trailofbits.javascript.apollo-graphql.v3-csrf-prevention.v3-csrf-prevention
trailofbits
The Apollo GraphQL server is constructed without the 'csrfPrevention' option. In Apollo Server v3 this option defaults to 'false', which can leave the server open to CSRF attacks.
Definition
rules:
  - id: v3-csrf-prevention
    languages:
      - js
      - ts
    message: The Apollo GraphQL server lacks the 'csrfPrevention' option. This
      option is 'false' by the default in v3 of the Apollo GraphQL v3, which can
      enable CSRF attacks.
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
      subcategory:
        - vuln
      confidence: HIGH
      likelihood: MEDIUM
      impact: MEDIUM
      technology:
        - graphql
        - apollo-graphql-server
        - apollo-graphql-server-v3
      description: Lack of CSRF prevention
      references:
        - https://www.apollographql.com/docs/apollo-server/v3/security/cors/#preventing-cross-site-request-forgery-csrf
      license: AGPL-3.0 license
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    patterns:
      - pattern: new ApolloServer({...})
      - pattern-not: |
          new ApolloServer({..., csrfPrevention: true, ...})
Examples
v3-csrf-prevention.ts
// Import and minimal schema added so the file is self-contained; the
// 'apollo-server' package is the v3 entry point this rule targets.
import { ApolloServer, gql } from 'apollo-server';

const typeDefs = gql`
  type Query {
    hello: String
  }
`;
const resolvers = { Query: { hello: () => 'world' } };

// BAD 1: Lacks 'csrfPrevention: true' (v3 default is false)
//ruleid: v3-csrf-prevention
const apollo_server_1 = new ApolloServer({
  typeDefs,
  resolvers,
});

// BAD 2: Has 'csrfPrevention: false' (explicitly disabled)
//ruleid: v3-csrf-prevention
const apollo_server_2 = new ApolloServer({
  typeDefs,
  resolvers,
  csrfPrevention: false,
});

// Good: Has 'csrfPrevention: true'
//ok: v3-csrf-prevention
const apollo_server_3 = new ApolloServer({
  typeDefs,
  resolvers,
  csrfPrevention: true,
});
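To make concrete what the flagged option turns on, the block below is an added, standalone reimplementation of the request-level check that Apollo Server v3 documents for `csrfPrevention` (it is not Apollo's or the rule's own code): an operation may run only if the request carries a Content-Type that is not one of the CORS "simple" types, or a non-empty `x-apollo-operation-name` / `apollo-require-preflight` header, so that a browser would have had to send a CORS preflight. The sample request headers are constructed for illustration.

```javascript
// Added illustration (not Apollo Server code) of the check enabled by
// `csrfPrevention: true` in Apollo Server v3. A request is accepted only
// if a browser could not have sent it cross-origin without a CORS preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);

// Apollo's documented default header list; `csrfPrevention.requestHeaders`
// lets a deployment extend it.
const DEFAULT_PREFLIGHT_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Case-insensitive header lookup over a plain { name: value } object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Returns true when the request passes the CSRF preflight check.
function passesCsrfPreflightCheck(headers, requestHeaders = DEFAULT_PREFLIGHT_HEADERS) {
  const contentType = headerValue(headers, 'content-type');
  if (contentType !== undefined) {
    // Parameters such as "; charset=utf-8" do not change the media type.
    const mediaType = contentType.split(';')[0].trim().toLowerCase();
    // application/json and other non-simple types force a preflight.
    if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return true;
  }
  // A non-empty custom header also forces a preflight, so it is not forgeable
  // by a plain form submission or simple GET.
  return requestHeaders.some((name) => {
    const value = headerValue(headers, name.toLowerCase());
    return typeof value === 'string' && value.trim() !== '';
  });
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  jsonFetch: { 'Content-Type': 'application/json' },
  textPlainPost: { 'Content-Type': 'text/plain;charset=UTF-8' },
  getNoHeaders: {},
  getWithOperationName: { 'x-apollo-operation-name': 'GetViewer' },
  getWithEmptyHeader: { 'apollo-require-preflight': '' },
};

// Evaluates every sample and returns { name: accepted } for inspection.
function evaluateSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, headers]) => [name, passesCsrfPreflightCheck(headers)])
  );
}
```

Only `jsonFetch` and `getWithOperationName` are accepted; the other three are exactly the request shapes a browser can send cross-origin without a preflight, which is why the option matters even when CORS is otherwise configured.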
Short Link: https://sg.run/nEGg