├── .gitignore ├── README.md ├── implementations ├── agoo.md ├── apollo.md ├── ariadne.md ├── dgraph.md ├── diana.md ├── directus.md ├── gql-dart.md ├── gqlgen.md ├── graphene.md ├── graphql-api-for-wp.md ├── graphql-dotnet.md ├── graphql-go.md ├── graphql-java.md ├── graphql-php.md ├── graphql-ruby.md ├── graphql-yoga.md ├── hasura.md ├── juniper.md ├── lighthouse.md ├── sangria.md ├── strawberry.md ├── tartiflette.md ├── template.md └── wp-graphql.md └── static ├── graphql-threat-matrix-v1.png └── graphql-threat-matrix.png /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | 3 |
4 |

5 | 6 |

7 | GraphQL Threat Matrix 8 |

9 | 10 | ## Why graphql-threat-matrix? 11 | [graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) was built for bug bounty hunters, security researchers and hackers to assist with uncovering vulnerabilities across multiple GraphQL implementations. 12 | 13 | The differences in how GraphQL implementations interpret and conform to the GraphQL specification may lead to security gaps and unique attack vectors. By analyzing and comparing the factors that drive the security risks across different implementations the GraphQL ecosystem can make safer deployment decisions as well as collectively advance the security maturity of all implementations. 14 | 15 |

21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 | 284 | 285 | 286 | 287 |

Implementation	Validations	Field Suggestions	Query Depth limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
wp-graphql	38	✅	⚠️	❌	❌	⚠️	⚠️	✅
graphql-php	37	✅	⚠️	⚠️	❌	✅	⚠️	⚠️
graphql-api-for-wp	37	⚠️	❌	❌	✅	✅	⚠️	✅
Apollo	34	✅	⚠️	⚠️	✅	✅	✅	✅
graphql-yoga	34	✅	⚠️	❌	❌	⚠️	⚠️	⚠️
graphene	34	✅	❌	❌	❌	✅	❌	⚠️
Ariadne	34	✅	⚠️	⚠️	❌	✅	⚠️	❌
Strawberry	34	✅	⚠️	❌	❌	✅	❌	❌
graphql-dotnet	29	✅	⚠️	⚠️	❌	✅	❌	⚠️
graphql-ruby	28	✅	❌	⚠️	⚠️	✅	❌	✅
Sangria	27	✅	⚠️	⚠️	❌	✅	❌	⚠️
Tartiflette	26	❌	❌	❌	❌	✅	❌	❌
graphql-java	26	✅	⚠️	⚠️	❌	✅	❌	⚠️
gqlgen	25	✅	❌	⚠️	⚠️	✅	⚠️	⚠️
Dgraph	25	✅	❌	❌	⚠️	✅	❌	❌
graphql-go	24	✅	❌	❌	❌	✅	⚠️	❌
juniper	24	❌	❌	❌	❌	✅	❌	⚠️
Diana.jl	10	✅	❌	❌	❌	✅	❌	❌
gql-dart/gql	9	✅	❌	❌	❌	✅	❌	❌
Agoo	1	❌	❌	❌	❌	✅	⚠️	❌
Lighthouse	1	✅	⚠️	⚠️	⚠️	✅	⚠️	✅

288 | 289 | ## For Penetration Testers 290 | Use [graphw00f](https://github.com/dolevf/graphw00f) to fingerprint a target GraphQL API and determine the backend implementation. 291 | 292 | ## Want to provide a submission (or correction)? 293 | Interested in contributing? Found a discrepancy? Please create a GitHub issue or PR with your details. 294 | 295 | ## Contributors & Maintainers 296 | - [Nick Aleks](https://github.com/nicholasaleks) 297 | - [Dolev Farhi](https://github.com/dolevf) 298 | -------------------------------------------------------------------------------- /implementations/agoo.md: -------------------------------------------------------------------------------- 1 | # Agoo 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: 12 | - [Ruby](https://www.ruby-lang.org/en/) 13 | - [C](http://www.open-std.org/jtc1/sc22/wg14/) 14 | 15 | Source: [https://github.com/ohler55/agoo](https://github.com/ohler55/agoo)\ 16 | Documentation: [https://rubydoc.info/gems/agoo](https://rubydoc.info/gems/agoo) 17 | 18 | ## Security Considerations 19 | name provides the following features which should be taken into consideration: 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
❌ No Support	❌ No Support	❌ No Support	❌ No Support	✅ Enabled by Default	⚠️ Disabled by Default	❌ No Support

41 | 42 | ## Request Validations 43 | Total Validation Count: **1** 44 | 45 | name validates the following checks when a query is sent: 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
				Fragment Cycles

126 | 127 | ## Notable Vulnerabilities 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 |

CVE ID	Date	Score	Description
CVE-2022-30288	2022-05-03	7.5	Agoo versions 2.11.1 and below do not support request validations meaning cycle fragment requests lead to unbounded results causing instances of Agoo to crash.

