Input has no cost weight defined
Issue ID: graphql-cost-input-weight-needed
Average severity: Medium
Description
A @cost or equivalent directive has no usable weight argument: the weight argument is missing, is empty, or is not a valid numeric value encoded as a string argument.
Because the sole purpose of a cost directive is to define the weight used in cost analysis, each cost directive must define a weight argument.
For more details, see the IBM cost directive specification, or documentation for the equivalent implementation for your framework.
Possible exploit scenario
If the weight value is absent or malformed, the cost engine typically ignores the annotation or falls back to a default of zero, causing systematic underestimation of execution cost. Attackers could target arguments or input fields that trigger expensive execution paths even though the cost directive is present, because its weight is silently ignored. Cost-based protection mechanisms, such as query cost limits, throttling, or rate limiting, would calculate an underestimated cost and allow repeated heavy queries to pass through, degrading availability.
Remediation
Ensure that every cost directive on an input construct includes a valid, parseable numeric weight encoded as a string ("12.5" instead of 12.5). Validate the directive when loading the schema and reject any schema that contains a cost directive without a parseable weight.
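As an added example (not part of this advisory, the IBM specification, or any framework's own validator), the following load-time check scans SDL text for @cost applications and reports the three defects described above. It assumes the directive is spelled @cost, that weight must be a plain decimal string, and it uses regular expressions on the SDL text rather than a full GraphQL parser; the sample schema is constructed.

```python
import re

# Constructed sample SDL (not taken from any real schema): one valid @cost
# usage followed by four defective ones of the kinds the advisory describes.
SAMPLE_SDL = """input SearchFilter {
  query: String @cost(weight: "3.0")
  deep: Boolean @cost
  limit: Int @cost(weight: "")
  offset: Int @cost(weight: 12.5)
  fuzzy: Boolean @cost(weight: "abc")
}"""

# A @cost application with its optional argument list captured (assumes the
# directive is named @cost; rename for an equivalent directive).
COST_RE = re.compile(r'@cost\b(?:\s*\(([^)]*)\))?')
# The weight argument value: either a quoted string or a bare token.
WEIGHT_RE = re.compile(r'\bweight\s*:\s*("(?:[^"\\]|\\.)*"|[^,\s)]+)')
# Numeric-string form accepted by this check (assumption: decimal with an
# optional fraction; adjust to your framework's definition of "numeric").
NUMERIC_RE = re.compile(r'^-?\d+(\.\d+)?$')


def find_invalid_cost_directives(sdl: str) -> list[tuple[int, str]]:
    """Return (line, reason) for every @cost whose weight is missing, not a
    string, or not parseable as a number."""
    problems = []
    for m in COST_RE.finditer(sdl):
        line = sdl.count("\n", 0, m.start()) + 1
        args = m.group(1) or ""          # "" when the directive has no argument list
        w = WEIGHT_RE.search(args)
        if w is None:
            problems.append((line, "weight argument missing"))
            continue
        raw = w.group(1)
        if not raw.startswith('"'):
            problems.append((line, f"weight {raw} is not a string"))
        elif not NUMERIC_RE.match(raw[1:-1]):   # also catches the empty string ""
            problems.append((line, f"weight {raw} is not a parseable number"))
    return problems


def validate_schema(sdl: str) -> None:
    """Reject the schema at load time instead of letting the cost engine
    silently treat an unparseable weight as zero."""
    problems = find_invalid_cost_directives(sdl)
    if problems:
        detail = "; ".join(f"line {ln}: {why}" for ln, why in problems)
        raise ValueError(f"invalid @cost directives: {detail}")


if __name__ == "__main__":
    for ln, why in find_invalid_cost_directives(SAMPLE_SDL):
        print(f"line {ln}: {why}")
```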