Outdated ApolloServer option 'schemaDirectives'
Description
Apollo Server is constructed with the 'schemaDirectives' option. Apollo Server v2 used it to apply custom schema directives, but Apollo Server 3 and later accept the option without error and ignore it: the server starts normally and the directive implementations never run. Depending on what the directives enforced, this can leave endpoints that appear authenticated unprotected, disable rate limiting, and more.
Examples
Insecure Code
```js
// Accepted without error on Apollo Server 3 and later, but the directives are never applied
new ApolloServer({ schemaDirectives: {...} })
```
Secure Code
Create custom directives as described in the Apollo GraphQL documentation: https://www.apollographql.com/docs/apollo-server/schema/directives/#custom-directives
Remediation
Reimplement the directives for Apollo Server v3 and v4 as schema transforms (mapSchema and getDirective from @graphql-tools/utils) as described in the Apollo GraphQL documentation, and remove the 'schemaDirectives' option from the ApolloServer constructor.
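As an added example (not part of this rule page or of Apollo Server's own code), the following JavaScript implements the check this rule describes: it finds `new ApolloServer({ ... })` calls whose options object carries `schemaDirectives` at the top level, and reads the Apollo Server major version from `package.json` to decide whether the option is still honoured (v2) or silently ignored (v3 and later). The function names, the package list, and the sample source and package.json are constructed for the illustration; the scanner is text-based and does not account for braces inside strings or comments.

```javascript
// Added example for rule CODE-0651; not the rule's own implementation.
// Finds `new ApolloServer({ ... })` calls that pass `schemaDirectives` and
// reports whether the Apollo Server major version makes the option a no-op.

// Packages that carry the Apollo Server major version in their range;
// "@apollo/server" is the v4 package name (assumed list for the example).
const APOLLO_PACKAGES = [
  'apollo-server',
  'apollo-server-express',
  'apollo-server-core',
  '@apollo/server',
];

// Returns the major version of the first Apollo Server package found in
// dependencies or devDependencies, or null when none is declared.
// Takes the first number of the range ("^3.13.0" -> 3); complex ranges
// such as ">=2 <4" resolve to their first number.
function apolloMajorVersion(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of APOLLO_PACKAGES) {
    const range = deps[name];
    if (!range) continue;
    const m = /(\d+)/.exec(range);
    if (m) return Number(m[1]);
  }
  return null;
}

// Extracts the text of the options object of every `new ApolloServer({` call,
// with the 1-based line the call starts on. A brace-depth scan is used because
// the options object contains nested braces (the schemaDirectives map itself),
// which a non-greedy regex would cut short.
function apolloServerOptions(source) {
  const calls = [];
  const re = /new\s+ApolloServer\s*\(\s*\{/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const start = m.index + m[0].length - 1; // index of the opening brace
    let depth = 0;
    let i = start;
    for (; i < source.length; i++) {
      const ch = source[i];
      if (ch === '{') depth++;
      else if (ch === '}' && --depth === 0) break;
    }
    const line = source.slice(0, m.index).split('\n').length;
    calls.push({ line, options: source.slice(start, i + 1) });
  }
  return calls;
}

// Keeps only the characters at depth 1 of an object literal, dropping nested
// objects, so that keys of nested literals (e.g. inside plugins) are not counted.
function topLevelText(options) {
  let depth = 0;
  let out = '';
  for (const ch of options) {
    if (ch === '{') { depth++; continue; }
    if (ch === '}') { depth--; continue; }
    if (depth === 1) out += ch;
  }
  return out;
}

// True when schemaDirectives is a top-level key of the options object,
// written either as `schemaDirectives: {...}` or as the shorthand `{ schemaDirectives }`.
function usesSchemaDirectives(options) {
  return /(^|[\s,])schemaDirectives\s*(:|,|$)/.test(topLevelText(options).trim());
}

// Combines both checks into findings for a source file and its package.json.
function assess(source, pkg) {
  const major = apolloMajorVersion(pkg);
  return apolloServerOptions(source)
    .filter((c) => usesSchemaDirectives(c.options))
    .map((c) => ({
      line: c.line,
      apolloMajor: major,
      ignored: major !== null && major >= 3,
      message: major === null
        ? 'schemaDirectives found; Apollo Server version unknown, verify it is below 3'
        : major >= 3
          ? `schemaDirectives is silently ignored by Apollo Server v${major}; migrate to mapSchema-based directives`
          : `schemaDirectives is honoured by Apollo Server v${major}; migrate before upgrading`,
    }));
}

// Constructed sample input: a v2-style server file running on an Apollo Server 3 dependency.
const SAMPLE_SOURCE = `
const { ApolloServer } = require('apollo-server');
const server = new ApolloServer({
  typeDefs,
  resolvers,
  schemaDirectives: { auth: AuthDirective },
  context: ({ req }) => ({ user: req.user }),
});
`;
const SAMPLE_PACKAGE_JSON = { dependencies: { 'apollo-server': '^3.13.0', graphql: '^16.8.0' } };

console.log(JSON.stringify(assess(SAMPLE_SOURCE, SAMPLE_PACKAGE_JSON), null, 2));
```

Run against a real project by reading the server file and `package.json` from disk and passing them to `assess`; a finding with `ignored: true` means the directive logic named in the options object is not being applied at all.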
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0651 |
| Category | Web |
| Severity | HIGH |
| CWE | CWE-686 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | apollo-server, graphql, deprecated-option |
| OWASP | N/A |