Details
Alert ID 50007-3
Alert Type Tool
Status alpha
Risk Informational
CWE 16
WASC 15
Technologies Targeted All
Tags CWE-16
OWASP_2021_A04
OWASP_2023_API4
WSTG-V42-APIT-01
More Info Scan Rule Help

Summary

A circular reference was detected in the GraphQL schema: a chain of object types whose fields reference each other in a cycle, so a query can traverse the same types again and again without the schema ever forcing it to stop. An attacker can exploit this by crafting deeply nested queries that follow the cycle many times; each additional level multiplies resolver work and response size, potentially leading to Denial of Service (DoS) conditions.

Solution

Consider restructuring the schema to avoid circular references. Where a back-reference is needed, expose an identifier (ID or foreign key) rather than the full object, so a client must issue a separate query to follow it. Enforce a query depth limit (ideally combined with a query cost or complexity limit) and paginate list fields, so that deeply nested queries cannot be expanded without bound. Note that a depth limit alone does not prevent wide queries; pagination and cost limits cover that case.
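The following is an added example, not code from ZAP or its graphql add-on. It reproduces the cycle reported in Other Info on a constructed schema (type and field names are assumptions), finds the cycle by depth-first search the way a scan rule might, builds the kind of recursive query the cycle permits, and applies the depth limit recommended above to reject it before any resolver runs.

```python
"""Added example, not part of ZAP or the graphql add-on: find a type cycle in a
GraphQL schema, build the recursive query such a cycle permits, and reject
queries over a depth limit. Schema and names are constructed for illustration."""
from typing import Dict, List, Optional

# Constructed schema: object type -> {field name: referenced object type}.
# Scalar fields are omitted because they cannot continue a cycle.
SCHEMA: Dict[str, Dict[str, str]] = {
    "Query": {"organization": "Organization"},
    "Organization": {"repositories": "Repository"},
    "Repository": {"pullRequests": "PullRequest"},
    "PullRequest": {"commits": "Commit"},
    "Commit": {"organization": "Organization"},
}


def find_cycle(schema: Dict[str, Dict[str, str]], root: str = "Query") -> Optional[List[str]]:
    """DFS from the root type. Returns the path from root to the first repeated
    type, ending with that type's second occurrence, or None if acyclic."""
    on_path: List[str] = []
    finished = set()  # types fully explored without closing a cycle

    def visit(t: str) -> Optional[List[str]]:
        if t in on_path:
            return on_path + [t]
        if t in finished or t not in schema:
            return None
        on_path.append(t)
        for target in schema[t].values():
            found = visit(target)
            if found:
                return found
        on_path.pop()
        finished.add(t)
        return None

    return visit(root)


def format_cycle(path: List[str]) -> str:
    """Render the path the way the alert's Other Info line does."""
    start = path.index(path[-1])
    prefix = " -> ".join(path[:start])
    loop = " -> ".join(path[start:])
    return f"{prefix} -> ({loop})" if prefix else f"({loop})"


def field_chain(schema: Dict[str, Dict[str, str]], path: List[str]) -> List[str]:
    """Field names that step from each type in the path to the next."""
    return [next(f for f, t in schema[src].items() if t == dst)
            for src, dst in zip(path, path[1:])]


def recursive_query(schema: Dict[str, Dict[str, str]], path: List[str], rounds: int) -> str:
    """Nest the cycle's fields `rounds` times: the query an attacker would send."""
    start = path.index(path[-1])
    fields = field_chain(schema, path)
    names = fields[:start] + fields[start:] * rounds
    body = "id"
    for name in reversed(names):
        body = f"{name} {{ {body} }}"
    return f"query {{ {body} }}"


def query_depth(query: str) -> int:
    """Maximum nesting of selection sets; the root selection set is depth 1.
    Quoted strings and # comments are skipped so braces inside them do not
    count (block strings are not handled; an assumption of this example)."""
    depth = deepest = 0
    in_string = in_comment = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_comment:
            in_comment = ch != "\n"
        elif in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == "#":
            in_comment = True
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return deepest


def allowed(query: str, max_depth: int) -> bool:
    """Server-side gate applied before any resolver executes."""
    return query_depth(query) <= max_depth


if __name__ == "__main__":
    path = find_cycle(SCHEMA)
    print(format_cycle(path))
    for rounds in (1, 25):
        q = recursive_query(SCHEMA, path, rounds)
        print(rounds, query_depth(q), allowed(q, 8))
```

A depth gate of this kind is cheap because it works on the raw query text; a real server would normally compute depth on the parsed document instead, and pair it with a cost limit so that a shallow but very wide query is also rejected.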

Other Info

Query -> (Organization -> Repository -> PullRequest -> Commit -> Organization)

References

Code

org/zaproxy/addon/graphql/ExtensionGraphQl.java