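/**
 * Copyright (c) 2025 Ofri Peretz
 * Licensed under the MIT License. Use of this source code is governed by the
 * MIT license that can be found in the LICENSE file.
 */
/**
 * ESLint Rule: no-graphql-injection
 * Detects GraphQL injection vulnerabilities and query-based DoS.
 * Tagged here as CWE-89 and CWE-400. NOTE(review): CWE-89 is the SQL-specific
 * injection entry; CWE-943 ("Improper Neutralization of Special Elements in
 * Data Query Logic") is the more specific class for GraphQL/NoSQL query
 * injection -- confirm against the rule's published metadata before changing
 * either reference.
 *
 * GraphQL injection occurs when user input is improperly inserted into GraphQL
 * queries, allowing attackers to:
 * - Read/modify unauthorized data
 * - Perform DoS attacks with complex (deeply nested) queries
 * - Extract schema information via introspection
 *
 * False-positive reduction:
 * The rule suppresses reports when it recognises:
 * - Trusted GraphQL libraries (apollo-server, graphql-tools)
 * - Query builders and sanitizers
 * - JSDoc annotations (@safe, @validated)
 * - Input validation functions
 *
 * Security caveat: each of those is a *suppression* mechanism and none of
 * them is verified by the rule. A `@safe` annotation, an entry in
 * `trustedGraphqlLibraries` / `validationFunctions` /
 * `safeTemplateLiteralCallers`, or a validator that does not actually
 * neutralise query syntax silently turns a true positive into a blind spot.
 * Treat changes to these options and to `@safe` / `@validated` comments as
 * security-relevant during code review.
 *
 * This is a static, lint-time check only. It does not replace server-side
 * controls (parameterised GraphQL variables, depth/complexity limits,
 * introspection disabled in production); use it as a first line of defence.
 */
// Both symbols are used only in type positions, so a single type-only import
// is sufficient and is guaranteed to be erased from any emitted JavaScript.
import type { SecurityRuleOptions, TSESLint } from '@interlace/eslint-devkit';

/**
 * Message ids this rule can emit.
 *
 * The first five name findings (an unsafe construct was detected). The
 * `use*` / `disable*` / `limit*` / `strategy*` ids read like remediation or
 * suggestion messages rather than findings -- NOTE(review): that grouping is
 * inferred from the names; confirm in the rule implementation.
 */
type MessageIds =
  | 'graphqlInjection'
  | 'introspectionQuery'
  | 'complexQueryDos'
  | 'unsafeVariableInterpolation'
  | 'missingInputValidation'
  | 'useQueryBuilder'
  | 'disableIntrospection'
  | 'limitQueryDepth'
  | 'strategyQueryBuilder'
  | 'strategyInputValidation'
  | 'strategyIntrospection';

/**
 * Configuration accepted by `no-graphql-injection`, on top of the shared
 * security-rule options from the devkit.
 *
 * Every option below either tightens or loosens what the rule reports; the
 * allowlist-style options loosen it, so widen them deliberately and keep the
 * lists as short as possible.
 */
export interface Options extends SecurityRuleOptions {
  /**
   * Allow introspection queries. Default: false (security-first).
   *
   * Enabling this only stops the linter from reporting introspection queries
   * found in source; it does not disable introspection on the server. Keep
   * production servers configured to reject introspection regardless.
   */
  allowIntrospection?: boolean;

  /**
   * Maximum allowed query depth. Default: 10.
   *
   * This is a static bound on query text the linter can see. Queries assembled
   * at runtime cannot be measured here, so the server must still enforce its
   * own depth / complexity limit to prevent resource-exhaustion attacks.
   */
  maxQueryDepth?: number;

  /**
   * GraphQL libraries to consider safe.
   *
   * Calls into a listed library are not reported. Only list libraries whose
   * query APIs pass user input as GraphQL variables (parameterised) rather
   * than by string concatenation -- an entry here silences injection reports
   * for all of that library's call sites.
   */
  trustedGraphqlLibraries?: string[];

  /**
   * Functions that validate GraphQL input.
   *
   * Input that has passed through one of these functions is treated as
   * validated. Presumably the rule matches these by name only (this
   * declaration file cannot show the matching logic), so the named function
   * must genuinely reject or neutralise GraphQL syntax; a permissive
   * "validator" listed here hides real findings.
   */
  validationFunctions?: string[];

  /**
   * Callers where template literals should never be treated as GraphQL.
   * Format: 'object.method' for member calls (e.g. 'console.log'),
   * or 'ClassName' for constructors (e.g. 'URL', 'Error').
   * These are merged with built-in safe callers.
   *
   * Each entry is an allowlist exemption. Restrict it to callers that never
   * forward the string to a GraphQL client; an over-broad entry (e.g. a
   * generic logger that also ships the query) creates a blind spot.
   */
  safeTemplateLiteralCallers?: string[];
}

/**
 * Options tuple as ESLint passes it to the rule. The single settings object
 * is optional, so the rule runs with its (security-first) defaults when the
 * user supplies none.
 */
type RuleOptions = [Options?];

/**
 * The rule module together with its registered `name`.
 *
 * NOTE(review): `TSESLint.RuleModule` is used without `<MessageIds,
 * RuleOptions>` type arguments, so the local `MessageIds` and `RuleOptions`
 * types above are not tied to this exported value. Whether the devkit's
 * `RuleModule` alias defaults those parameters cannot be determined from this
 * file; if it accepts them, passing them would let the compiler check the
 * reported message ids against `MessageIds`.
 */
export declare const noGraphqlInjection: TSESLint.RuleModule & {
  name: string;
};

// Keeps this file a module (no accidental global augmentation) even if the
// exports above are ever stripped.
export {};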