@uvzz
Last active June 14, 2024 09:39
CVE-2023-49559 - gqlparser < 2.5.13 directive overload denial of service
**********************************************************************
Credit: Yuval Moravchick, Security Researcher @ Cato Networks
***********************************************************************
The gqlparser library used by the Gqlgen GraphQL server was found vulnerable to a directive overload that can cause system resource exhaustion.
Since there is no limit on the number of directives that can appear in the GraphQL query carried in an HTTP request,
adding a large number of non-existent directives significantly increases both the processing time of the query and the response size, so sending several such requests at the same time can cause a DoS condition on the server.
The issue is in the parseDirectives function at:
https://github.com/vektah/gqlparser/blob/master/parser/query.go#L316
Let's say that you have a valid GraphQL query:
query {
  user {
    name
  }
}
modify it so it will have many non-existing directives, e.g.:
query {
  user @aa @aa @aa ... {
    name
  }
}
Replace "..." with as many @aa as you need. The more you add, the larger the response size and the longer the processing time.
A temporary fix in version 2.5.13 of gqlparser is to limit the number of tokens in a request to 15,000:
https://github.com/vektah/gqlparser/releases/tag/v2.5.13
The limit is configurable by the user in v2.5.15 and above.
The fix was merged in Gqlgen v0.17.49.
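A defender-side guard in the spirit of the token cap described above, written as an added example (it is not code from gqlparser, Gqlgen or this advisory): a small lexer counts tokens and directive markers and rejects the query once the count passes a configurable limit, before any parsing happens. The lexer is an approximation of GraphQL's, and the two sample queries are constructed.

```go
package main

import (
	"errors"
	"strings"
)

// ErrTooManyTokens mirrors the upstream mitigation: the request is refused before the parser sees it.
var ErrTooManyTokens = errors.New("graphql query exceeds token limit")
func isWordChar(c byte) bool { // bytes of a name, number or "..." spread
	return c == '_' || c == '.' || (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// countTokens lexes only far enough to count tokens and '@' markers, bailing out once tokens exceeds limit (O(limit) cost).
func countTokens(query string, limit int) (tokens, directives int, err error) {
	for i, n := 0, len(query); i < n; {
		c := query[i]
		i++ // every branch below has consumed at least this byte
		switch {
		case c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == ',':
			continue // insignificant, not a token
		case c == '#': // comment runs to end of line
			for i < n && query[i] != '\n' {
				i++
			}
			continue
		case c == '"': // string literal; a backslash escapes the next byte
			for ; i < n && query[i] != '"'; i++ {
				if query[i] == '\\' {
					i++
				}
			}
			i++ // closing quote
		case c == '@':
			directives++
		case isWordChar(c):
			for i < n && isWordChar(query[i]) {
				i++
			}
		} // anything else is a single-byte punctuator such as { } ( ) : ! $
		if tokens++; tokens > limit {
			return tokens, directives, ErrTooManyTokens
		}
	}
	return tokens, directives, nil
}

// Constructed sample inputs (not captured traffic); the second repeats the advisory's "@aa" pattern 200 times.
var benignQuery = "query { user { name } }"
var overloadedQuery = "query { user " + strings.Repeat("@aa ", 200) + "{ name } }"
```

Counting directive markers alongside tokens lets a server log or alert on this advisory's pattern even when a request stays under the cap.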