143 | 144 | ## Security Disclosure 145 | https://github.com/ohler55/agoo/blob/develop/SECURITY.md 146 | -------------------------------------------------------------------------------- /implementations/apollo.md: -------------------------------------------------------------------------------- 1 | # Apollo 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [javascript](https://www.javascript.com/)\ 12 | Source: [https://github.com/apollographql/apollo-server](https://github.com/apollographql/apollo-server)\ 13 | Documentation: [https://www.apollographql.com/docs/apollo-server/](https://www.apollographql.com/docs/apollo-server/) 14 | 15 | ## Security Considerations 16 | Apollo provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default (Supported via External Libraries)	⚠️ Disabled by Default (Supported via External Libraries)	⚠️ Disabled by Default	✅ Enabled if NODE_ENV is not set to 'production'	✅ exception.stacktrace exists if NODE_ENV is not set to 'production' or 'test'	✅ Enabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **34** 41 | 42 | Apollo is based on [graphql-js](https://github.com/graphql/graphql-js) which validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Executable Definitions	Lone Anonymous Operation	Fields On Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	No Undefined Variables
Lone Schema Definition	Unique Operation Names	Overlapping Fields Can Be Merged	Provided Required Arguments	Known Fragment Names	Possible Type Extensions	Unique Directive Names	No Unused Variables
	Unique Operation Types	Scalar Leafs	Unique Argument Definition Names	No Fragment Cycles	Unique Enum Value Names	Unique Directives Per Location	Unique Variable Names
		Single Field Subscriptions	Unique Argument Names	No Unused Fragments	Unique Type Names		Variables Are Input Types
		Unique Field Definition Names		Possible Fragment Spreads	Values Of Correct Type		Variables In Allowed Position
				Unique Fragment Names	Unique Input Field Names

123 | 124 | ## Notable Vulnerabilities 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 |

CVE ID	Date	Score	Description
CVE-2021-41249	2021-11-04	7.1	Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)
-	2020-05-04	Moderate	Schema validation rules are not passed to the subscription server, including rules that restrict introspection

146 | 147 | ## Security Disclosure 148 | security@apollographql.com 149 | -------------------------------------------------------------------------------- /implementations/ariadne.md: -------------------------------------------------------------------------------- 1 | # ariadne 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [python](https://www.python.org/)\ 12 | Source: 13 | - [https://github.com/mirumee/ariadne](https://github.com/mirumee/ariadne) 14 | - [https://github.com/graphql-python/graphql-core](https://github.com/graphql-python/graphql-core) 15 | 16 | Documentation: [https://ariadnegraphql.org/](https://ariadnegraphql.org/) 17 | 18 | ## Security Considerations 19 | ariadne provides the following features which should be taken into consideration: 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default	❌ No Support	✅ Enabled by Default	⚠️ Disabled by Default	❌ No Support

41 | 42 | ## Request Validations 43 | Total Validation Count: **34** 44 | 45 | ariadne is based on [graphql-core](https://github.com/graphql-python/graphql-core) which validates the following checks when a query is sent: 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Executable Definitions	Lone Anonymous Operation	Fields On Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	No Undefined Variables
Lone Schema Definition	Unique Operation Names	Overlapping Fields Can Be Merged	Provided Required Arguments	Known Fragment Names	Possible Type Extensions	Unique Directive Names	No Unused Variables
		Scalar Leafs	Unique Argument Definition Names	No Fragment Cycles	Unique Enum Value Names	Unique Directives Per Location	Unique Variable Names
		Single Field Subscriptions	Unique Argument Names	No Unused Fragments	Unique Operation Types		Variables Are Input Types
		Unique Field Definition Names	Possible Fragment Spreads		Unique Type Names		Variables In Allowed Position
		Unique Input Field Names	Unique Fragment Names		Values Of Correct Type

126 | 127 | ## Security Disclosure 128 | https://github.com/mirumee/ariadne/discussions/ 129 | -------------------------------------------------------------------------------- /implementations/dgraph.md: -------------------------------------------------------------------------------- 1 | # Dgraph 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [go](https://go.dev/)\ 12 | Source: 13 | - [https://github.com/dgraph-io/dgraph](https://github.com/dgraph-io/dgraph) 14 | - [https://github.com/dgraph-io/gqlparser](https://github.com/dgraph-io/gqlparser) 15 | 16 | Documentation: [https://dgraph.io/docs/](https://dgraph.io/docs/) 17 | 18 | ## Security Considerations 19 | Dgraph provides the following features which should be taken into consideration: 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	❌ No Support	⚠️ Disabled by Default	✅ Enabled by Default	❌ No Support	❌ No Support

41 | 42 | ## Request Validations 43 | Total Validation Count: **25** 44 | 45 | Dgraph is based on [gqlparser](https://github.com/dgraph-io/gqlparser) which validates the following checks when a query is sent: 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Lone Anonymous Operation	Single Field Subscriptions	Fields on Correct Type	Known Argument Names	Fragments on Composite Types	Known Type Names	Known Directives	No Undefined Variables
	Unique Operation Names	Overlapping Fields can be Merged	Provided Required Arguments	Known Fragment Names	Unique Input Field Names	Unique Directives per Location	No Unused Variables
		Scalar Leafs	Unique Argument Names	No Fragment Cycles	Values of Correct Type		Unique Variable Names
				No Unused Fragments			Variables are Input Types
				Possible Fragment Spreads			Variables in Allowed Position
				Unique Fragment Names

