trailofbits.javascript.apollo-graphql.schema-directives.schema-directives
trailofbits
Author
unknown
Download Count*
License
The Apollo GraphQL uses the 'schemaDirectives' option. This works in ApolloServer v2, but does nothing in version >=3. Depending on what the directives are used for, this can expose authenticated endpoints, disable rate limiting, and more. See the references on how to create custom directives in v3 and v4.
Run Locally
Run in CI
Defintion
rules:
- id: schema-directives
message: The Apollo GraphQL uses the 'schemaDirectives' option. This works in
ApolloServer v2, but does nothing in version >=3. Depending on what the
directives are used for, this can expose authenticated endpoints, disable
rate limiting, and more. See the references on how to create custom
directives in v3 and v4.
languages:
- js
- ts
severity: ERROR
metadata:
category: security
cwe: "CWE-686: Function Call With Incorrect Argument Type"
subcategory:
- vuln
confidence: MEDIUM
likelihood: MEDIUM
impact: HIGH
technology:
- graphql
- apollo-graphql-server
description: Use of outdated ApolloServer option 'schemaDirectives'
references:
- https://www.apollographql.com/docs/apollo-server/schema/directives/#custom-directives
license: AGPL-3.0 license
vulnerability_class:
- Other
pattern-either:
- pattern: |
new ApolloServer({..., schemaDirectives: ..., ...})
Examples
schema-directives.js
// BAD: Has 'schemaDirectives'
//ruleid: schema-directives
const apollo_server_1 = new ApolloServer({
typeDefs,
resolvers,
schemaDirectives: {
rateLimit: rateLimitDirective
},
});
// Good: Does not have 'schemaDirectives'
//ok: schema-directives
const apollo_server_3 = new ApolloServer({
typeDefs,
resolvers,
});
Short Link: https://sg.run/wE2N