List in input has no minimum number of items defined
Issue ID: graphql-data-input-list-min-items-needed
Description
A list used in an input position does not specify the minimum number of items it must have. GraphQL allows empty arrays unless explicitly constrained.
For more details, see the GraphQL constraints specification.
Possible exploit scenario
Without a minItems or equivalent constraint, clients may submit empty lists even when business logic expects at least one element. If no minimum constraint is defined, the API may accept:
- Empty batch operations
- no-op mutations
- Ambiguous requests
- Input that is logically not valid
While this does not typically introduce a direct security vulnerability, it may lead to:
- Inconsistent behavior across services
- Increased need for resolver-level validation
- Unexpected execution paths
- Reduced clarity in API contracts
Remediation
Define explicit minimum size constraints for input list types where business logic requires at least one element. We recommend that you:
- Use minItems: 1 or equivalent constraint when empty lists are not meaningful
- Combine minItems and maxItems for stronger contract definition
- Align list constraints with documented business behavior
- Avoid relying solely on resolver-level validation
Defining a minimum number of items improves schema precision, data consistency and contract clarity, and it ensures business rules are clearly expressed at the API boundary.
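One way to check a schema for this issue, as an added example (not part of the original page or of the audit tool that reports it): a small Python scan over SDL that lists list-typed input fields and arguments with no minItems. The sample schema is constructed, and the @constraint(minItems: ..., maxItems: ...) directive syntax is an assumed form of the "equivalent constraint" mentioned above; the regex scan covers flat SDL only, not every corner of the grammar.

```python
import re

# Constructed sample schema; the @constraint(minItems/maxItems) form is an assumption.
SAMPLE_SDL = '''
directive @constraint(minItems: Int, maxItems: Int) on INPUT_FIELD_DEFINITION | ARGUMENT_DEFINITION
input BatchDeleteInput {
  ids: [ID!]!                                  # unconstrained: [] is accepted
  tags: [String!] @constraint(maxItems: 20)    # upper bound only
  reasons: [String!]! @constraint(minItems: 1, maxItems: 5)
}
type Order {
  items: [String!]!                            # output position, not checked
}
type Mutation {
  deleteOrders(input: BatchDeleteInput!): Int
  archive(orderIds: [ID!]!, notify: [String!] @constraint(minItems: 1)): Int
}
'''

BLOCK = re.compile(r'\b(input|type|interface)\s+(\w+)[^{]*\{([^}]*)\}')
# name: [ListType], optionally followed by a list default value and directives
LIST_DECL = re.compile(
    r'(\w+)\s*:\s*(\[+\s*\w+[\]!\s]*)'
    r'((?:\s*=\s*\[[^\]]*\])?(?:\s*@\w+(?:\([^)]*\))?)*)')
MIN_ITEMS = re.compile(r'@constraint\([^)]*\bminItems\s*:\s*\d+')

def find_lists_without_min_items(sdl):
    """Return input-position list fields/arguments that declare no minItems."""
    sdl = re.sub(r'#[^\n]*', '', sdl)  # drop comments before matching
    findings = []
    for kind, owner, body in BLOCK.findall(sdl):
        for m in LIST_DECL.finditer(body):
            prefix = body[:m.start()]
            in_args = prefix.count('(') > prefix.count(')')  # inside field arguments
            if kind != 'input' and not in_args:
                continue  # plain output field, not an input position
            if MIN_ITEMS.search(m.group(3)):
                continue  # minimum size is declared in the schema
            if in_args:
                field = re.findall(r'(?<!@)\b(\w+)\s*\(', prefix)[-1]
                findings.append(f'{owner}.{field}({m.group(1)})')
            else:
                findings.append(f'{owner}.{m.group(1)}')
    return findings

if __name__ == '__main__':
    for finding in find_lists_without_min_items(SAMPLE_SDL):
        print('no minItems:', finding)
```

A directive declared in SDL constrains nothing by itself; the server still needs a validation layer that enforces it, so this scan only confirms the contract is stated.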