126 | 127 | ## Security Disclosure 128 | contact@dgraph.io 129 | -------------------------------------------------------------------------------- /implementations/diana.md: -------------------------------------------------------------------------------- 1 | # Diana.jl 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [julia](https://julialang.org/)\ 12 | Source: [https://github.com/neomatrixcode/Diana.jl](https://github.com/neomatrixcode/Diana.jl)\ 13 | Documentation: [https://diana.nicepage.io/](https://diana.nicepage.io/) 14 | 15 | ## Security Considerations 16 | diana.jl provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	❌ No Support	❌ No Support	✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **10** 41 | 42 | diana.jl validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
	Not Extension On Operation			Fragment Subscription
	Not Type on Operation			Fragment Names
	Not Schema on Operation			Fragment Unknown Not Used
	Operation Names			Fragment Cycles
	Operation Anonymous
	Subscription Fields

123 | 124 | ## Security Disclosure 125 | https://github.com/neomatrixcode/Diana.jl/issues -------------------------------------------------------------------------------- /implementations/directus.md: -------------------------------------------------------------------------------- 1 | # directus 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [javascript](https://www.javascript.com/)\ 12 | Source: [https://github.com/directus/directus](https://github.com/directus/directus)\ 13 | Documentation: [https://directus.io/](https://directus.io/) 14 | 15 | ## Security Considerations 16 | directus provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	❌ No Support	❌ No Support	✅ Enabled by Default	⚠️ Disabled by Default	❌ No Support

38 | 39 | ## Request Validations 40 | Total Validation Count: **7** 41 | 42 | directus validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
								Validate Query
								Validate Filter
								Validate Filter Primitive
								Validate List
								Validate Boolean
								Validate Geometry
								Validate Alias

134 | 135 | ## Security Disclosure 136 | security@directus.io 137 | -------------------------------------------------------------------------------- /implementations/gql-dart.md: -------------------------------------------------------------------------------- 1 | # gql-dart/gql 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [dart](https://dart.dev/)\ 12 | Source: [https://github.com/gql-dart/gql](https://github.com/gql-dart/gql)\ 13 | 14 | ## Security Considerations 15 | gql-dart/gql provides the following features which should be taken into consideration: 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	❌ No Support	❌ No Support	✅ Enabled by Default	❌ No Support	❌ No Support

37 | 38 | ## Request Validations 39 | Total Validation Count: **9** 40 | 41 | gql-dart/gql validates the following checks when a query is sent: 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 |

Document Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations
Lone Schema Definition	Unique Field Definition Names	Unique Argument Names	Missing Fragment Definitions	Unique Operation Types	Unique Directive Names
	Unique Input Field Names			Unique Type Names
				Unique Enum Value Names

89 | 90 | ## Security Disclosure 91 | https://github.com/gql-dart/gql/issues 92 | -------------------------------------------------------------------------------- /implementations/gqlgen.md: -------------------------------------------------------------------------------- 1 | # gqlgen 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [go](https://go.dev/)\ 12 | Source: 13 | - [https://github.com/99designs/gqlgen](https://github.com/99designs/gqlgen) 14 | - [https://github.com/vektah/gqlparser](https://github.com/vektah/gqlparser) 15 | 16 | Documentation: [https://gqlgen.com/](https://gqlgen.com/) 17 | 18 | 19 | ## Security Considerations 20 | gqlgen provides the following features which should be taken into consideration: 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default	⚠️ Disabled by Default	✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default

42 | 43 | ## Request Validations 44 | Total Validation Count: **25** 45 | 46 | gqlgen is based on [gqlparser](https://github.com/dgraph-io/gqlparser) which validates the following checks when a query is sent: 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Lone Anonymous Operation	Single Field Subscriptions	Fields on Correct Type	Known Argument Names	Fragments on Composite Types	Known Type Names	Known Directives	No Undefined Variables
	Unique Operation Names	Overlapping Fields can be Merged	Provided Required Arguments	Known Fragment Names	Unique Input Field Names	Unique Directives per Location	No Unused Variables
		Scalar Leafs	Unique Argument Names	No Fragment Cycles	Values of Correct Type		Unique Variable Names
				No Unused Fragments			Variables are Input Types
				Possible Fragment Spreads			Variables in Allowed Position
				Unique Fragment Names

127 | 128 | ## Security Disclosure 129 | https://github.com/99designs/gqlgen/issues -------------------------------------------------------------------------------- /implementations/graphene.md: -------------------------------------------------------------------------------- 1 | # graphene 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [python](https://www.python.org/)\ 12 | Source: 13 | - [https://github.com/graphql-python/graphene](https://github.com/graphql-python/graphene) 14 | - [https://github.com/graphql-python/graphql-core](https://github.com/graphql-python/graphql-core) 15 | 16 | Documentation: [https://graphene-python.org/](https://graphene-python.org/) 17 | 18 | ## Security Considerations 19 | graphene provides the following features which should be taken into consideration: 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	❌ No Support	❌ No Support	✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default

