String scalar in input has no maximum length defined

Issue ID: graphql-data-input-string-scalar-maxlength-needed

Average severity: High

Description

A string scalar used in an input position has no maximum length specified. While GraphQL ensures that a value is a string, it does not impose any size limit.

For more details, see the GraphQL constraints specification.

Possible exploit scenario

Without an explicit maxLength or equivalent constraint, clients may submit arbitrarily large strings. Attackers could attempt to submit excessively large payloads that:

  • Consume excessive memory when parsing or validating
  • Trigger expensive downstream processing
  • Overload database fields, causing errors
  • Cause log amplification
  • Increase response time and degrade availability
  • Amplify injection attempts by embedding very large malicious payloads

Even if the backend eventually rejects the input, repeated large payload submissions can contribute to denial-of-service conditions. In addition, long strings increase the likelihood and impact of injection attacks, especially when combined with weak validation logic. The API might also become unstable or slow under sustained attack.

Remediation

Set both minLength and maxLength (or equivalent constraints) on every input string scalar so that only strings within the range your application actually needs are accepted. We recommend that you:

  • Always define maxLength for input strings
  • Keep limits aligned with backend storage and business rules
  • Avoid relying solely on resolver-level validation

Explicit maximum length constraints significantly reduce abuse potential and improve API robustness.
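As an added example (not code from this page or from any library), the snippet below reads `@constraint(minLength, maxLength)` declarations from an input type's SDL, lists the fields that still lack a maxLength (the condition this finding reports), and enforces the declared bounds on incoming variables before any resolver runs. The directive name and argument names follow the graphql-constraint-directive convention; the parser, the `CreatePostInput` type and the validator are assumptions of this example.

```javascript
// Added example: schema-level length bounds for GraphQL input strings, checked
// before any resolver runs. The @constraint(minLength/maxLength) syntax follows
// the graphql-constraint-directive convention; parser and validator are this
// example's own (hypothetical) construction, not that library's API.

// Constructed SDL: two bounded fields and one unbounded one (the finding).
const HARDENED_SDL = `
input CreatePostInput {
  title: String! @constraint(minLength: 1, maxLength: 120)
  body:  String! @constraint(minLength: 1, maxLength: 20000)
  tag:   String
}`;

// Build { fieldName: { minLength, maxLength } | null } from one input type.
// A field with no @constraint maps to null so the caller can flag it.
function parseConstraints(sdl) {
  const table = {};
  const fieldRe = /^\s*(\w+):\s*String!?\s*(?:@constraint\(([^)]*)\))?/gm;
  for (const [, name, args] of sdl.matchAll(fieldRe)) {
    if (!args) { table[name] = null; continue; }
    const c = {};
    for (const [, k, v] of args.matchAll(/(\w+):\s*(\d+)/g)) c[k] = Number(v);
    table[name] = c;
  }
  return table;
}

// Fields declared without a maxLength: exactly what this finding reports.
function unboundedFields(table) {
  return Object.entries(table)
    .filter(([, c]) => !c || c.maxLength === undefined)
    .map(([name]) => name);
}

// Validate one variables object against the table. Length is counted in
// Unicode code points, so a 4-byte emoji counts as 1 character; a separate
// byte cap is applied because storage columns are usually sized in bytes.
function validateInput(table, input, maxBytes = 80000) {
  const errors = [];
  for (const [name, value] of Object.entries(input)) {
    const c = table[name];
    if (typeof value !== 'string' || !c) continue;
    const len = Array.from(value).length;
    if (c.minLength !== undefined && len < c.minLength) errors.push(`${name}: below minLength ${c.minLength}`);
    if (c.maxLength !== undefined && len > c.maxLength) errors.push(`${name}: above maxLength ${c.maxLength}`);
    if (Buffer.byteLength(value, 'utf8') > maxBytes) errors.push(`${name}: exceeds ${maxBytes} bytes`);
  }
  return errors;
}
```

Run `unboundedFields(parseConstraints(sdl))` as a schema check in CI, and `validateInput` on the parsed variables of each request before dispatching to resolvers.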