
Add GraphQL operation control evidence gates #1554

Open: alejandrorivas-pixel wants to merge 1 commit into UnitOneAI:main from alejandrorivas-pixel:improve/api-graphql-operation-gates

Conversation

@alejandrorivas-pixel

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: api-security
Skill path: skills/appsec/api-security/

What Was Wrong

Issue #1553 documents that the skill mentions GraphQL depth, complexity, batching, and aliases, but does not require reviewers to preserve runtime evidence for operation count, alias fan-out, persisted-query enforcement, resolver cost calibration, subscriptions, or federation/subgraph parity.

What This PR Fixes

  • Adds GraphQL operation-control context requirements to the API inventory step.
  • Adds a structured GraphQL Operation Controls output table.
  • Adds evidence gates for operation/batch limits, aliases, depth/complexity, resolver costs, persisted-query/safelist behavior, introspection/playground exposure, subscriptions/live queries, and federation/subgraph parity.
  • Adds GQL-OPS-01 through GQL-OPS-08 findings and false-positive guardrails.
  • Expands the API4 checklist with GraphQL operation-control checks.
  • Adds benign and vulnerable fixtures for persisted controls, alias/batch fan-out, raw-query bypass, and default-cost expensive resolvers.

Evidence

Before:

- GraphQL queries have depth limits, complexity limits, and batch restrictions.

After:

GQL-OPS-01: GraphQL batching or multiple operations per request bypasses rate limits
GQL-OPS-05: Persisted-query/safelist policy can be bypassed with raw query documents

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing markdown structure still validates locally

Validation

  • git diff --check
  • git diff --cached --check
  • Markdown fence-balance check across touched files and fixtures
  • ASCII-only check across touched files and fixtures
  • Marker checks for GQL-OPS-01 through GQL-OPS-08, GraphQL Operation Controls, persisted-query, resolver cost, and federation
  • Added-line prompt-injection/secret-pattern scan
  • Official reference URL checks returned HTTP 200 for OWASP GraphQL Cheat Sheet and OWASP API Security Top 10:2023

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.

Closes #1553
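Added example, not code from the api-security skill or the UnitOneAI project: a stdlib-only request gate that enforces the operation controls the PR lists, namely array-batch size (GQL-OPS-01), alias fan-out, selection depth, and a persisted-query safelist that refuses raw query documents (GQL-OPS-05). The limits, the two safelisted documents and the rate-limit unit accounting are constructed assumptions; the hash location follows Apollo's `extensions.persistedQuery.sha256Hash` convention. The `enforce_safelist=False` path is kept deliberately to show the bypass the fixtures describe.

```python
"""Request gate for GraphQL operation controls: batch size, alias fan-out,
selection depth and persisted-query safelist enforcement (added example)."""
import hashlib
import re

# Assumed limits; real values come from resolver-cost calibration, not this example.
MAX_OPERATIONS_PER_REQUEST = 5
MAX_ALIASES_PER_OPERATION = 10
MAX_DEPTH = 6


def sha256_hex(document: str) -> str:
    return hashlib.sha256(document.encode("utf-8")).hexdigest()


# Constructed safelist of the only documents allowed to run, keyed by the
# SHA-256 a client sends in extensions.persistedQuery.sha256Hash.
ALLOWED_DOCUMENTS = (
    "query Me { me { id name } }",
    "query Orders($first: Int) { me { orders(first: $first) { id total } } }",
)
SAFELIST = {sha256_hex(doc): doc for doc in ALLOWED_DOCUMENTS}

_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_ARG_LIST = re.compile(r"\([^()]*\)")
_ALIAS = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*")


def _strip_strings_and_args(document: str) -> str:
    """Remove string literals and (possibly nested) argument lists so that
    'arg: value' pairs and braces inside input objects are not miscounted."""
    doc = _STRING.sub('""', document)
    while True:
        stripped = _ARG_LIST.sub("", doc)
        if stripped == doc:
            return doc
        doc = stripped


def alias_count(document: str) -> int:
    """Number of 'alias: field' pairs; each alias is another resolver call."""
    return len(_ALIAS.findall(_strip_strings_and_args(document)))


def selection_depth(document: str) -> int:
    """Maximum nesting of selection sets (the operation's own set is level 1)."""
    depth = deepest = 0
    for ch in _strip_strings_and_args(document):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def cost_units(document: str) -> int:
    """Units to charge against the rate limit: one per operation plus one per
    alias, so aliased fan-out is not billed as a single request (GQL-OPS-01)."""
    return 1 + alias_count(document)


def resolve_document(item: dict, enforce_safelist: bool):
    """Return (document, rejection_reason). With enforce_safelist=False a raw
    'query' is executed whenever present, which is the GQL-OPS-05 bypass."""
    raw = item.get("query")
    persisted = (item.get("extensions") or {}).get("persistedQuery") or {}
    sent_hash = persisted.get("sha256Hash")
    if raw is not None and not enforce_safelist:
        return raw, None
    if sent_hash not in SAFELIST:
        return None, "unknown persisted query hash"
    if raw is not None and sha256_hex(raw) != sent_hash:
        return None, "query body does not match its persisted hash"
    return SAFELIST[sent_hash], None


def gate_request(body, enforce_safelist: bool = True):
    """Check one parsed JSON body (a dict, or a list for array batching).
    Returns (allowed, reason, cost_units)."""
    entries = body if isinstance(body, list) else [body]
    if len(entries) > MAX_OPERATIONS_PER_REQUEST:
        return False, f"batch of {len(entries)} exceeds {MAX_OPERATIONS_PER_REQUEST} operations", 0
    total = 0
    for item in entries:
        if not isinstance(item, dict):
            return False, "malformed batch entry", 0
        document, reason = resolve_document(item, enforce_safelist)
        if reason:
            return False, reason, 0
        aliases = alias_count(document)
        if aliases > MAX_ALIASES_PER_OPERATION:
            return False, f"{aliases} aliases exceeds {MAX_ALIASES_PER_OPERATION}", 0
        depth = selection_depth(document)
        if depth > MAX_DEPTH:
            return False, f"depth {depth} exceeds {MAX_DEPTH}", 0
        total += cost_units(document)
    return True, "ok", total
```

The brace and alias counting here is a heuristic tokenizer chosen to keep the example dependency-free; a production gate should run the same checks over a real AST (for example `graphql-core`'s `parse`) so fragments and directives are handled exactly. The point to preserve as evidence is the ordering: the safelist decision happens before any raw document is inspected, and the cost returned by `gate_request` is what the rate limiter should consume, not a per-HTTP-request count.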



Development

Successfully merging this pull request may close these issues.

[REVIEW] api-security: add GraphQL batching, alias, and persisted-query evidence gates
