String scalar in input has no minimum length defined
Issue ID: graphql-data-input-string-scalar-min-needed
Description
A string scalar used in an input position has no minimum length specified. While GraphQL ensures the value is a string, it does not enforce whether empty or very short values are acceptable.
For more details, see the GraphQL constraints specification.
Possible exploit scenario
Without an explicit minLength or equivalent constraint, clients may submit:
- Empty strings ("")
- Values consisting only of whitespace
- Trivially short values
For certain fields, such as usernames, passwords, search terms, or identifiers, this may lead to:
- Business logic inconsistencies
- Unexpected application behavior
- Validation gaps between different services
- Increased need for resolver-level checks
Unlike missing maximum length constraints, missing minimum length constraints are typically less likely to cause direct security issues. However, defining a minimum length improves data consistency and reduces edge-case ambiguity.
Remediation
Define minLength or equivalent constraints for string scalars where business logic requires non-empty or meaningful values. We recommend that you:
- Use minLength: 1 to prevent empty strings when appropriate
- Apply stronger minimum constraints for:
  - Passwords
  - Usernames
  - Identifiers
- Align minimum length requirements with business rules
Explicit minimum constraints improve data quality and reduce ambiguity in API contracts.
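As an added illustration (not code from the original page), the schema-level constraint the remediation describes next to a resolver-side check that mirrors it. The @constraint(minLength: N) syntax follows the graphql-constraint-directive convention; the input type, field names and limits are assumed for the example, and the SDL extractor is a deliberately minimal regex, not a real parser.

```javascript
// Schema fragment with minimum-length constraints declared on string inputs
// (assumed type, fields and limits; directive syntax per graphql-constraint-directive).
const SDL = `
  input RegisterInput {
    username: String! @constraint(minLength: 3)
    password: String! @constraint(minLength: 12)
    bio: String       @constraint(minLength: 1)
  }
`;

// Minimal extractor: reads "field: String @constraint(minLength: N)" lines
// into { field: N }. Illustration only; use a real SDL parser in production.
function constraintsFromSdl(sdl) {
  const re = /^\s*(\w+):\s*String!?\s*@constraint\(minLength:\s*(\d+)\)/gm;
  const out = {};
  for (const m of sdl.matchAll(re)) {
    out[m[1]] = Number(m[2]);
  }
  return out;
}

// Resolver-side check that enforces the same minimums. Values are measured
// after trimming, so a whitespace-only string fails minLength: 1 even though
// the String scalar type alone would accept it. Returns a list of errors.
function validateInput(input, minLengths) {
  const errors = [];
  for (const [field, min] of Object.entries(minLengths)) {
    const value = input[field];
    if (value === undefined || value === null) continue; // nullability is the schema's job
    if (typeof value !== 'string') {
      errors.push(`${field}: expected a string`);
      continue;
    }
    if (value.trim().length < min) {
      errors.push(`${field}: must contain at least ${min} non-whitespace characters`);
    }
  }
  return errors;
}

// Constructed sample inputs.
const rules = constraintsFromSdl(SDL);
const rejected = { username: '  ', password: 'short', bio: '' };
const accepted = { username: 'alice', password: 'correct horse battery', bio: 'hi' };
console.log(validateInput(rejected, rules)); // three errors (username, password, bio)
console.log(validateInput(accepted, rules)); // []
```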