Summary
`fetchTypeDetails()` in `apps/graphql/src/tools/graphql.tools.ts` constructs a GraphQL query by interpolating the `typeName` parameter directly into the query string:

```ts
const typeDetailsQuery = `
  query TypeDetails {
    __type(name: "${typeName}") {
      // ...
```

A crafted type name containing `")` can break out of the string argument and inject arbitrary GraphQL syntax.
Attack Example
```ts
typeName = '") { name } } # injected'
```
This produces:
```graphql
query TypeDetails {
  __type(name: "") { name } } # injected") {
  ...
```

The attacker's payload executes as valid GraphQL, while the original query after the `#` becomes a comment.
Impact
- Schema introspection bypass (dump types not intended for the tool)
- Potential to craft queries that extract data from fields the tool wasn't designed to expose
- While limited to Cloudflare's read-only GraphQL API, it circumvents the tool's intended scope
Suggested Fix
Use a GraphQL variable instead of string interpolation:
```graphql
query TypeDetails($typeName: String!) {
  __type(name: $typeName) {
```

The codebase already has `executeGraphQLQuery()`, which supports variables; this pattern should be applied consistently.
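The following is an added example of the suggested fix, written for this page and not taken from the project's code. It builds the `TypeDetails` request with a GraphQL variable so the type name is sent as data rather than spliced into the query text, and it additionally rejects anything that is not a syntactically valid GraphQL name (per the spec's `Name` grammar) before the request is even built. The request shape `{ query, variables }`, the field selection inside `__type`, and the `buildTypeDetailsRequestUnsafe` helper (kept only to contrast the two) are assumptions for the example; the real `executeGraphQLQuery()` signature is not shown on the page and is not called here.

```typescript
// Added example, not the project's own code: variable-based TypeDetails request.

// GraphQL spec "Name" grammar: /^[_A-Za-z][_0-9A-Za-z]*$/
const GRAPHQL_NAME = /^[_A-Za-z][_0-9A-Za-z]*$/;

// Assumed request shape; the project's executeGraphQLQuery() may differ.
export interface GraphQLRequest {
  query: string;
  variables: Record<string, unknown>;
}

/** True only for syntactically valid GraphQL type names (no quotes, braces, spaces, or '#'). */
export function isValidGraphQLName(name: string): boolean {
  return GRAPHQL_NAME.test(name);
}

/**
 * Safe builder: the query text is a constant and the type name travels in
 * `variables`, where the server parses it as a string value, never as syntax.
 * Malformed names are rejected up front instead of being sent to the API.
 */
export function buildTypeDetailsRequest(typeName: string): GraphQLRequest {
  if (!isValidGraphQLName(typeName)) {
    throw new Error(`invalid GraphQL type name: ${JSON.stringify(typeName)}`);
  }
  const query = `
query TypeDetails($typeName: String!) {
  __type(name: $typeName) {
    name
    kind
    description
    fields {
      name
      description
      type { name kind ofType { name kind } }
    }
  }
}`;
  return { query, variables: { typeName } };
}

/**
 * Hypothetical vulnerable builder in the style the issue describes, kept only
 * so the two can be compared: here the caller's input becomes query text.
 */
export function buildTypeDetailsRequestUnsafe(typeName: string): GraphQLRequest {
  const query = `
query TypeDetails {
  __type(name: "${typeName}") { name kind }
}`;
  return { query, variables: {} };
}
```

With the safe builder, the payload from the issue never reaches the API: it fails the name check, and even a name that passed could only ever be a string value because the query text contains no interpolation. The name check is a second layer, not a substitute for the variable; the variable alone already closes the injection.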