Insecure Use of GraphQL Upload
Description
The Apollo GraphQL server is using the graphql-upload library, which accepts file uploads via POST requests with content-type: multipart/form-data. A browser will send a multipart/form-data request cross-origin from a plain HTML form without a CORS preflight, so an attacker's page can submit GraphQL operations on behalf of a logged-in user. This enables CSRF attacks if CSRF protection is not enabled.
Examples
Insecure Code

```js
app.use(graphqlUploadExpress());
```

Secure Code

```js
app.use(csrfProtection());
app.use(graphqlUploadExpress());
```

Remediation
Enable CSRF protection when using the graphql-upload library.
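As an added example (not code from this rule page, nor from Apollo or graphql-upload), here is one way to implement the csrfProtection() middleware shown above: it rejects requests whose content type a browser can send cross-origin without a CORS preflight unless they also carry a custom header, which is the approach Apollo Server's own csrfPrevention option takes. The header names and the 400 response text are assumptions.

```javascript
// Added example: a CSRF check to mount before graphqlUploadExpress().
// Browsers send multipart/form-data, application/x-www-form-urlencoded and
// text/plain cross-origin without a CORS preflight, so a GraphQL endpoint must
// refuse such requests unless they carry a custom header, which only
// same-origin (or CORS-allowed) JavaScript can add.

const SIMPLE_CONTENT_TYPES = new Set([
  'multipart/form-data',
  'application/x-www-form-urlencoded',
  'text/plain',
]);

// Custom headers whose presence forces a preflight. Names are assumed here;
// they mirror the ones Apollo Server's csrfPrevention accepts.
const PREFLIGHT_HEADERS = ['x-apollo-operation-name', 'apollo-require-preflight'];

// Returns true when the request cannot have come from a plain HTML form or a
// no-cors fetch. `headers` is a lowercase-keyed object (as Node provides).
function isCsrfSafeRequest(headers) {
  const raw = headers['content-type'] || '';
  // Drop parameters such as "; boundary=..." or "; charset=utf-8".
  const mediaType = raw.split(';')[0].trim().toLowerCase();
  if (mediaType && !SIMPLE_CONTENT_TYPES.has(mediaType)) {
    return true; // e.g. application/json already requires a preflight
  }
  return PREFLIGHT_HEADERS.some((h) => h in headers);
}

// Express-style middleware factory; mount it before graphqlUploadExpress().
function csrfProtection() {
  return function (req, res, next) {
    if (isCsrfSafeRequest(req.headers)) return next();
    res.status(400).send('This operation requires a preflight request.');
  };
}
```

Clients that upload files then need to send one of the listed headers alongside the multipart body; a plain cross-site form cannot do so.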
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0808 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-352 |
| Confidence | LOW |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | csrf, graphql-upload |
| OWASP | N/A |