trailofbits.javascript.apollo-graphql.schema-directives.schema-directives

Author: trailofbits

This Apollo GraphQL server passes the 'schemaDirectives' option to ApolloServer. The option works in ApolloServer v2 but is silently ignored in version >=3, so whatever the directives enforce is never applied; depending on what they are used for, this can expose authenticated endpoints, disable rate limiting, and more. See the references for how to create custom directives in v3 and v4.

Definition

rules:
  - id: schema-directives
    message: The Apollo GraphQL uses the 'schemaDirectives' option. This works in
      ApolloServer v2, but does nothing in version >=3. Depending on what the
      directives are used for, this can expose authenticated endpoints, disable
      rate limiting, and more. See the references on how to create custom
      directives in v3 and v4.
    languages:
      - js
      - ts
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-686: Function Call With Incorrect Argument Type"
      subcategory:
        - vuln
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      technology:
        - graphql
        - apollo-graphql-server
      description: Use of outdated ApolloServer option 'schemaDirectives'
      references:
        - https://www.apollographql.com/docs/apollo-server/schema/directives/#custom-directives
      license: AGPL-3.0 license
      vulnerability_class:
        - Other
    pattern-either:
      - pattern: |
          new ApolloServer({..., schemaDirectives: ..., ...})

Examples

schema-directives.js

// Semgrep test file for the schema-directives rule; the ruleid/ok annotations
// mark the lines the rule is expected to match or ignore.
const { ApolloServer, gql } = require('apollo-server');
// rateLimitDirective is assumed to be a v2-style SchemaDirectiveVisitor defined
// elsewhere in the project (hypothetical module path).
const { rateLimitDirective } = require('./rate-limit-directive');

// Minimal schema so the file runs stand-alone.
const typeDefs = gql`type Query { hello: String }`;
const resolvers = { Query: { hello: () => 'world' } };

// BAD: Has 'schemaDirectives'. ApolloServer v2 applies rateLimitDirective;
// v3 and later silently ignore the option, so the rate limit never runs.
//ruleid: schema-directives
const apollo_server_1 = new ApolloServer({
    typeDefs,
    resolvers,
    schemaDirectives: {
        rateLimit: rateLimitDirective
    },
});

// GOOD: Does not have 'schemaDirectives'
//ok: schema-directives
const apollo_server_3 = new ApolloServer({
    typeDefs,
    resolvers,
});
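The Semgrep rule flags every 'schemaDirectives' key regardless of which ApolloServer version the project actually installs. The following Node script is an added example, not part of the rule or of Apollo, that ties the two together: it reads the apollo-server major version from package.json and only reports the option as an error when that major is 3 or higher, where the option is silently dropped. The sample package.json and source files are constructed inline; the package names, the line-based matching and the verdict strings are this example's own choices, not anything the rule defines.

```javascript
// Added audit helper (not part of the Semgrep rule or of Apollo): flags the v2-only
// 'schemaDirectives' option in projects whose apollo-server dependency is >= 3,
// where the option is ignored and any auth/rate-limit directive logic never runs.

// Package names checked; these are the common Apollo server entry points.
const APOLLO_PACKAGES = ['apollo-server', 'apollo-server-express', '@apollo/server'];

// Extract the major version from a package.json range such as "^3.12.0", "~2.25.2",
// ">=4.0.0" or "4.x". Returns null when no number is present.
function majorVersion(range) {
  const m = /(\d+)/.exec(range);
  return m ? parseInt(m[1], 10) : null;
}

// Return the major version of whichever Apollo server package the project declares.
function apolloMajor(packageJson) {
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  for (const name of APOLLO_PACKAGES) {
    if (name in deps) return majorVersion(deps[name]);
  }
  return null;
}

// Scan source text for a 'schemaDirectives' key inside a `new ApolloServer({...})`
// call. Line-based on purpose so findings carry file:line like the Semgrep output.
function findSchemaDirectivesUsage(filename, source) {
  const findings = [];
  let inServerCall = false;
  source.split('\n').forEach((line, idx) => {
    if (/new\s+ApolloServer\s*\(/.test(line)) inServerCall = true;
    if (inServerCall && /\bschemaDirectives\s*:/.test(line)) {
      findings.push({ file: filename, line: idx + 1, text: line.trim() });
    }
    // The call ends at a line closing the options object and the call, e.g. "});".
    if (inServerCall && /\}\s*\)\s*;?\s*$/.test(line)) inServerCall = false;
  });
  return findings;
}

// Combine both checks: the option is only a problem when the installed major is >= 3.
function auditProject(packageJson, sourceFiles) {
  const major = apolloMajor(packageJson);
  const usages = Object.entries(sourceFiles)
    .flatMap(([name, src]) => findSchemaDirectivesUsage(name, src));
  if (major === null) return { major, usages, verdict: 'unknown apollo version' };
  if (major < 3) {
    return { major, usages, verdict: usages.length ? 'ok (v2 honors schemaDirectives)' : 'ok' };
  }
  return { major, usages, verdict: usages.length ? 'ERROR: schemaDirectives ignored in v' + major : 'ok' };
}

// Constructed sample project: package.json pins apollo-server 3.x and one file
// still passes the v2-only option.
const SAMPLE_PACKAGE_JSON = { dependencies: { 'apollo-server': '^3.12.0', graphql: '^16.0.0' } };
const SAMPLE_SOURCES = {
  'server.js': [
    'const server = new ApolloServer({',
    '  typeDefs,',
    '  resolvers,',
    '  schemaDirectives: { auth: AuthDirective }, // v2-only, dropped by v3',
    '});',
  ].join('\n'),
  'healthcheck.js': 'const probe = new ApolloServer({ typeDefs, resolvers });',
};

console.log(JSON.stringify(auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES), null, 2));
```

Pointing the script at a real repository means reading package.json and the source files from disk in place of the constructed samples; the regex matching is deliberately simple and will miss an options object built up in a separate variable, which is where the Semgrep rule's AST pattern does better.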