trailofbits.javascript.apollo-graphql.v4-csrf-prevention.v4-csrf-prevention


The Apollo GraphQL server sets the 'csrfPrevention' option to false. This can enable CSRF attacks.


Definition

rules:
  - id: v4-csrf-prevention
    languages:
      - js
      - ts
    message: The Apollo GraphQL server sets the 'csrfPrevention' option to false.
      This can enable CSRF attacks.
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
      subcategory:
        - vuln
      confidence: HIGH
      likelihood: MEDIUM
      impact: MEDIUM
      technology:
        - graphql
        - apollo-graphql-server
        - apollo-graphql-server-v4
      description: CSRF protection disabled
      references:
        - https://www.apollographql.com/docs/apollo-server/v3/security/cors/#preventing-cross-site-request-forgery-csrf
      license: AGPL-3.0 license
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    # fix-regex is a rule-level key in the Semgrep rule schema; nested under
    # metadata it is ignored and no autofix is offered
    fix-regex:
      regex: csrfPrevention:\s*false
      replacement: "csrfPrevention: true"
    patterns:
      - pattern: |
          new ApolloServer({..., csrfPrevention: false, ...})

Examples

v4-csrf-prevention.ts

import { ApolloServer } from "@apollo/server";

// Minimal schema so each server below can be constructed on its own
const typeDefs = `#graphql
    type Query { hello: String }
`;
const resolvers = { Query: { hello: () => "world" } };

// OK: Lacks 'csrfPrevention: true', but on v4 this option is true by default
//ok: v4-csrf-prevention
const apollo_server_1 = new ApolloServer({
    typeDefs,
    resolvers,
});

// Good: Has 'csrfPrevention: true'
//ok: v4-csrf-prevention
const apollo_server_3 = new ApolloServer({
    typeDefs,
    resolvers,
    csrfPrevention: true,
});

// BAD: Has 'csrfPrevention: false'
//ruleid: v4-csrf-prevention
const apollo_server_2 = new ApolloServer({
    typeDefs,
    resolvers,
    csrfPrevention: false,
});
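What the flagged option actually enforces, as an added TypeScript model that is not Apollo's own code: the per-request check Apollo Server runs when csrfPrevention is on, following the referenced CORS doc. The function and constant names (shouldRejectAsCsrfRisk, SIMPLE_CONTENT_TYPES, DEFAULT_REQUIRE_PREFLIGHT_HEADERS, HeaderMap) are ours; the three "simple" content types come from the CORS rules and the two header names are Apollo's documented defaults.

```typescript
// Added example (not Apollo's own code): a model of the per-request check
// that Apollo Server performs when csrfPrevention is enabled.
// A browser skips the CORS preflight only for "simple" requests, whose
// Content-Type (parameters aside, e.g. "text/plain;charset=UTF-8") is one of:
const SIMPLE_CONTENT_TYPES = new Set([
  "text/plain",
  "application/x-www-form-urlencoded",
  "multipart/form-data",
]);

// Custom headers force a preflight. Apollo's documented defaults
// (csrfPrevention.requestHeaders) are these two; the name of the
// constant is ours.
const DEFAULT_REQUIRE_PREFLIGHT_HEADERS = [
  "x-apollo-operation-name",
  "apollo-require-preflight",
];

type HeaderMap = Record<string, string | undefined>;

// Media-type essence: strip parameters, normalise case.
function mediaType(contentType: string | undefined): string | undefined {
  if (contentType === undefined) return undefined;
  return contentType.split(";")[0].trim().toLowerCase();
}

// True when the request could have been sent cross-site with no preflight,
// i.e. what the server must reject (HTTP 400) under CSRF prevention.
// A missing Content-Type (a plain GET) is treated as simple too.
function shouldRejectAsCsrfRisk(
  headers: HeaderMap,
  requirePreflightHeaders: string[] = DEFAULT_REQUIRE_PREFLIGHT_HEADERS,
): boolean {
  const lower: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  const type = mediaType(lower["content-type"]);
  // A non-simple Content-Type (e.g. application/json) already needed a preflight.
  if (type !== undefined && !SIMPLE_CONTENT_TYPES.has(type)) return false;
  // Otherwise require a non-empty preflight-triggering header.
  const hasPreflightHeader = requirePreflightHeaders.some((h) => {
    const v = lower[h.toLowerCase()];
    return typeof v === "string" && v.length > 0;
  });
  return !hasPreflightHeader;
}
```

With csrfPrevention: false none of this runs, so a cross-site page can POST a text/plain body carrying a GraphQL operation with the victim's cookies attached; with it on, the same request is rejected before any resolver executes.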