Cost-Limit Plugin Bypass via Introspection Query Obfuscation

Summary

A query cost restriction using the cost-limit can be bypassed if ignoreIntrospection is enabled (which is the default configuration) by naming your query/fragment __schema.

Details

At the start of the computeComplexity function, we have the following check for ignoreIntrospection option:

    if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') {
      return 0;
    }

However, the node can be FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode

So, for example, sending the following query

query hello {
  books {
    title
  }
}

would create an OperationDefinitionNode with node.name.value == 'hello'

The proper way to handle this would be to check for the __schema field, which would create a FieldNode.

The fix is

    if (
      this.config.ignoreIntrospection &&
      'name' in node &&
      node.name?.value === '__schema' &&
      node.kind === Kind.FIELD
    ) {
      return 0;
    }

to assert that the node must be a FieldNode

PoC

query  {
  ...__schema
}

fragment __schema on Query {
  books {
    title
    author
  }
}

query __schema {
  books {
    title
    author
  }
}

Impact

Applications using GraphQL Armor Cost Limit plugin with ignoreIntrospection enabled.

Fix:

Fixed on 772. A quick patch would be to set ignoreIntrospection to false.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cost-Limit Plugin Bypass via Introspection Query Obfuscation

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Impact

Fix:

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits