Unchecked GraphQL Query Length: Potential Denial of Service Vulnerability
Description
The GraphQL server does not enforce limits on the size of incoming query strings, allowing arbitrarily large queries to be processed. Testing confirmed that queries exceeding 20,000 characters are accepted and executed without restriction. Without query size validation, the server is vulnerable to resource exhaustion attacks where malicious actors can submit oversized queries to degrade performance or cause service disruptions.
Implementing query length restrictions is a fundamental security control that prevents abuse and protects server resources from being overwhelmed by excessively large requests.
Remediation
Implement query size validation to reject requests that exceed reasonable length limits. This should be enforced as early as possible in the request processing pipeline, before the query reaches the GraphQL parser or execution engine.
Step 1: Determine an appropriate maximum query length based on your application's legitimate use cases. A limit between 2,000 and 10,000 characters is typical for most applications.
Step 2: Add middleware to validate the query length before processing. Here is an example implementation for Express.js:
    // Mount after the body parser (e.g. express.json()) so req.body is populated;
    // req.body is guarded because GET requests to /graphql carry no body.
    app.use('/graphql', (req, res, next) => {
      const query = req.query.query || (req.body && req.body.query) || '';
      const maxQueryLength = 8192; // 8,192 characters (String.length counts UTF-16 code units, not bytes)
      if (typeof query !== 'string' || query.length > maxQueryLength) {
        return res.status(413).json({
          error: 'Query exceeds maximum allowed length',
          maxLength: maxQueryLength
        });
      }
      next();
    });
Step 3: Consider implementing additional protections such as query complexity analysis and depth limiting to provide defense-in-depth against resource exhaustion attacks.
Step 4: Monitor rejected queries and adjust the length limit as needed based on legitimate application requirements.