41 | 42 | ## Request Validations 43 | Total Validation Count: **34** 44 | 45 | graphene is based on [graphql-core](https://github.com/graphql-python/graphql-core) which validates the following checks when a query is sent: 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Executable Definitions	Lone Anonymous Operation	Fields On Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	No Undefined Variables
Lone Schema Definition	Unique Operation Names	Overlapping Fields Can Be Merged	Provided Required Arguments	Known Fragment Names	Possible Type Extensions	Unique Directive Names	No Unused Variables
		Scalar Leafs	Unique Argument Definition Names	No Fragment Cycles	Unique Enum Value Names	Unique Directives Per Location	Unique Variable Names
		Single Field Subscriptions	Unique Argument Names	No Unused Fragments	Unique Operation Types		Variables Are Input Types
		Unique Field Definition Names	Possible Fragment Spreads		Unique Type Names		Variables In Allowed Position
		Unique Input Field Names	Unique Fragment Names		Values Of Correct Type

126 | 127 | ## Security Disclosure 128 | https://github.com/graphql-python/graphene/issues -------------------------------------------------------------------------------- /implementations/graphql-api-for-wp.md: -------------------------------------------------------------------------------- 1 | # GraphQL API for WordPress 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [php](https://www.php.net/)\ 12 | Source: [https://github.com/leoloso/PoP](https://github.com/leoloso/PoP)\ 13 | Documentation: [https://graphql-api.com/](https://graphql-api.com/) 14 | 15 | ## Security Considerations 16 | GraphQL API for WordPress provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
⚠️ Disabled by Default	❌ No Support	❌ No Support	✅ Enabled by Default	✅ Enabled by Default	⚠️ Disabled by Default	✅ Enabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **37** 41 | 42 | GraphQL API for WordPress validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
(Executable Definitions)	Lone Anonymous Operation	Fields on Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	No Undefined Variables	Disable Single Endpoint, Obfuscate Endpoint Path
(Lone Schema Definition)	Unique Operation Names	Unique Input Field Names	Known Argument Names On Directives	Known Fragment Names	(Possible Type Extensions)	Repeatable Directives	No Unused Variables	Disable Introspection
	Known Operation Names		Provided Required Arguments	No Fragment Cycles	Unique Enum Value Names		Unique Variable Names	Dynamic Variable Has Value Exported
	Operation Name Provided When Multiple Operations in Document		Unique Argument Names	No Unused Fragments	Values Of Correct Type		Variables In Allowed Position	Enum Value Must Be String
	Operation Provided In Document	Leaf Field Selections	Provided Required Arguments On Directives	Possible Fragment Spreads	Provided Required Inputs On Input Objects			No Field Or Directive Was Found With Required Version Constraint
			@oneOf Input Object Must Receive Exactly 1 Input Value (Spec RFC Stage 2)	Unique Fragment Names	Enum Value is Not Valid			A Directive's Behavior Can Be Modified By At Most 1 Other Directive

123 | 124 | ## Security Disclosure 125 | https://graphql-api.com/contact/ -------------------------------------------------------------------------------- /implementations/graphql-dotnet.md: -------------------------------------------------------------------------------- 1 | # graphql-dotnet 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [C#](https://dotnet.microsoft.com/en-us/languages/csharp)\ 12 | Source: [https://github.com/graphql-dotnet/graphql-dotnet](https://github.com/graphql-dotnet/graphql-dotnet)\ 13 | Documentation: [https://graphql-dotnet.github.io/docs/getting-started/introduction/](https://graphql-dotnet.github.io/docs/getting-started/introduction/) 14 | 15 | ## Security Considerations 16 | graphql-dotnet provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default	❌ No Support	✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **29** 41 | 42 | GraphQL.NET validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
Lone Anonymous Operation	Fields On Correct Type	Arguments Of Correct Type	Fragments On Composite Types	Default Values Of Correct Type	Known Directives In Allowed Locations	Unique Variable Names	Input Fields And Arguments Of Correct Length
Unique Operation Names	Overlapping Fields Can Be Merged	Known Argument Names	Known Fragment Names	Known Type Names	Unique Directives Per Location	Variables Are Input Types	No Introspection Validation Rule
	Scalar Leafs	Provided Non Null Arguments	No Fragment Cycles			No Undefined Variables	Complexity Validation Rule
	Single Root Field Subscriptions	Unique Argument Names	No Unused Fragments			No Unused Variable
	Unique Input Field Names		Possible Fragment Spreads			Variables In Allowed Position
			Unique Fragment Names

