Code examples
==== Noncompliant code example
[source,python,diff-id=1,diff-type=noncompliant]
----
from flask import Flask
from graphql_server.flask import GraphQLView

app = Flask(__name__)
# `schema` is the application's graphene.Schema, defined elsewhere

app.add_url_rule("/api",
    view_func=GraphQLView.as_view( # Noncompliant
        name="api",
        schema=schema,
    )
)
----
==== Compliant solution
[source,python,diff-id=1,diff-type=compliant]
----
from flask import Flask
from graphql_server.flask import GraphQLView
from graphene.validation import depth_limit_validator

app = Flask(__name__)
# `schema` is the application's graphene.Schema, defined elsewhere

app.add_url_rule("/api",
    view_func=GraphQLView.as_view(
        name="api",
        schema=schema,
        validation_rules=[
            depth_limit_validator(10)  # Choose a value that fits your application's requirements
        ]
    )
)
----
=== How does this work?
==== Avoid circular references
A prerequisite for a deeply nested query to be executable is the presence of
circular references in the database schema, for example an Author model that
relates to Post while Post relates back to Author. Avoid or minimize
circular references when designing the application's database schema.
==== Set limits
Limit the depth of the queries your server will accept. By setting a maximum
depth, you can ensure that excessively nested queries are rejected. Remember,
the values for maximum depth and complexity should be set according to your
application's specific needs. Setting these limits too low could restrict
legitimate queries, while setting them too high could leave your server
vulnerable to attacks.
The easiest way to set such a limit is to use the query validation API available from Graphene 3. Applications running Graphene 2 should consider upgrading to Graphene 3 to benefit from this API.
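What a depth-limit validator actually has to measure, written out as a standalone added example (it is not part of this rule page and not graphene's `depth_limit_validator`): the query is tokenized so that braces inside strings, comments and argument object literals are never counted as selection sets, the nesting of selection sets is tracked per definition, named fragment spreads are expanded (a naive brace count misses the depth they pull in) and cyclic spreads are rejected. The function names `query_depth`, `is_within_depth_limit`, `nested_query` and the sample documents are assumptions made for this illustration; in a real application the Graphene validation rule shown in the compliant solution is what should be installed.

```python
"""GraphQL query-depth check, added as an illustration of what a depth-limit
validator has to measure. It is not graphene's depth_limit_validator."""
import re
from typing import Dict, List

# Comments and strings are matched first so braces inside them are never taken
# for selection sets; whitespace and commas are insignificant in GraphQL.
_TOKEN_RE = re.compile(
    r'#[^\n]*|"""(?:\\"""|(?!""").)*"""|"(?:\\.|[^"\\\n])*"|\.\.\.'
    r"|[A-Za-z_][A-Za-z0-9_]*|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|[{}()\[\]:=@$!|]|[\s,]+",
    re.DOTALL,
)
_NAME_RE = re.compile(r"[A-Za-z_]")


def tokenize(query: str) -> List[str]:
    tokens, pos = [], 0
    for m in _TOKEN_RE.finditer(query):
        if m.start() != pos:
            raise ValueError(f"unexpected character at offset {pos}")
        pos, tok = m.end(), m.group()
        if not (tok[0] == "#" or tok[0].isspace() or tok[0] == ","):
            tokens.append(tok)
    if pos != len(query):
        raise ValueError(f"unexpected character at offset {pos}")
    return tokens


def _scan(tokens: List[str]) -> List[list]:
    """One pass over the tokens. Each definition becomes
    [fragment name or None for an operation, max brace depth, [(depth, spread name)]]."""
    defs, stack, parens = [], [], 0  # stack: True per '{' that counts (a field), False for inline fragments
    frag_name, inline, cur = None, False, None
    for i, tok in enumerate(tokens):
        if parens or tok == "(":
            # Arguments and variable definitions: filter: {tag: "x"} has braces, but they are values
            parens += 1 if tok == "(" else -1 if tok == ")" else 0
        elif tok == "{":
            if not stack:  # a top-level brace opens a new definition
                cur = [frag_name, 0, []]
                defs.append(cur)
                frag_name = None
            stack.append(not inline)
            inline = False
            cur[1] = max(cur[1], sum(stack))
        elif tok == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok == "..." and stack:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt not in (None, "on") and _NAME_RE.match(nxt):
                cur[2].append((sum(stack), nxt))  # named spread, noted with its depth
            else:
                inline = True  # inline fragment: its '{' adds no depth
        elif tok == "fragment" and not stack and i + 1 < len(tokens):
            frag_name = tokens[i + 1]
    if stack or parens:
        raise ValueError("unbalanced braces or parentheses")
    return defs


def query_depth(query: str) -> int:
    """Depth of the deepest operation: a leaf field is 0 and `{ a { b } }` is 1,
    the convention graphql-depth-limit uses. Fragment spreads are expanded."""
    defs = _scan(tokenize(query))
    frags = {d[0]: d for d in defs if d[0] is not None}
    ops = [d for d in defs if d[0] is None]
    if not ops:
        raise ValueError("document contains no operation")
    memo: Dict[str, int] = {}  # resolved fragment depths, so repeated spreads stay linear

    def resolve(d: list, path: frozenset) -> int:
        depth = d[1] - 1  # the definition's own root selection set is not a level
        for spread_depth, name in d[2]:
            if name in path:
                raise ValueError(f"cyclic fragment spread: {name}")
            if name not in frags:
                raise ValueError(f"unknown fragment: {name}")
            if name not in memo:
                memo[name] = resolve(frags[name], path | {name})
            depth = max(depth, spread_depth - 1 + memo[name])
        return depth

    return max(resolve(op, frozenset()) for op in ops)


def is_within_depth_limit(query: str, max_depth: int = 10) -> bool:
    return query_depth(query) <= max_depth


# Constructed sample documents, not taken from the rule page.
LEGITIMATE_QUERY = """query Feed($first: Int = 10) {
  posts(first: $first, filter: {tag: "{ braces in a string }"}) {
    edges { node { id author { name } } }
  }
}"""
# The operation body alone is two braces deep; the fragments it spreads make it four.
FRAGMENT_QUERY = """{ author { ...PostsA } }
fragment PostsA on Author { posts { author { ...PostsB } } }
fragment PostsB on Author { posts { id } }"""


def nested_query(levels: int) -> str:
    """Constructed test input: `levels` author/posts pairs, i.e. depth 2 * levels."""
    return "{ " + "author { posts { " * levels + "id" + " } }" * levels + " }"
```

`query_depth(LEGITIMATE_QUERY)` is 4 and `query_depth(FRAGMENT_QUERY)` is also 4, although the operation in the second document looks shallow on its own; `nested_query(6)` is rejected by `is_within_depth_limit` at the default limit of 10 while `nested_query(5)` passes. Running the check before execution means a rejected query costs the server one cheap parse instead of a full resolution, which is the whole point of the limit; the value of `max_depth` still has to be chosen against the deepest query the application legitimately issues, as the text above says.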
== Resources
=== Standards
* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* OWASP - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[Top 10 2021 Category A5 - Security Misconfiguration]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/770[CWE-770 - Allocation of Resources Without Limits or Throttling]
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222667[Application Security and Development: V-222667] - Protections against DoS attacks must be implemented.
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
- Change this code to limit the depth of GraphQL queries
- This relationship creates circular references
=== Highlighting
- Highlight the call to ``++GraphQLView.as_view++`` (primary location)
- Highlight all calls to ``++sqlalchemy.orm.relationship++`` that create circular references (secondary location)
'''
endif::env-github,rspecator-view[]