├── .gitignore
├── README.md
├── implementations
│   ├── agoo.md
│   ├── apollo.md
│   ├── ariadne.md
│   ├── dgraph.md
│   ├── diana.md
│   ├── directus.md
│   ├── gql-dart.md
│   ├── gqlgen.md
│   ├── graphene.md
│   ├── graphql-api-for-wp.md
│   ├── graphql-dotnet.md
│   ├── graphql-go.md
│   ├── graphql-java.md
│   ├── graphql-php.md
│   ├── graphql-ruby.md
│   ├── graphql-yoga.md
│   ├── hasura.md
│   ├── juniper.md
│   ├── lighthouse.md
│   ├── sangria.md
│   ├── strawberry.md
│   ├── tartiflette.md
│   ├── template.md
│   └── wp-graphql.md
└── static
    ├── graphql-threat-matrix-v1.png
    └── graphql-threat-matrix.png

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# GraphQL Threat Matrix
## Why graphql-threat-matrix?
[graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) was built for bug bounty hunters, security researchers and hackers to assist with uncovering vulnerabilities across multiple GraphQL implementations.

The differences in how GraphQL implementations interpret and conform to the GraphQL specification may lead to security gaps and unique attack vectors. By analyzing and comparing the factors that drive the security risks across different implementations, the GraphQL ecosystem can make safer deployment decisions as well as collectively advance the security maturity of all implementations.

**Legend**
- ✅ - Enabled by Default
- ⚠️ - Disabled by Default
- ❌ - No Support

| Implementation | Validations | Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|---|---|
| wp-graphql | 38 | | | | | | | |
| graphql-php | 37 | | | | | | | |
| graphql-api-for-wp | 37 | | | | | | | |
| Apollo | 34 | | | | | | | |
| graphql-yoga | 34 | | | | | | | |
| graphene | 34 | | | | | | | |
| Ariadne | 34 | | | | | | | |
| Strawberry | 34 | | | | | | | |
| graphql-dotnet | 29 | | | | | | | |
| graphql-ruby | 28 | | | | | | | |
| Sangria | 27 | | | | | | | |
| Tartiflette | 26 | | | | | | | |
| graphql-java | 26 | | | | | | | |
| gqlgen | 25 | | | | | | | |
| Dgraph | 25 | | | | | | | |
| graphql-go | 24 | | | | | | | |
| juniper | 24 | | | | | | | |
| Diana.jl | 10 | | | | | | | |
| gql-dart/gql | 9 | | | | | | | |
| Agoo | 1 | | | | | | | |
| Lighthouse | 1 | | | | | | | |

## For Penetration Testers
Use [graphw00f](https://github.com/dolevf/graphw00f) to fingerprint a target GraphQL API and determine the backend implementation.

## Want to provide a submission (or correction)?
Interested in contributing? Found a discrepancy? Please create a GitHub issue or PR with your details.

## Contributors & Maintainers
- [Nick Aleks](https://github.com/nicholasaleks)
- [Dolev Farhi](https://github.com/dolevf)

--------------------------------------------------------------------------------
/implementations/agoo.md:
--------------------------------------------------------------------------------
# Agoo

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language:
- [Ruby](https://www.ruby-lang.org/en/)
- [C](http://www.open-std.org/jtc1/sc22/wg14/)

Source: [https://github.com/ohler55/agoo](https://github.com/ohler55/agoo)\
Documentation: [https://rubydoc.info/gems/agoo](https://rubydoc.info/gems/agoo)

## Security Considerations
Agoo provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ❌ No Support | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support |

## Request Validations
Total Validation Count: **1**

Agoo validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | | | | Fragment Cycles | | | | |

## Notable Vulnerabilities

| CVE ID | Date | Score | Description |
|---|---|---|---|
| CVE-2022-30288 | 2022-05-03 | 7.5 | Agoo versions 2.11.1 and below do not support request validations, meaning cyclic fragment requests lead to unbounded results, causing instances of Agoo to crash. |
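The vulnerability above is what the "No Fragment Cycles" validation (listed for most other implementations in this matrix) prevents, and it is also why a "Query Depth Limit" on its own is not enough: a fragment that spreads itself has no finite depth, so the cycle check has to run first. The following Python module is an added, stand-alone illustration of both checks; it is not code from graphql-threat-matrix, Agoo or any other implementation listed here. It assumes a simplified GraphQL grammar (regex tokenizing after strings and comments are stripped; variable defaults containing braces are not handled), and the two sample documents are constructed for this example.

```python
import re

# Simplified lexing (assumption: the common subset of the GraphQL grammar).
# Strings and comments are removed first so braces inside them cannot
# confuse the brace matcher or hide/fake a fragment spread.
_BLOCK_STRING = re.compile(r'"""[\s\S]*?"""')
_STRING = re.compile(r'"(?:\\.|[^"\\\n])*"')
_COMMENT = re.compile(r'#[^\n]*')
_FRAGMENT_DEF = re.compile(r'\bfragment\s+([_A-Za-z][_0-9A-Za-z]*)\s+on\s+[_A-Za-z][_0-9A-Za-z]*')
_OPERATION = re.compile(r'\b(query|mutation|subscription)\b(?:\s+([_A-Za-z][_0-9A-Za-z]*))?')
# One token at a time: opening brace, closing brace, or a fragment spread.
_TOKEN = re.compile(r'\{|\}|\.\.\.\s*([_A-Za-z][_0-9A-Za-z]*)')


def strip_noise(doc):
    doc = _BLOCK_STRING.sub(' ', doc)
    doc = _STRING.sub(' ', doc)
    return _COMMENT.sub(' ', doc)


def _matching_brace(text, open_idx):
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in document")


def parse_document(doc):
    """Return ([(operation_name, body), ...], {fragment_name: body});
    a body is the text inside a definition's outermost braces."""
    clean = strip_noise(doc)
    operations, fragments = [], {}
    pos = 0
    while (open_idx := clean.find('{', pos)) != -1:
        close_idx = _matching_brace(clean, open_idx)
        prefix, body = clean[pos:open_idx], clean[open_idx + 1:close_idx]
        frag = _FRAGMENT_DEF.search(prefix)
        if frag:
            fragments[frag.group(1)] = body
        else:
            op = _OPERATION.search(prefix)
            operations.append(((op and op.group(2)) or "<anonymous>", body))
        pos = close_idx + 1
    return operations, fragments


def fragment_graph(fragments):
    """Map each fragment to the fragments it spreads (`... on Type` is inline, not a spread)."""
    return {name: {m.group(1) for m in _TOKEN.finditer(body) if m.group(1) and m.group(1) != "on"}
            for name, body in fragments.items()}


def find_cycles(graph):
    """Depth-first search; each cycle is a path that starts and ends on the same fragment."""
    cycles, state, path = [], {}, []

    def visit(name):
        state[name] = "active"
        path.append(name)
        for nxt in sorted(graph.get(name, ())):
            if state.get(nxt) == "active":
                cycles.append(path[path.index(nxt):] + [nxt])
            elif nxt not in state:
                visit(nxt)
        path.pop()
        state[name] = "done"

    for name in sorted(graph):
        if name not in state:
            visit(name)
    return cycles


def selection_depth(body, fragments, active=()):
    """Nested selection levels in `body` with spreads expanded; raises on a cycle."""
    level = deepest = 0
    for tok in _TOKEN.finditer(body):
        if tok.group(0) == '{':
            level += 1
            deepest = max(deepest, level)
        elif tok.group(0) == '}':
            level -= 1
        else:
            name = tok.group(1)
            if name == "on" or name not in fragments:
                continue
            if name in active:
                raise ValueError(f"fragment cycle through {name!r}")
            # A spread merges the fragment's top-level fields into the current level.
            deepest = max(deepest, level + selection_depth(fragments[name], fragments, active + (name,)) - 1)
    return deepest + 1


def validate(doc, max_depth):
    """Reject cyclic fragments first (their depth is unbounded), then enforce the depth limit."""
    operations, fragments = parse_document(doc)
    errors = [f'Cannot spread fragment "{c[0]}" within itself (cycle: {" -> ".join(c)}).'
              for c in find_cycles(fragment_graph(fragments))]
    if errors:
        return errors
    for name, body in operations:
        depth = selection_depth(body, fragments)
        if depth > max_depth:
            errors.append(f'Operation "{name}" has depth {depth}, which exceeds the limit of {max_depth}.')
    return errors


# Constructed sample documents (not taken from any real API).
SAFE_DOC = """
query Profile($id: ID!) {
  user(id: $id) {
    ...UserFields
    ... on User { email }        # inline fragment, not a spread
  }
}
fragment UserFields on User { id friends { ...FriendFields } }
fragment FriendFields on User {
  name(format: "{last}, {first}")   # braces inside a string are ignored
  # ...UserFields  (commented out, so this is not a cycle)
}
"""

CYCLIC_DOC = """
query Profile { user { ...UserFields } }
fragment UserFields on User { id friends { ...FriendFields } }
fragment FriendFields on User { name ...UserFields }
"""
```

`validate(SAFE_DOC, 3)` returns no errors (the expanded query is three levels deep), `validate(SAFE_DOC, 2)` reports the depth, and `validate(CYCLIC_DOC, 10)` reports the `FriendFields -> UserFields -> FriendFields` cycle without ever attempting to expand it. Running this kind of check before execution, and logging each rejection, is the cheap defensive counterpart to the gap described in the CVE above.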

## Security Disclosure
https://github.com/ohler55/agoo/blob/develop/SECURITY.md

--------------------------------------------------------------------------------
/implementations/apollo.md:
--------------------------------------------------------------------------------
# Apollo

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [javascript](https://www.javascript.com/)\
Source: [https://github.com/apollographql/apollo-server](https://github.com/apollographql/apollo-server)\
Documentation: [https://www.apollographql.com/docs/apollo-server/](https://www.apollographql.com/docs/apollo-server/)

## Security Considerations
Apollo provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default (Supported via External Libraries) | ⚠️ Disabled by Default (Supported via External Libraries) | ⚠️ Disabled by Default | ✅ Enabled if NODE_ENV is not set to 'production' | ✅ exception.stacktrace exists if NODE_ENV is not set to 'production' or 'test' | ✅ Enabled by Default |

## Request Validations
Total Validation Count: **34**

Apollo is based on [graphql-js](https://github.com/graphql/graphql-js) which validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Executable Definitions | Lone Anonymous Operation | Fields On Correct Type | Known Argument Names | Fragments On Composite Types | Known Type Names | Known Directives | No Undefined Variables | |
| Lone Schema Definition | Unique Operation Names | Overlapping Fields Can Be Merged | Provided Required Arguments | Known Fragment Names | Possible Type Extensions | Unique Directive Names | No Unused Variables | |
| Unique Operation Types | Single Field Subscriptions | Scalar Leafs | Unique Argument Definition Names | No Fragment Cycles | Unique Enum Value Names | Unique Directives Per Location | Unique Variable Names | |
| | | Unique Field Definition Names | Unique Argument Names | No Unused Fragments | Unique Type Names | | Variables Are Input Types | |
| | | | | Possible Fragment Spreads | Values Of Correct Type | | Variables In Allowed Position | |
| | | | | Unique Fragment Names | Unique Input Field Names | | | |

## Notable Vulnerabilities

| CVE ID | Date | Score | Description |
|---|---|---|---|
| CVE-2021-41249 | 2021-11-04 | 7.1 | Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server) |
| - | 2020-05-04 | Moderate | Schema validation rules are not passed to the subscription server, including rules that restrict introspection |

## Security Disclosure
security@apollographql.com

--------------------------------------------------------------------------------
/implementations/ariadne.md:
--------------------------------------------------------------------------------
# ariadne

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [python](https://www.python.org/)\
Source:
- [https://github.com/mirumee/ariadne](https://github.com/mirumee/ariadne)
- [https://github.com/graphql-python/graphql-core](https://github.com/graphql-python/graphql-core)

Documentation: [https://ariadnegraphql.org/](https://ariadnegraphql.org/)

## Security Considerations
ariadne provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support |

## Request Validations
Total Validation Count: **34**

ariadne is based on [graphql-core](https://github.com/graphql-python/graphql-core) which validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Executable Definitions | Lone Anonymous Operation | Fields On Correct Type | Known Argument Names | Fragments On Composite Types | Known Type Names | Known Directives | No Undefined Variables | |
| Lone Schema Definition | Unique Operation Names | Overlapping Fields Can Be Merged | Provided Required Arguments | Known Fragment Names | Possible Type Extensions | Unique Directive Names | No Unused Variables | |
| Unique Operation Types | Single Field Subscriptions | Scalar Leafs | Unique Argument Definition Names | No Fragment Cycles | Unique Enum Value Names | Unique Directives Per Location | Unique Variable Names | |
| | | Unique Field Definition Names | Unique Argument Names | No Unused Fragments | Unique Type Names | | Variables Are Input Types | |
| | | | | Possible Fragment Spreads | Values Of Correct Type | | Variables In Allowed Position | |
| | | | | Unique Fragment Names | Unique Input Field Names | | | |

## Security Disclosure
https://github.com/mirumee/ariadne/discussions/

--------------------------------------------------------------------------------
/implementations/dgraph.md:
--------------------------------------------------------------------------------
# Dgraph

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [go](https://go.dev/)\
Source:
- [https://github.com/dgraph-io/dgraph](https://github.com/dgraph-io/dgraph)
- [https://github.com/dgraph-io/gqlparser](https://github.com/dgraph-io/gqlparser)

Documentation: [https://dgraph.io/docs/](https://dgraph.io/docs/)

## Security Considerations
Dgraph provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ❌ No Support | ❌ No Support | ⚠️ Disabled by Default | ✅ Enabled by Default | ❌ No Support | ❌ No Support |

## Request Validations
Total Validation Count: **25**

Dgraph is based on [gqlparser](https://github.com/dgraph-io/gqlparser) which validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | Lone Anonymous Operation | Fields on Correct Type | Known Argument Names | Fragments on Composite Types | Known Type Names | Known Directives | No Undefined Variables | |
| | Unique Operation Names | Overlapping Fields can be Merged | Provided Required Arguments | Known Fragment Names | Unique Input Field Names | Unique Directives per Location | No Unused Variables | |
| | Single Field Subscriptions | Scalar Leafs | Unique Argument Names | No Fragment Cycles | Values of Correct Type | | Unique Variable Names | |
| | | | | No Unused Fragments | | | Variables are Input Types | |
| | | | | Possible Fragment Spreads | | | Variables in Allowed Position | |
| | | | | Unique Fragment Names | | | | |

## Security Disclosure
contact@dgraph.io

--------------------------------------------------------------------------------
/implementations/diana.md:
--------------------------------------------------------------------------------
# Diana.jl

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [julia](https://julialang.org/)\
Source: [https://github.com/neomatrixcode/Diana.jl](https://github.com/neomatrixcode/Diana.jl)\
Documentation: [https://diana.nicepage.io/](https://diana.nicepage.io/)

## Security Considerations
Diana.jl provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **10**

Diana.jl validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Not Extension On Operation | Operation Names | | | Fragment Subscription | | | | |
| Not Type on Operation | Operation Anonymous | | | Fragment Names | | | | |
| Not Schema on Operation | Subscription Fields | | | Fragment Unknown Not Used | | | | |
| | | | | Fragment Cycles | | | | |

## Security Disclosure
https://github.com/neomatrixcode/Diana.jl/issues

--------------------------------------------------------------------------------
/implementations/directus.md:
--------------------------------------------------------------------------------
# directus

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [javascript](https://www.javascript.com/)\
Source: [https://github.com/directus/directus](https://github.com/directus/directus)\
Documentation: [https://directus.io/](https://directus.io/)

## Security Considerations
directus provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support |

## Request Validations
Total Validation Count: **7**

directus validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | | | | | | | | Validate Query |
| | | | | | | | | Validate Filter |
| | | | | | | | | Validate Filter Primitive |
| | | | | | | | | Validate List |
| | | | | | | | | Validate Boolean |
| | | | | | | | | Validate Geometry |
| | | | | | | | | Validate Alias |

## Security Disclosure
security@directus.io

--------------------------------------------------------------------------------
/implementations/gql-dart.md:
--------------------------------------------------------------------------------
# gql-dart/gql

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [dart](https://dart.dev/)\
Source: [https://github.com/gql-dart/gql](https://github.com/gql-dart/gql)

## Security Considerations
gql-dart/gql provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ❌ No Support |

## Request Validations
Total Validation Count: **9**

gql-dart/gql validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Lone Schema Definition | | Unique Field Definition Names | Unique Argument Names | Missing Fragment Definitions | Unique Input Field Names | Unique Directive Names | | |
| Unique Operation Types | | | | | Unique Type Names | | | |
| | | | | | Unique Enum Value Names | | | |

## Security Disclosure
https://github.com/gql-dart/gql/issues

--------------------------------------------------------------------------------
/implementations/gqlgen.md:
--------------------------------------------------------------------------------
# gqlgen

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [go](https://go.dev/)\
Source:
- [https://github.com/99designs/gqlgen](https://github.com/99designs/gqlgen)
- [https://github.com/vektah/gqlparser](https://github.com/vektah/gqlparser)

Documentation: [https://gqlgen.com/](https://gqlgen.com/)

## Security Considerations
gqlgen provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **25**

gqlgen is based on [gqlparser](https://github.com/dgraph-io/gqlparser) which validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | Lone Anonymous Operation | Fields on Correct Type | Known Argument Names | Fragments on Composite Types | Known Type Names | Known Directives | No Undefined Variables | |
| | Unique Operation Names | Overlapping Fields can be Merged | Provided Required Arguments | Known Fragment Names | Unique Input Field Names | Unique Directives per Location | No Unused Variables | |
| | Single Field Subscriptions | Scalar Leafs | Unique Argument Names | No Fragment Cycles | Values of Correct Type | | Unique Variable Names | |
| | | | | No Unused Fragments | | | Variables are Input Types | |
| | | | | Possible Fragment Spreads | | | Variables in Allowed Position | |
| | | | | Unique Fragment Names | | | | |

## Security Disclosure
https://github.com/99designs/gqlgen/issues

--------------------------------------------------------------------------------
/implementations/graphene.md:
--------------------------------------------------------------------------------
# graphene

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [python](https://www.python.org/)\
Source:
- [https://github.com/graphql-python/graphene](https://github.com/graphql-python/graphene)
- [https://github.com/graphql-python/graphql-core](https://github.com/graphql-python/graphql-core)

Documentation: [https://graphene-python.org/](https://graphene-python.org/)

## Security Considerations
graphene provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **34**

graphene is based on [graphql-core](https://github.com/graphql-python/graphql-core) which validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Executable Definitions | Lone Anonymous Operation | Fields On Correct Type | Known Argument Names | Fragments On Composite Types | Known Type Names | Known Directives | No Undefined Variables | |
| Lone Schema Definition | Unique Operation Names | Overlapping Fields Can Be Merged | Provided Required Arguments | Known Fragment Names | Possible Type Extensions | Unique Directive Names | No Unused Variables | |
| Unique Operation Types | Single Field Subscriptions | Scalar Leafs | Unique Argument Definition Names | No Fragment Cycles | Unique Enum Value Names | Unique Directives Per Location | Unique Variable Names | |
| | | Unique Field Definition Names | Unique Argument Names | No Unused Fragments | Unique Type Names | | Variables Are Input Types | |
| | | | | Possible Fragment Spreads | Values Of Correct Type | | Variables In Allowed Position | |
| | | | | Unique Fragment Names | Unique Input Field Names | | | |

## Security Disclosure
https://github.com/graphql-python/graphene/issues

--------------------------------------------------------------------------------
/implementations/graphql-api-for-wp.md:
--------------------------------------------------------------------------------
# GraphQL API for WordPress

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [php](https://www.php.net/)\
Source: [https://github.com/leoloso/PoP](https://github.com/leoloso/PoP)\
Documentation: [https://graphql-api.com/](https://graphql-api.com/)

## Security Considerations
GraphQL API for WordPress provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ⚠️ Disabled by Default | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ✅ Enabled by Default | ⚠️ Disabled by Default | ✅ Enabled by Default |

## Request Validations
Total Validation Count: **37**

GraphQL API for WordPress validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| (Executable Definitions) | Lone Anonymous Operation | Fields on Correct Type | Known Argument Names | Fragments On Composite Types | Known Type Names | Known Directives | No Undefined Variables | Disable Single Endpoint, Obfuscate Endpoint Path |
| (Lone Schema Definition) | Unique Operation Names | Unique Input Field Names | Known Argument Names On Directives | Known Fragment Names | (Possible Type Extensions) | Repeatable Directives | No Unused Variables | Disable Introspection |
| | Known Operation Names | Leaf Field Selections | Provided Required Arguments | No Fragment Cycles | Unique Enum Value Names | A Directive's Behavior Can Be Modified By At Most 1 Other Directive | Unique Variable Names | Dynamic Variable Has Value Exported |
| | Operation Name Provided When Multiple Operations in Document | | Unique Argument Names | No Unused Fragments | Values Of Correct Type | | Variables In Allowed Position | Enum Value Must Be String |
| | Operation Provided In Document | | Provided Required Arguments On Directives | Possible Fragment Spreads | Provided Required Inputs On Input Objects | | | No Field Or Directive Was Found With Required Version Constraint |
| | | | @oneOf Input Object Must Receive Exactly 1 Input Value (Spec RFC Stage 2) | Unique Fragment Names | Enum Value is Not Valid | | | |

## Security Disclosure
https://graphql-api.com/contact/

--------------------------------------------------------------------------------
/implementations/graphql-dotnet.md:
--------------------------------------------------------------------------------
# graphql-dotnet

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [C#](https://dotnet.microsoft.com/en-us/languages/csharp)\
Source: [https://github.com/graphql-dotnet/graphql-dotnet](https://github.com/graphql-dotnet/graphql-dotnet)\
Documentation: [https://graphql-dotnet.github.io/docs/getting-started/introduction/](https://graphql-dotnet.github.io/docs/getting-started/introduction/)

## Security Considerations
graphql-dotnet provides the following features which should be taken into consideration:

Field SuggestionsQuery Depth LimitQuery Cost AnalysisAutomatic Persisted QueriesIntrospectionDebug ModeBatch Requests

Enabled by Default
⚠️
Disabled by Default
⚠️
Disabled by Default

No Support

Enabled by Default

No Support
⚠️
Disabled by Default
38 | 39 | ## Request Validations 40 | Total Validation Count: **29** 41 | 42 | GraphQL.NET validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |
Document ValidationsOperation ValidationsField ValidationsArgument ValidationsFragment ValidationsValue ValidationsDirective ValidationsVariable ValidationsMisc. Validations
Lone Anonymous OperationFields On Correct TypeArguments Of Correct TypeFragments On Composite TypesDefault Values Of Correct TypeKnown Directives In Allowed LocationsUnique Variable NamesInput Fields And Arguments Of Correct Length
Unique Operation NamesOverlapping Fields Can Be MergedKnown Argument NamesKnown Fragment NamesKnown Type NamesUnique Directives Per LocationVariables Are Input TypesNo Introspection Validation Rule
Scalar LeafsProvided Non Null ArgumentsNo Fragment CyclesNo Undefined VariablesComplexity Validation Rule
Single Root Field SubscriptionsUnique Argument NamesNo Unused FragmentsNo Unused Variable
Unique Input Field NamesPossible Fragment SpreadsVariables In Allowed Position
Unique Fragment Names
## Security Disclosure
https://github.com/graphql-dotnet/graphql-dotnet/issues

--------------------------------------------------------------------------------
/implementations/graphql-go.md:
--------------------------------------------------------------------------------

# graphql-go

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [go](https://go.dev/)\
Source: [https://github.com/graphql-go/graphql](https://github.com/graphql-go/graphql)\
Documentation: [https://pkg.go.dev/github.com/graphql-go/graphql](https://pkg.go.dev/github.com/graphql-go/graphql)

## Security Considerations
graphql-go provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support |

## Request Validations
Total Validation Count: **24**

graphql-go validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | Lone Anonymous Operation | Fields on Correct Type | Arguments of Correct Type | Fragments on Composite Types | Default Value of Correct Type | Known Directives | No Undefined Variables | |
| | Unique Operation Names | Overlapping Fields Can Be Merged | Known Argument Names | Known Fragment Names | Known Type Names | | No Unused Variables | |
| | | Scalar Leafs | Provided Non Null Arguments | No Unused Fragments | | | Unique Variable Names | |
| | | Unique Input Field Names | Unique Argument Name | Possible Fragment Spreads | | | Variables Are Input Types | |
| | | | | Unique Fragment Names | | | Variables In Allowed Position | |
| | | | | No Fragment Cycles | | | | |
## Security Disclosure
Report the issue to @pavelnikolov and/or @tony in the Gophers Slack in a private message.

--------------------------------------------------------------------------------
/implementations/graphql-java.md:
--------------------------------------------------------------------------------

# graphql-java

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [java](https://www.oracle.com/java/)\
Source: [https://github.com/graphql-java/graphql-java](https://github.com/graphql-java/graphql-java)\
Documentation: [https://www.graphql-java.com/](https://www.graphql-java.com/)

## Security Considerations
graphql-java provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **26**

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Executable Definitions | Lone Anonymous Operation | Fields On Correct Type | Arguments Of Correct Type | Fragments On Composite Type | Known Type Names | Known Directives | No Undefined Variables | |
| | Unique Operation Names | Overlapping Fields Can Be Merged | Known Argument Names | Known Fragment Names | Variable Default Values Of Correct Type | Unique Directive Names Per Location | No Unused Variables | |
| | | Scalar Leafs | Provided Non Null Arguments | No Fragment Cycles | | | Unique Variable Names Rule | |
| | | | Unique Argument Names Rule | No Unused Fragments | | | Variable Types Match Rule | |
| | | | | Possible Fragment Spreads | | | Variables Are Input Types | |
| | | | | Unique Fragment Names | | | Variables Types Matcher | |
## Security Disclosure
https://github.com/graphql-java/graphql-java/issues

--------------------------------------------------------------------------------
/implementations/graphql-php.md:
--------------------------------------------------------------------------------

# graphql-php

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [php](https://www.php.net/)\
Source: [https://github.com/webonyx/graphql-php](https://github.com/webonyx/graphql-php)\
Documentation: [https://webonyx.github.io/graphql-php/](https://webonyx.github.io/graphql-php/)

## Security Considerations
graphql-php provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **37**

GraphQL PHP validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Executable Definitions | Lone Anonymous Operation | Fields on Correct Type | Known Argument Names | Fragments On Composite Types | Known Type Names | Known Directives | No Undefined Variables | Query Complexity |
| Lone Schema Definition | Unique Operation Names | Overlapping Fields Can Be Merged | Known Argument Names On Directives | Known Fragment Names | Possible Type Extensions | Unique Directive Names | No Unused Variables | Query Depth |
| | | Scalar Leafs | Provided Required Arguments | No Fragment Cycles | Unique Enum Value Names | Unique Directives Per Location | Unique Variable Names | Disable Introspection |
| | Single Field Subscription | | Unique Argument Names | No Unused Fragments | Unique Operation Types | | Variables Are Input Types | |
| | | Unique Input Field Names | Provided Required Arguments On Directives | Possible Fragment Spreads | Unique Type Names | | Variables In Allowed Position | |
| | | | | Unique Fragment Names | Values Of Correct Type | | | |
## Security Disclosure
https://github.com/webonyx/graphql-php/issues

--------------------------------------------------------------------------------
/implementations/graphql-ruby.md:
--------------------------------------------------------------------------------

# graphql-ruby

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [Ruby](https://www.ruby-lang.org/en/)\
Source: [https://github.com/rmosolgo/graphql-ruby](https://github.com/rmosolgo/graphql-ruby)\
Documentation: [https://graphql-ruby.org/](https://graphql-ruby.org/)

## Security Considerations
graphql-ruby provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ✅ Enabled by Default | ❌ No Support | ✅ Enabled by Default |

## Request Validations

Total Validation Count: **28**

GraphQL Ruby validates the following checks when a query is sent:

| [Document Validations](https://spec.graphql.org/October2021/#sec-Documents) | [Operation Validations](https://spec.graphql.org/October2021/#sec-Validation.Operations) | [Field Validations](https://spec.graphql.org/October2021/#sec-Validation.Fields) | [Argument Validations](https://spec.graphql.org/October2021/#sec-Validation.Arguments) | [Fragment Validations](https://spec.graphql.org/October2021/#sec-Validation.Fragments) | [Value Validations](https://spec.graphql.org/October2021/#sec-Values) | [Directive Validations](https://spec.graphql.org/October2021/#sec-Validation.Directives) | [Variable Validations](https://spec.graphql.org/October2021/#sec-Validation.Variables) | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | [Mutation root exists](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/mutation_root_exists.rb) | [Fields are defined on type](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fields_are_defined_on_type.rb) | [Argument literals are compatible](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/argument_literals_are_compatible.rb) | [Fragment names are unique](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragment_names_are_unique.rb) | [Input object names are unique](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/input_object_names_are_unique.rb) | [Directives are defined](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/directives_are_defined.rb) | [Variables default values are correctly typed](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variable_default_values_are_correctly_typed.rb) | [No definitions are present](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/no_definitions_are_present.rb) |
| | [Operation names are valid](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/operation_names_are_valid.rb) | [Fields have appropriate selections](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fields_have_appropriate_selections.rb) | [Argument names are unique](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/argument_names_are_unique.rb) | [Fragment spreads are possible](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragment_spreads_are_possible.rb) | [Required input object attributes are present](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/required_input_object_attributes_are_present.rb) | [Directives are in valid locations](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/directives_are_in_valid_locations.rb) | [Variable names are unique](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variable_names_are_unique.rb) | |
| | [Query root exists](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/query_root_exists.rb) | [Field will merge](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fields_will_merge.rb) | [Arguments are defined](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/arguments_are_defined.rb) | [Fragment types exist](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragment_types_exist.rb) | | [Unique directives per location](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/unique_directives_per_location.rb) | [Variable usages are allowed](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variable_usages_are_allowed.rb) | |
| | [Subscription root exists](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/subscription_root_exists.rb) | | [Required arguments are present](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/required_arguments_are_present.rb) | [Fragments are finite](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragments_are_finite.rb) | | | [Variables are input types](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variables_are_input_types.rb) | |
| | | | | [Fragments are named](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragments_are_named.rb) | | | [Variables are used and defined](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variables_are_used_and_defined.rb) | |
| | | | | [Fragments are on composite types](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragments_are_on_composite_types.rb) | | | | |

## Security Disclosure
https://github.com/rmosolgo/graphql-ruby/issues

--------------------------------------------------------------------------------
/implementations/graphql-yoga.md:
--------------------------------------------------------------------------------

# graphql-yoga

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [typescript](https://www.typescriptlang.org/)\
Source: [https://github.com/dotansimha/graphql-yoga](https://github.com/dotansimha/graphql-yoga)\
Documentation: [https://www.graphql-yoga.com/](https://www.graphql-yoga.com/)

## Security Considerations
graphql-yoga provides the following features which should be taken into consideration:
| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support | ❌ No Support | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **34**

graphql-yoga is based on [apollo](https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/apollo.md) and [graphql-js](https://github.com/graphql/graphql-js), which validate the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Executable Definitions | Lone Anonymous Operation | Fields On Correct Type | Known Argument Names | Fragments On Composite Types | Known Type Names | Known Directives | No Undefined Variables | |
| Lone Schema Definition | Unique Operation Names | Overlapping Fields Can Be Merged | Provided Required Arguments | Known Fragment Names | Possible Type Extensions | Unique Directive Names | No Unused Variables | |
| Unique Operation Types | | Scalar Leafs | Unique Argument Definition Names | No Fragment Cycles | Unique Enum Value Names | Unique Directives Per Location | Unique Variable Names | |
| | Single Field Subscriptions | | Unique Argument Names | No Unused Fragments | Unique Type Names | | Variables Are Input Types | |
| | | Unique Field Definition Names | | Possible Fragment Spreads | Values Of Correct Type | | Variables In Allowed Position | |
| | | | | Unique Fragment Names | Unique Input Field Names | | | |
## Security Disclosure
https://github.com/dotansimha/graphql-yoga

--------------------------------------------------------------------------------
/implementations/hasura.md:
--------------------------------------------------------------------------------

# Hasura

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [Haskell](https://www.haskell.org/)\
Source: [https://github.com/hasura/graphql-engine](https://github.com/hasura/graphql-engine)\
Documentation: [https://hasura.io/](https://hasura.io/)

## Security Considerations
Hasura provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **XXX**

Hasura validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
## Security Disclosure
build@hasura.io

--------------------------------------------------------------------------------
/implementations/juniper.md:
--------------------------------------------------------------------------------

# juniper

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [rust](https://www.rust-lang.org/)\
Source: [https://github.com/graphql-rust/juniper](https://github.com/graphql-rust/juniper)\
Documentation: [https://graphql-rust.github.io/](https://graphql-rust.github.io/)

## Security Considerations
juniper provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ❌ No Support | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **24**

juniper validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | Lone Anonymous Operation | Fields on Correct Type | Arguments of Correct Type | Fragments on Composite Types | Default Values of Correct Type | Known Directives | No Undefined Variables | |
| | Unique Operation Names | Overlapping Fields can be Merged | Known Argument Names | Known Fragment Names | Known Type Names | | No Unused Variables | |
| | | Scalar Leafs | Provided non null arguments | No Fragment Cycles | | | Unique Variable Names | |
| | | Unique Input Field Names | Unique Argument Names | No Unused Fragments | | | Variables are Input Types | |
| | | | | Possible Fragment Spreads | | | Variables in Allowed Position | |
| | | | | Unique Fragment Names | | | | |
## Security Disclosure
https://github.com/graphql-rust/juniper/issues

--------------------------------------------------------------------------------
/implementations/lighthouse.md:
--------------------------------------------------------------------------------

# Lighthouse

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)

## About
Language:
- [PHP](https://www.php.net/)

Source: [https://github.com/nuwave/lighthouse](https://github.com/nuwave/lighthouse)

## Security Considerations
Lighthouse provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ❌ No Support | ⚠️ No Support | ⚠️ No Support | ⚠️ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support |

--------------------------------------------------------------------------------
/implementations/sangria.md:
--------------------------------------------------------------------------------

# Sangria

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [Scala](https://www.scala-lang.org/)\
Source: [https://github.com/sangria-graphql/sangria](https://github.com/sangria-graphql/sangria)\
Documentation: [https://sangria-graphql.github.io/learn/](https://sangria-graphql.github.io/learn/)

## Security Considerations
Sangria provides the following features which should be taken into consideration:
| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **27**

GraphQL Sangria validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Executable Definitions | Lone Anonymous Operation | Fields On Correct Type | Known Argument Names | Fragments On Composite Types | Known Type Names | Known Directives | Input Document Non Conflicting Variable Inference | |
| | Unique Operation Names | Overlapping Fields Can Be Merged | Provided Required Arguments | Known Fragment Names | Values Of Correct Type | Unique Directives Per Location | No Undefined Variables | |
| | | Scalar Leafs | Unique Argument Names | No Fragment Cycles | | | No Unused Variables | |
| | Single Field Subscriptions | | | No Unused Fragments | | | Unique Variable Names | |
| | | Unique Input Field Names | | Possible Fragment Spreads | | | Variables Are Input Types | |
| | | | | Unique Fragment Names | | | Variables In Allowed Position | |
## Security Disclosure
https://github.com/sangria-graphql/sangria/issues

--------------------------------------------------------------------------------
/implementations/strawberry.md:
--------------------------------------------------------------------------------

# Strawberry

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [python](https://www.python.org/)\
Source:
- [https://github.com/strawberry-graphql/strawberry](https://github.com/strawberry-graphql/strawberry)
- [https://github.com/graphql-python/graphql-core](https://github.com/graphql-python/graphql-core)

Documentation: [https://strawberry.rocks/](https://strawberry.rocks/)

## Security Considerations
Strawberry provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ❌ No Support |

## Request Validations
Total Validation Count: **34**

Strawberry is based on [graphql-core](https://github.com/graphql-python/graphql-core), which validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Executable Definitions | Lone Anonymous Operation | Fields On Correct Type | Known Argument Names | Fragments On Composite Types | Known Type Names | Known Directives | No Undefined Variables | |
| Lone Schema Definition | Unique Operation Names | Overlapping Fields Can Be Merged | Provided Required Arguments | Known Fragment Names | Possible Type Extensions | Unique Directive Names | No Unused Variables | |
| | | Scalar Leafs | Unique Argument Definition Names | No Fragment Cycles | Unique Enum Value Names | Unique Directives Per Location | Unique Variable Names | |
| | Single Field Subscriptions | | Unique Argument Names | No Unused Fragments | Unique Operation Types | | Variables Are Input Types | |
| | | Unique Field Definition Names | | Possible Fragment Spreads | Unique Type Names | | Variables In Allowed Position | |
| | | Unique Input Field Names | | Unique Fragment Names | Values Of Correct Type | | | |
126 | 127 | ## Security Disclosure 128 | https://github.com/strawberry-graphql/strawberry/issues -------------------------------------------------------------------------------- /implementations/tartiflette.md: -------------------------------------------------------------------------------- 1 | # tartiflette 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [python](https://www.python.org/)\ 12 | Source: [https://github.com/tartiflette/tartiflette](https://github.com/tartiflette/tartiflette)\ 13 | Documentation: [https://tartiflette.io/](https://tartiflette.io/) 14 | 15 | ## Security Considerations 16 | Tartiflette provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |
| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ❌ No Support | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ❌ No Support |

*Although Tartiflette lacks the basic security features listed above, it does provide rate limiting on a per-field basis.*

## Request Validations
Total Validation Count: **26**

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Single Root Field | Lone Anonymous Operation | Field Selections on Objects Interfaces and Unions Types | Argument Names | Fragment Must be Used | Values of Correct Type | Directives are Defined | All Variable Usages are Allowed | |
| Executable Definitions | Operation Name Uniqueness | Input Object Field Uniqueness | Argument Uniqueness | Fragment Name Uniqueness | | Directives are in Valid Locations | All Variable uses Defined | |
| | | Leaf Field Selections | Required Arguments | Fragment Spread is Possible | | Directives are Unique per Location | All Variables Used | |
| | | | | Fragment Spread Target Defined | | | Variable Uniqueness | |
| | | | | Fragment Spread Type Existence | | | Variables are Input Types | |
| | | | | Fragment Spreads Must Not Form Cycles | | | | |
| | | | | Fragments on Composite Types | | | | |

## Security Disclosure
https://github.com/tartiflette/tartiflette/issues

--------------------------------------------------------------------------------
/implementations/template.md:
--------------------------------------------------------------------------------
# name

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: []()\
Source: []()\
Documentation: []()

## Security Considerations
name provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **XXX**

name validates the following checks when a query is sent:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|

## Notable Vulnerabilities

| CVE ID | Date | Score | Description |
|---|---|---|---|

## Security Disclosure
url

--------------------------------------------------------------------------------
/implementations/wp-graphql.md:
--------------------------------------------------------------------------------
# wp-graphql

### Table of Contents
* [About](#About)
* [Security Considerations](#Security-Considerations)
* [Request Validations](#Request-Validations)
* [Notable Vulnerabilities](#Notable-Vulnerabilities)
* [Security Disclosure](#Security-Disclosure)

## About
Language: [php](https://www.php.net/)\
Source: [https://github.com/wp-graphql/wp-graphql](https://github.com/wp-graphql/wp-graphql)\
Documentation: [https://www.wpgraphql.com/](https://www.wpgraphql.com/)

## Security Considerations
wp-graphql provides the following features which should be taken into consideration:

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|---|---|---|---|---|---|---|
| ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default |

## Request Validations
Total Validation Count: **38**

wp-graphql is built on [graphql-php](https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/graphql-php.md), so it applies graphql-php's validation rules as well as the extra validations listed below:

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Executable Definitions | Lone Anonymous Operation | Fields on Correct Type | Known Argument Names | Fragments On Composite Types | Known Type Names | Known Directives | No Undefined Variables | Query Complexity |
| Lone Schema Definition | Unique Operation Names | Overlapping Fields Can Be Merged | Known Argument Names On Directives | Known Fragment Names | Possible Type Extensions | Unique Directive Names | No Unused Variables | Query Depth |
| | | Scalar Leafs | Provided Required Arguments | No Fragment Cycles | Unique Enum Value Names | Unique Directives Per Location | Unique Variable Names | Disable Introspection |
| Single Field Subscription | | | Unique Argument Names | No Unused Fragments | Unique Operation Types | | Variables Are Input Types | Require Authentication |
| | | Unique Input Field Names | Provided Required Arguments On Directives | Possible Fragment Spreads | Unique Type Names | | Variables In Allowed Position | |
| | | | | Unique Fragment Names | Values Of Correct Type | | | |

## Notable Vulnerabilities

| CVE ID | Date | Score | Description |
|---|---|---|---|
| CVE-2019-9881 | 2019-06-10 | 5.0 | The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled. |
| CVE-2019-9880 | 2019-06-10 | 6.4 | An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username. |
| CVE-2019-9879 | 2019-06-10 | 7.5 | The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation. |

## Security Disclosure
https://github.com/wp-graphql/wp-graphql/issues

--------------------------------------------------------------------------------
/static/graphql-threat-matrix-v1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nicholasaleks/graphql-threat-matrix/64f6b926cf6a177d4aed01593573abd7fbde8d17/static/graphql-threat-matrix-v1.png

--------------------------------------------------------------------------------
/static/graphql-threat-matrix.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nicholasaleks/graphql-threat-matrix/64f6b926cf6a177d4aed01593573abd7fbde8d17/static/graphql-threat-matrix.png

--------------------------------------------------------------------------------