123 | 124 | ## Security Disclosure 125 | https://github.com/graphql-dotnet/graphql-dotnet/issues -------------------------------------------------------------------------------- /implementations/graphql-go.md: -------------------------------------------------------------------------------- 1 | # graphql-go 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request-Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [go](https://go.dev/)\ 12 | Source: [https://github.com/graphql-go/graphql](https://github.com/graphql-go/graphql)\ 13 | Documentation: [https://pkg.go.dev/github.com/graphql-go/graphql](https://pkg.go.dev/github.com/graphql-go/graphql) 14 | 15 | ## Security Considerations 16 | graphql-go provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	❌ No Support	❌ No Support	✅ Enabled by Default	⚠️ Disabled by Default	❌ No Support

38 | 39 | ## Request Validations 40 | Total Validation Count: **24** 41 | 42 | GraphQL Ruby validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Lone Anonymous Operation	Fields on Correct Type	Arguments of Correct Type	Fragments on Composite Types	Default Value of Correct Type	Known Directives	No Undefined Variables
Unique Operation Names	Overlapping Fields Can Be Merged	Known Argument Names	Known Fragment Names	Known Type Names		No Unused Variables
	Scalar Leafs	Provided Non Null Arguments	No Unused Fragments			Unique Variable Names
	Unique Input Field Names	Unique Argument Name	Possible Fragment Spreads			Variables Are Input Types
			Unique Fragment Names			Variables In Allowed position
			No Fragment Cycles

123 | 124 | ## Security Disclosure 125 | Report the issue to @pavelnikolov and/or @tony in the Gophers Slack in a private message. -------------------------------------------------------------------------------- /implementations/graphql-java.md: -------------------------------------------------------------------------------- 1 | # graphql-java 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [java](https://www.oracle.com/java/)\ 12 | Source: [https://github.com/graphql-java/graphql-java](https://github.com/graphql-java/graphql-java)\ 13 | Documentation: [https://www.graphql-java.com/](https://www.graphql-java.com/) 14 | 15 | ## Security Considerations 16 | graphql-java provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default	❌ No Support	✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **26** 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Executable Definitions	Lone Anonymous Operation	Fields On Correct Type	Arguments Of Correct Type	Fragments On Composite Type	Known Type Names	Known Directives	No Undefined Variables
	Unique Operation Names	Overlapping Fields Can Be Merged	Known Argument Names	Provided Non Null Arguments	Known Fragment Names		No Unused Variables
		Scalar Leafs	Unique Argument Names Rule	No Fragment Cycles	No Unused Fragments
			Unique Directive Names Per Location	Possible Fragment Spreads			Unique Variable Names Rule
				Unique Fragment Names			Variable Default Values Of Correct Type
							Variable Types Match Rule
							Variables Are Input Types
							Variables Types Matcher

143 | 144 | ## Security Disclosure 145 | https://github.com/graphql-java/graphql-java/issues -------------------------------------------------------------------------------- /implementations/graphql-php.md: -------------------------------------------------------------------------------- 1 | # graphql-php 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [php](https://www.php.net/)\ 12 | Source: [https://github.com/webonyx/graphql-php](https://github.com/webonyx/graphql-php)\ 13 | Documentation: [https://webonyx.github.io/graphql-php/](https://webonyx.github.io/graphql-php/) 14 | 15 | ## Security Considerations 16 | graphql-php provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default	❌ No Support	✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **37** 41 | 42 | GraphQL PHP validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
Executable Definitions	Lone Anonymous Operation	Fields on Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	No Undefined Variables	Query Complexity
Lone Schema Definition	Unique Operation Names	Overlapping Fields Can Be Merged	Known Argument Names On Directives	Known Fragment Names	Possible Type Extensions	Unique Directive Names	No Unused Variables	Query Depth
		Scalar Leafs	Provided Required Arguments	No Fragment Cycles	Unique Enum Value Names	Unique Directives Per Location	Unique Variable Names	Disable Introspection
		Single Field Subscription	Unique Argument Names	No Unused Fragments	Unique Operation Types		Variables Are Input Types
		Unique Input Field Names	Provided Required Arguments On Directives	Possible Fragment Spreads	Unique Type Names		Variables In Allowed Position
				Unique Fragment Names	Values Of Correct Type

123 | 124 | ## Security Disclosure 125 | https://github.com/webonyx/graphql-php/issues -------------------------------------------------------------------------------- /implementations/graphql-ruby.md: -------------------------------------------------------------------------------- 1 | # graphql-ruby 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [Ruby](https://www.ruby-lang.org/en/)\ 12 | Source: [https://github.com/rmosolgo/graphql-ruby](https://github.com/rmosolgo/graphql-ruby)\ 13 | Documentation: [https://graphql-ruby.org/](https://graphql-ruby.org/) 14 | 15 | ## Security Considerations 16 | graphql-ruby provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default	⚠️ Disabled by Default	✅ Enabled by Default	❌ No Support	✅ Enabled by Default

