Headline
GHSA-733v-p3h5-qpq7: GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation
Summary
A query cost restriction using the cost-limit can be bypassed if ignoreIntrospection is enabled (which is the default configuration) by naming your query/fragment __schema.
Details
At the start of the computeComplexity function, we have the following check for ignoreIntrospection option:
if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') {
return 0;
}
However, the node can be FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode
So, for example, sending the following query
query hello {
books {
title
}
}
would create an OperationDefinitionNode with node.name.value == 'hello'
The proper way to handle this would be to check for the __schema field, which would create a FieldNode.
The fix is
if (
this.config.ignoreIntrospection &&
'name' in node &&
node.name?.value === '__schema' &&
node.kind === Kind.FIELD
) {
return 0;
}
to assert that the node must be a FieldNode
PoC
query {
...__schema
}
fragment __schema on Query {
books {
title
author
}
}
query __schema {
books {
title
author
}
}
Impact
Applications using GraphQL Armor Cost Limit plugin with ignoreIntrospection enabled.
Fix:
Fixed on 772. A quick patch would be to set ignoreIntrospection to false.
Summary
A query cost restriction using the cost-limit can be bypassed if ignoreIntrospection is enabled (which is the default configuration) by naming your query/fragment __schema.
Details
At the start of the computeComplexity function, we have the following check for ignoreIntrospection option:
if (this.config.ignoreIntrospection && 'name' in node && node.name?.value \=== '\_\_schema') {
return 0;
}
However, the node can be FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode
So, for example, sending the following query
query hello { books { title } }
would create an OperationDefinitionNode with node.name.value == ‘hello’
The proper way to handle this would be to check for the __schema field, which would create a FieldNode.
The fix is
if (
this.config.ignoreIntrospection &&
'name' in node &&
node.name?.value \=== '\_\_schema' &&
node.kind \=== Kind.FIELD
) {
return 0;
}
to assert that the node must be a FieldNode
PoC
query { …__schema }
fragment __schema on Query { books { title author } }
query __schema { books { title author } }
Impact
Applications using GraphQL Armor Cost Limit plugin with ignoreIntrospection enabled.
Fix:
Fixed on 772. A quick patch would be to set ignoreIntrospection to false.
References
- GHSA-733v-p3h5-qpq7
- Escape-Technologies/graphql-armor#772
- Escape-Technologies/graphql-armor@5a32954