graphql-php.md

graphql-php

Table of Contents

• About
• Security Considerations
• Request Validations
• Notable Vulnerabilities
• Security Disclosure

About

Language: php
Source: https://github.com/webonyx/graphql-php
Documentation: https://webonyx.github.io/graphql-php/

Security Considerations

graphql-php provides the following features which should be taken into consideration:

Field Suggestions	Query Depth Limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default	❌ No Support	✅ Enabled by Default	⚠️ Disabled by Default	⚠️ Disabled by Default

Request Validations

Total Validation Count: 37

GraphQL PHP validates the following checks when a query is sent:

Document Validations	Operation Validations	Field Validations	Argument Validations	Fragment Validations	Value Validations	Directive Validations	Variable Validations	Misc. Validations
Executable Definitions	Lone Anonymous Operation	Fields on Correct Type	Known Argument Names	Fragments On Composite Types	Known Type Names	Known Directives	No Undefined Variables	Query Complexity
Lone Schema Definition	Unique Operation Names	Overlapping Fields Can Be Merged	Known Argument Names On Directives	Known Fragment Names	Possible Type Extensions	Unique Directive Names	No Unused Variables	Query Depth
		Scalar Leafs	Provided Required Arguments	No Fragment Cycles	Unique Enum Value Names	Unique Directives Per Location	Unique Variable Names	Disable Introspection
		Single Field Subscription	Unique Argument Names	No Unused Fragments	Unique Operation Types		Variables Are Input Types
		Unique Input Field Names	Provided Required Arguments On Directives	Possible Fragment Spreads	Unique Type Names		Variables In Allowed Position
				Unique Fragment Names	Values Of Correct Type

Security Disclosure

https://github.com/webonyx/graphql-php/issues