38 | 39 | 40 | ## Request Validations 41 | 42 | Total Validation Count: **28** 43 | 44 | GraphQL Ruby validates the following checks when a query is sent: 45 | 46 | | [Document Validations](https://spec.graphql.org/October2021/#sec-Documents) | [Operation Validations](https://spec.graphql.org/October2021/#sec-Validation.Operations) | [Field Validations](https://spec.graphql.org/October2021/#sec-Validation.Fields) | [Argument Validations](https://spec.graphql.org/October2021/#sec-Validation.Arguments) | [Fragment Validations](https://spec.graphql.org/October2021/#sec-Validation.Fragments) | [Value Validations](https://spec.graphql.org/October2021/#sec-Values) | [Directive Validations](https://spec.graphql.org/October2021/#sec-Validation.Directives) | [Variable Validations](https://spec.graphql.org/October2021/#sec-Validation.Variables) | Misc. Validations | 47 | |----------------------|-----------------------|-------------------|----------------------|---------------------------|--------------------------|------------------------|----------------------|-------------------| 48 | | | [Mutation root exists](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/mutation_root_exists.rb) | [Fields are defined on type](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fields_are_defined_on_type.rb) | [Argument literals are compatible](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/argument_literals_are_compatible.rb) | [Fragment names are unique](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragment_names_are_unique.rb) | [Input object names are unique](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/input_object_names_are_unique.rb) | [Directives are defined](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/directives_are_defined.rb) | [Variables default values are correctly typed](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variable_default_values_are_correctly_typed.rb) | [No definitions are present](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/no_definitions_are_present.rb) | 49 | | | [Operation names are valid](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/operation_names_are_valid.rb) | [Fields have appropriate selections](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fields_have_appropriate_selections.rb) | [Argument names are unique](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/argument_names_are_unique.rb) | [Fragment spreads are possible](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragment_spreads_are_possible.rb) | [Required input object attributes are present](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/required_input_object_attributes_are_present.rb) | [Directives are in valid locations](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/directives_are_in_valid_locations.rb) | [Variable names are unique](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variable_names_are_unique.rb) | | 50 | | | [Query root exists](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/query_root_exists.rb) | [Field will merge](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fields_will_merge.rb) | [Arguments are defined](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/arguments_are_defined.rb) | [Fragment types exist](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragment_types_exist.rb) | | [Unique directives per location](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/unique_directives_per_location.rb) | [Variable usages are allowed](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variable_usages_are_allowed.rb) | | 51 | | | [Subscription root exists](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/subscription_root_exists.rb) | | [Requried arguments are present](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/required_arguments_are_present.rb) | [Fragements are finite](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragments_are_finite.rb) | | | [Variables are input types](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variables_are_input_types.rb) | | 52 | | | | | | [Fragments are named](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragments_are_named.rb) | | | [Variables are used and defined](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/variables_are_used_and_defined.rb) | | 53 | | | | | | [Fragments are on composite types](https://github.com/rmosolgo/graphql-ruby/blob/master/lib/graphql/static_validation/rules/fragments_are_on_composite_types.rb) | | | | | 54 | 55 | ## Security Disclosure 56 | https://github.com/rmosolgo/graphql-ruby/issues -------------------------------------------------------------------------------- /implementations/graphql-yoga.md: -------------------------------------------------------------------------------- 1 | # graphql-yoga 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [typescript](https://www.typescriptlang.org/)\ 12 | Source: [https://github.com/dotansimha/graphql-yoga](https://github.com/dotansimha/graphql-yoga)\ 13 | Documentation: [https://www.graphql-yoga.com/](https://www.graphql-yoga.com/) 14 | 15 | ## Security Considerations 16 | graphql-yoga provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	❌ No Support	❌ No Support	⚠️ Disabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **34** 41 | 42 | graphql-yoga is based on [apollo](https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/apollo.md) and [graphql-js](https://github.com/graphql/graphql-js) which validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Executable Definitions	Lone Anonymous Operation	Fields On Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	No Undefined Variables
Lone Schema Definition	Unique Operation Names	Overlapping Fields Can Be Merged	Provided Required Arguments	Known Fragment Names	Possible Type Extensions	Unique Directive Names	No Unused Variables
	Unique Operation Types	Scalar Leafs	Unique Argument Definition Names	No Fragment Cycles	Unique Enum Value Names	Unique Directives Per Location	Unique Variable Names
		Single Field Subscriptions	Unique Argument Names	No Unused Fragments	Unique Type Names		Variables Are Input Types
		Unique Field Definition Names		Possible Fragment Spreads	Values Of Correct Type		Variables In Allowed Position
				Unique Fragment Names	Unique Input Field Names

123 | 124 | ## Security Disclosure 125 | https://github.com/dotansimha/graphql-yoga -------------------------------------------------------------------------------- /implementations/hasura.md: -------------------------------------------------------------------------------- 1 | # Hasura 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [Haskell](https://www.haskell.org/)\ 12 | Source: [https://github.com/hasura/graphql-engine](https://github.com/hasura/graphql-engine)\ 13 | Documentation: [https://hasura.io/](https://hasura.io/) 14 | 15 | ## Security Considerations 16 | Hasura provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default	❌ No Support	✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **XXX** 41 | 42 | Hasura validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations

