graphql-go.md

graphql-go

Table of Contents

• About
• Security Considerations
• Request-Validations
• Notable Vulnerabilities
• Security Disclosure

About

Language: go
Source: https://github.com/graphql-go/graphql
Documentation: https://pkg.go.dev/github.com/graphql-go/graphql

Security Considerations

graphql-go provides the following features which should be taken into consideration:

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	❌ No Support	❌ No Support	❌ No Support	✅ Enabled by Default	⚠️ Disabled by Default	❌ No Support

Request Validations

Total Validation Count: 24

GraphQL Ruby validates the following checks when a query is sent:

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
	Lone Anonymous Operation	Fields on Correct Type	Arguments of Correct Type	Fragments on Composite Types	Default Value of Correct Type	Known Directives	No Undefined Variables
	Unique Operation Names	Overlapping Fields Can Be Merged	Known Argument Names	Known Fragment Names	Known Type Names		No Unused Variables
		Scalar Leafs	Provided Non Null Arguments	No Unused Fragments			Unique Variable Names
		Unique Input Field Names	Unique Argument Name	Possible Fragment Spreads			Variables Are Input Types
				Unique Fragment Names			Variables In Allowed position
				No Fragment Cycles

Security Disclosure

Report the issue to @pavelnikolov and/or @tony in the Gophers Slack in a private message.