trailofbits.javascript.apollo-graphql.v4-csrf-prevention.v4-csrf-prevention
trailofbits
The Apollo GraphQL server sets the 'csrfPrevention' option to false. Apollo Server 4 enables this protection by default, so explicitly disabling it removes the check that blocks "simple" cross-origin requests and can enable CSRF attacks against the GraphQL endpoint.
Definition
rules:
  - id: v4-csrf-prevention
    languages:
      - js
      - ts
    message: >-
      The Apollo GraphQL server sets the 'csrfPrevention' option to false.
      This can enable CSRF attacks.
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
      subcategory:
        - vuln
      confidence: HIGH
      likelihood: MEDIUM
      impact: MEDIUM
      technology:
        - graphql
        - apollo-graphql-server
        - apollo-graphql-server-v4
      description: CSRF protection disabled
      references:
        - https://www.apollographql.com/docs/apollo-server/v3/security/cors/#preventing-cross-site-request-forgery-csrf
      license: AGPL-3.0 license
      vulnerability_class:
        - Cross-Site Request Forgery (CSRF)
    fix-regex:
      regex: csrfPrevention:\s*false
      replacement: "csrfPrevention: true"
    patterns:
      - pattern: |
          new ApolloServer({..., csrfPrevention: false, ...})
Examples
v4-csrf-prevention.ts
import { ApolloServer } from '@apollo/server';

// Minimal schema so the test file stands on its own; the rule only inspects
// the options object passed to the ApolloServer constructor.
const typeDefs = `#graphql
  type Query {
    hello: String
  }
`;
const resolvers = { Query: { hello: () => 'world' } };

// OK: lacks 'csrfPrevention: true', but on v4 this option is true by default
//ok: v4-csrf-prevention
const apollo_server_1 = new ApolloServer({
  typeDefs,
  resolvers,
});

// Good: has 'csrfPrevention: true' explicitly
//ok: v4-csrf-prevention
const apollo_server_3 = new ApolloServer({
  typeDefs,
  resolvers,
  csrfPrevention: true,
});

// BAD: has 'csrfPrevention: false', which disables the preflight requirement
//ruleid: v4-csrf-prevention
const apollo_server_2 = new ApolloServer({
  typeDefs,
  resolvers,
  csrfPrevention: false,
});
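To make concrete what the flagged option switches off, the following is an added example written for this page; it is not Apollo Server's code and not part of the Trail of Bits rule. It is a simplified model of the request check Apollo Server 4 applies when csrfPrevention is enabled, based on the behaviour described in the Apollo documentation: a request whose Content-Type could not have been sent cross-origin without a CORS preflight is accepted, any other request must carry one of the configured request headers (defaults x-apollo-operation-name and apollo-require-preflight), and everything else is rejected before a resolver runs. The function names (checkCsrfPrevention, preflightWasRequired, evaluate), the sample header sets and their labels are all constructed for the example; only the option shape (boolean or { requestHeaders }) mirrors Apollo Server 4.

```typescript
// Simplified model of Apollo Server 4's csrfPrevention check (added example,
// not the library's implementation). Header names are matched case-insensitively.

type HeaderMap = Record<string, string>;

// CORS "simple" content types: a browser sends these cross-origin with no
// preflight, e.g. from an HTML <form> submission or a mode: "no-cors" fetch().
const SIMPLE_CONTENT_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);

// Apollo's documented default csrfPreventionRequestHeaders.
const DEFAULT_REQUEST_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Shape of the csrfPrevention option in Apollo Server 4.
type CsrfPreventionOption = boolean | { requestHeaders?: string[] };

interface Verdict {
  accepted: boolean;
  reason: string;
}

// "text/plain; charset=utf-8" -> "text/plain"; undefined stays undefined.
function mediaType(contentType: string | undefined): string | undefined {
  return contentType?.split(';')[0].trim().toLowerCase() || undefined;
}

function normalise(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Would the browser have issued a CORS preflight for this request?
// A missing Content-Type (a plain GET) counts as "simple".
export function preflightWasRequired(headers: HeaderMap): boolean {
  const ct = mediaType(normalise(headers)['content-type']);
  return ct !== undefined && !SIMPLE_CONTENT_TYPES.has(ct);
}

export function checkCsrfPrevention(
  headers: HeaderMap,
  csrfPrevention: CsrfPreventionOption = true,
): Verdict {
  if (csrfPrevention === false) {
    // This is the state the Semgrep rule flags: nothing is checked.
    return { accepted: true, reason: 'csrfPrevention disabled: no check performed' };
  }
  if (preflightWasRequired(headers)) {
    return { accepted: true, reason: 'non-simple Content-Type implies a CORS preflight' };
  }
  const required =
    (typeof csrfPrevention === 'object' && csrfPrevention.requestHeaders) || DEFAULT_REQUEST_HEADERS;
  const h = normalise(headers);
  const present = required.find((name) => h[name.toLowerCase()] !== undefined);
  if (present) {
    // A custom header also forces a preflight, so the request is not forgeable.
    return { accepted: true, reason: `custom header ${present} forces a preflight` };
  }
  return { accepted: false, reason: 'simple request without a required header (HTTP 400)' };
}

// Constructed sample requests (headers only; the body is irrelevant to the check).
export const SAMPLE_REQUESTS: Record<string, HeaderMap> = {
  spaJsonPost: { 'Content-Type': 'application/json' },
  forgedFormPost: { 'Content-Type': 'application/x-www-form-urlencoded' },
  forgedNoCorsFetch: { 'Content-Type': 'text/plain; charset=utf-8' },
  forgedGet: {},
  getWithPreflightHeader: { 'apollo-require-preflight': 'true' },
  multipartUpload: {
    'Content-Type': 'multipart/form-data; boundary=xyz',
    'x-apollo-operation-name': 'Upload',
  },
};

// Map each sample request to whether it would reach a resolver under `option`.
export function evaluate(option: CsrfPreventionOption): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = checkCsrfPrevention(headers, option).accepted;
  }
  return out;
}

// With the default (true) the three forged requests are rejected;
// with csrfPrevention: false every one of them is accepted.
console.log('csrfPrevention: true ', evaluate(true));
console.log('csrfPrevention: false', evaluate(false));
```

The three "forged" entries are the request shapes an attacker's page can produce without any CORS cooperation from the GraphQL origin (a form post, a no-cors fetch with text/plain, a bare GET). Under the default they fail the check and never execute an operation; under csrfPrevention: false they all go through, which is why the rule reports the option at ERROR severity. The multipart case shows the supported way to keep file uploads working without disabling the protection: send one of the request headers instead.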
Short Link: https://sg.run/Eb1P