123 | 124 | ## Security Disclosure 125 | build@hasura.io 126 | -------------------------------------------------------------------------------- /implementations/juniper.md: -------------------------------------------------------------------------------- 1 | # juniper 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [rust](https://www.rust-lang.org/)\ 12 | Source: [https://github.com/graphql-rust/juniper](https://github.com/graphql-rust/juniper)\ 13 | Documentation: [https://graphql-rust.github.io/](https://graphql-rust.github.io/) 14 | 15 | ## Security Considerations 16 | juniper provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
❌ No Support	❌ No Support	❌ No Support	❌ No Support	✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **24** 41 | 42 | juniper validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Lone Anonymous Operation	Fields on Correct Type	Arguments of Correct Type	Fragments on Composite Types	Default Values of Correct Type	Known Directives	No Undefined Variables
Unique Operation Names	Overlapping Fields can be Merged/a>	Known Argument Names	Known Fragment Names	Known Type Names		No Unused Variables
	Scalar Leafs	Provided non null arguments	No Fragment Cycles			Unique Variable Names
	Unique Input Field Names	Unique Argument Names	No Unused Fragments			Variables are Input Types
			Possible Fragment Spreads			Variables in Allowed Position
			Unique Fragment Names

123 | 124 | ## Security Disclosure 125 | https://github.com/graphql-rust/juniper/issues -------------------------------------------------------------------------------- /implementations/lighthouse.md: -------------------------------------------------------------------------------- 1 | # Lighthouse 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | 7 | 8 | ## About 9 | Language: 10 | - [PHP](https://www.php.net/) 11 | 12 | Source: [https://github.com/nuwave/lighthouse](https://github.com/nuwave/lighthouse) 13 | 14 | ## Security Considerations 15 | name provides the following features which should be taken into consideration: 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ No Support	⚠️ No Support	⚠️ No Support	⚠️ No Support	✅ Enabled by Default	⚠️ Disabled by Default	✅ No Support

37 | 38 | -------------------------------------------------------------------------------- /implementations/sangria.md: -------------------------------------------------------------------------------- 1 | # Sangria 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [Scala](https://www.scala-lang.org/)\ 12 | Source: [https://github.com/sangria-graphql/sangria](https://github.com/sangria-graphql/sangria)\ 13 | Documentation: [https://sangria-graphql.github.io/learn/](https://sangria-graphql.github.io/learn/) 14 | 15 | ## Security Considerations 16 | Sangria provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default	❌ No Support	✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default

38 | 39 | 40 | ## Request Validations 41 | Total Validation Count: **27** 42 | 43 | GraphQL Sangria validates the following checks when a query is sent: 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Executable Definitions	Lone Anonymous Operation	Fields On Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	Input Document Non Conflicting Variable Inference
	Unique Operation Names	Overlapping Fields Can Be Merged	Provided Required Arguments	Known Fragment Names	Values Of Correct Type	Unique Directives Per Location	No Undefined Variables
		Scalar Leafs	Unique Argument Names	No Fragment Cycles			No Unused Variables
		Single Field Subscriptions		No Unused Fragments			Unique Variable Names
		Unique Input Field Names		Possible Fragment Spreads			Variables Are Input Types
				Unique Fragment Names			Variables In Allowed Position

124 | 125 | ## Security Disclosure 126 | https://github.com/sangria-graphql/sangria/issues -------------------------------------------------------------------------------- /implementations/strawberry.md: -------------------------------------------------------------------------------- 1 | # Strawberry 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [python](https://www.python.org/)\ 12 | Source: 13 | - [https://github.com/strawberry-graphql/strawberry](https://github.com/strawberry-graphql/strawberry) 14 | - [https://github.com/graphql-python/graphql-core](https://github.com/graphql-python/graphql-core) 15 | 16 | Documentation: [https://strawberry.rocks/](https://strawberry.rocks/) 17 | 18 | ## Security Considerations 19 | Strawberry provides the following features which should be taken into consideration: 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	❌ No Support	❌ No Support	✅ Enabled by Default	❌ No Support	❌ No Support

41 | 42 | ## Request Validations 43 | Total Validation Count: **34** 44 | 45 | Strawberry is based on [graphql-core](https://github.com/graphql-python/graphql-core) which validates the following checks when a query is sent: 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Executable Definitions	Lone Anonymous Operation	Fields On Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	No Undefined Variables
Lone Schema Definition	Unique Operation Names	Overlapping Fields Can Be Merged	Provided Required Arguments	Known Fragment Names	Possible Type Extensions	Unique Directive Names	No Unused Variables
		Scalar Leafs	Unique Argument Definition Names	No Fragment Cycles	Unique Enum Value Names	Unique Directives Per Location	Unique Variable Names
		Single Field Subscriptions	Unique Argument Names	No Unused Fragments	Unique Operation Types		Variables Are Input Types
		Unique Field Definition Names	Possible Fragment Spreads		Unique Type Names		Variables In Allowed Position
		Unique Input Field Names	Unique Fragment Names		Values Of Correct Type

