trailofbits.javascript.apollo-graphql.use-of-graphql-upload.use-of-graphql-upload

profile photo of trailofbitstrailofbits
Author
unknown
Download Count*
CC BY-NC-SA 4.0
License

The Apollo GraphQL server is using the graphql-upload library. This library allows file uploads using POSTs with content-type: multipart/form-data, which can enable to CSRF attacks. Ensure that you are enabling CSRF protection if you really need to use graphql-upload .

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: use-of-graphql-upload
    languages:
      - js
      - ts
    message: "The Apollo GraphQL server is using the graphql-upload library. This
      library allows file uploads using POSTs with content-type:
      multipart/form-data, which can enable to CSRF attacks. Ensure that you are
      enabling CSRF protection if you really need to use graphql-upload ."
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
      subcategory:
        - vuln
      confidence: LOW
      likelihood: MEDIUM
      impact: MEDIUM
      technology:
        - graphql
        - apollo-graphql-server
      description: Use of the graphql-upload library
      references:
        - https://github.com/apollographql/apollo-server/security/advisories/GHSA-2p3c-p3qw-69r4
      license: AGPL-3.0 license
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    patterns:
      - pattern: app.use(graphqlUploadExpress());

Examples

use-of-graphql-upload.js

//ruleid: use-of-graphql-upload
app.use(graphqlUploadExpress());