trailofbits.javascript.apollo-graphql.v3-csrf-prevention.v3-csrf-prevention

Author
unknown
The Apollo GraphQL server lacks the 'csrfPrevention' option. This option defaults to 'false' in Apollo Server v3, which can allow CSRF attacks.


Definition

rules:
  - id: v3-csrf-prevention
    languages:
      - js
      - ts
    message: The Apollo GraphQL server lacks the 'csrfPrevention' option. This
      option defaults to 'false' in Apollo Server v3, which can allow CSRF
      attacks.
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
      subcategory:
        - vuln
      confidence: HIGH
      likelihood: MEDIUM
      impact: MEDIUM
      technology:
        - graphql
        - apollo-graphql-server
        - apollo-graphql-server-v3
      description: Lack of CSRF prevention
      references:
        - https://www.apollographql.com/docs/apollo-server/v3/security/cors/#preventing-cross-site-request-forgery-csrf
      license: AGPL-3.0 license
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    patterns:
      - pattern: new ApolloServer({...})
      - pattern-not: |
          new ApolloServer({..., csrfPrevention: true, ...})

Examples

v3-csrf-prevention.ts

import { ApolloServer, gql } from 'apollo-server';

// Minimal schema and resolvers so the file compiles; the rule only inspects
// the options object passed to the ApolloServer constructor.
const typeDefs = gql`
  type Query {
    hello: String
  }
`;
const resolvers = { Query: { hello: () => 'world' } };

// BAD 1: Lacks 'csrfPrevention: true' (v3 default is false)
//ruleid: v3-csrf-prevention
const apollo_server_1 = new ApolloServer({
    typeDefs,
    resolvers,
});

// BAD 2: Has 'csrfPrevention: false' (explicitly disabled)
//ruleid: v3-csrf-prevention
const apollo_server_2 = new ApolloServer({
    typeDefs,
    resolvers,
    csrfPrevention: false,
});

// Good: Has 'csrfPrevention: true'
//ok: v3-csrf-prevention
const apollo_server_3 = new ApolloServer({
    typeDefs,
    resolvers,
    csrfPrevention: true,
});
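To make concrete what 'csrfPrevention: true' actually enforces, the following is an added JavaScript example, not code from the rule or from Apollo Server itself. It reconstructs the request check Apollo Server v3 applies when the option is on: an operation only executes if its Content-Type would force a CORS preflight, or if it carries one of the default 'apollo-require-preflight' / 'x-apollo-operation-name' headers. The sample requests are constructed for illustration.

```javascript
// Media types a browser sends without a CORS preflight ("simple" requests).
// A cross-origin page can fire these at a GraphQL endpoint via a plain <form>
// or fetch() without the server ever seeing an OPTIONS request.
const SIMPLE_CONTENT_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);

// Default value of csrfPrevention.requestHeaders in Apollo Server 3.7+.
// Any custom header forces a preflight, so its presence proves CORS ran.
const DEFAULT_REQUEST_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Strip parameters such as ";charset=UTF-8" and normalise case.
function mediaTypeOf(contentType) {
  if (!contentType) return null;
  return contentType.split(';')[0].trim().toLowerCase();
}

// True when the browser must have sent a preflight before this request.
function requiresPreflight(headers, requestHeaders = DEFAULT_REQUEST_HEADERS) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  const mediaType = mediaTypeOf(lower['content-type']);
  // Non-simple Content-Type (e.g. application/json) always triggers a preflight.
  if (mediaType !== null && !SIMPLE_CONTENT_TYPES.has(mediaType)) return true;
  // Otherwise require one of the preflight-forcing headers.
  return requestHeaders.some((h) => lower[h.toLowerCase()] !== undefined);
}

// Mirrors Apollo's decision: execute the operation or reject it with 400.
function shouldExecuteOperation(req) {
  return requiresPreflight(req.headers);
}

// Constructed sample requests covering the cases the option distinguishes.
const SAMPLE_REQUESTS = {
  jsonPost: { method: 'POST', headers: { 'Content-Type': 'application/json' } },
  formPost: { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  textPost: { method: 'POST', headers: { 'content-type': 'text/plain;charset=UTF-8' } },
  bareGet: { method: 'GET', headers: {} },
  getWithHeader: { method: 'GET', headers: { 'Apollo-Require-Preflight': 'true' } },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(`${name}: ${shouldExecuteOperation(req) ? 'execute' : 'reject (400)'}`);
}
```

The blocked cases are exactly the requests a cross-site page can issue without a preflight, which is why leaving the option at its v3 default of false exposes mutations to CSRF even when CORS is otherwise configured.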