126 | 127 | ## Security Disclosure 128 | https://github.com/strawberry-graphql/strawberry/issues -------------------------------------------------------------------------------- /implementations/tartiflette.md: -------------------------------------------------------------------------------- 1 | # tartiflette 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [python](https://www.python.org/)\ 12 | Source: [https://github.com/tartiflette/tartiflette](https://github.com/tartiflette/tartiflette)\ 13 | Documentation: [https://tartiflette.io/](https://tartiflette.io/) 14 | 15 | ## Security Considerations 16 | Tartiflette provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
❌ No Support	❌ No Support	❌ No Support	❌ No Support	✅ Enabled by Default	❌ No Support	❌ No Support

38 | 39 | *Despite Tartiflette not having basic security support, it does provide rate limits on a per field basis.* 40 | 41 | ## Request Validations 42 | Total Validation Count: **26** 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations
Single Root Field	Lone Anonymous Operation	Field Selections on Objects Interfaces and Unions Types	Argument Names	Fragment Must be Used	Values of Correct Type	Directives are Defined	All Variable Usages are Allowed
Executable Definitions	Operation Name Uniqueness	Input Object Field Uniqueness	Argument Uniqueness	Fragment Name Uniqueness		Directives are in Valid Locations	All Variable uses Defined
		Leaf Field Selections	Required Arguments	Fragment Spread is Possible		Directives are Unique per Location	All Variables Used
				Fragment Spread Target Defined			Variable Uniqueness
				Fragment Spread Type Existence			Variables are Input Types
				Fragment Spreads Must Not Form Cycles
				Fragments on Composite Types

134 | 135 | ## Security Disclosure 136 | https://github.com/tartiflette/tartiflette/issues 137 | -------------------------------------------------------------------------------- /implementations/template.md: -------------------------------------------------------------------------------- 1 | # name 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: []()\ 12 | Source: []()\ 13 | Documentation: []() 14 | 15 | ## Security Considerations 16 | name provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default	❌ No Support	✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **XXX** 41 | 42 | name validates the following checks when a query is sent: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations

123 | 124 | ## Notable Vulnerabilities 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 |

CVE ID	Date	Score	Description

146 | 147 | ## Security Disclosure 148 | url -------------------------------------------------------------------------------- /implementations/wp-graphql.md: -------------------------------------------------------------------------------- 1 | # wp-graphql 2 | 3 | ### Table of Contents 4 | * [About](#About) 5 | * [Security Considerations](#Security-Considerations) 6 | * [Request Validations](#Request-Validations) 7 | * [Notable Vulnerabilities](#Notable-Vulnerabilties) 8 | * [Security Disclosure](#Security-Disclosure) 9 | 10 | ## About 11 | Language: [php](https://www.php.net/)\ 12 | Source: [https://github.com/wp-graphql/wp-graphql](https://github.com/wp-graphql/wp-graphql)\ 13 | Documentation: [https://www.wpgraphql.com/](https://www.wpgraphql.com/) 14 | 15 | ## Security Considerations 16 | wp-graphql provides the following features which should be taken into consideration: 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 |

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default	❌ No Support	✅ Enabled by Default	❌ No Support	⚠️ Disabled by Default

38 | 39 | ## Request Validations 40 | Total Validation Count: **38** 41 | 42 | wp-graphql is based on [graphql-php](https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/graphql-php.md) which validates the checks below as well as extra validations: 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 |

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
Executable Definitions	Lone Anonymous Operation	Fields on Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	No Undefined Variables	Query Complexity
Lone Schema Definition	Unique Operation Names	Overlapping Fields Can Be Merged	Known Argument Names On Directives	Known Fragment Names	Possible Type Extensions	Unique Directive Names	No Unused Variables	Query Depth
		Scalar Leafs	Provided Required Arguments	No Fragment Cycles	Unique Enum Value Names	Unique Directives Per Location	Unique Variable Names	Disable Introspection
		Single Field Subscription	Unique Argument Names	No Unused Fragments	Unique Operation Types		Variables Are Input Types	Require Authentication
		Unique Input Field Names	Provided Required Arguments On Directives	Possible Fragment Spreads	Unique Type Names		Variables In Allowed Position
				Unique Fragment Names	Values Of Correct Type

123 | 124 | ## Notable Vulnerabilities 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 |

CVE ID	Date	Score	Description
CVE-2019-9881	2019-06-10	5.0	The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
CVE-2019-9880	2019-06-10	6.4	An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.
CVE-2019-9879	2019-06-10	7.5	The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.

152 | 153 | ## Security Disclosure 154 | https://github.com/wp-graphql/wp-graphql/issues -------------------------------------------------------------------------------- /static/graphql-threat-matrix-v1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nicholasaleks/graphql-threat-matrix/64f6b926cf6a177d4aed01593573abd7fbde8d17/static/graphql-threat-matrix-v1.png -------------------------------------------------------------------------------- /static/graphql-threat-matrix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nicholasaleks/graphql-threat-matrix/64f6b926cf6a177d4aed01593573abd7fbde8d17/static/graphql-threat-matrix.png --------------------------------------------------------------------------------

2 | 3 | 4 |

7 | GraphQL Threat Matrix 8 |

2 | 3 |
4 |