String scalar in input has no pattern defined

Issue ID: graphql-data-input-string-scalar-pattern-needed

Average severity: Critical

Description

A string scalar used in an input position has no pattern constraint defined. While GraphQL ensures that the value is a string, it does not enforce any structural or semantic constraints to it.

For more details, see the GraphQL constraints specification.

Possible exploit scenario

Without a pattern or equivalent structural validation rule, the API accepts any sequence of characters within the allowed length.

String inputs frequently represent structured data, such as email addresses, usernames, or URLs. Without a pattern constraint, these fields may accept:

Unexpected characters
Control characters
Encoded payloads
Injection primitives
Invalid structural formats

Attackers could submit malicious input containing special characters or crafted payloads. This increases the risk of:

SQL or NoSQL injection
Command injection
Log injection
Template injection
Path traversal
Downstream parser abuse
Business logic bypass

Even if injection is ultimately mitigated, lack of structural constraints significantly increases the likelihood of exploitable mistakes and thus the attack surface.

Remediation

Define a strict pattern constraint that matches your requirements for string scalars, especially for structured string inputs. This ensures that only strings matching the set pattern get passed to your API. We recommend that you:

Define patterns for all structured string types
Prefer whitelist-style regular expressions (allowed characters) over blacklist rules
Keep patterns aligned with business requirements
Avoid overly permissive patterns such as .*

A well-defined pattern significantly reduces injection risk, improves data integrity, and strengthens API contract clarity. It also enforces structural expectations at the schema boundary and reduces reliance on resolver-level validation.

We recommend that you carefully think what kind of regular expression best matches your needs. Do not simply blindly copy the pattern from the code example.

Remember to include the anchors ^ and $ in your regular expression, otherwise the overall length of the pattern could be considered infinite. If you include the anchors in the regular expression and the pattern only has fixed or constant quantifiers (like {10,64}, for example), you do not have to define the property maxLength separately for the object, as the length is fully constrained by the pattern. However, if the regular expression does not include the anchors or its quantifiers are not fixed (like in ^a.*b$), it can be considered to be just a part of a longer string and the property maxLength is required to constrain the length.

For more information on regular expressions, see the following:

Language-agnostic information on regular expressions at Base Definitions page on regular expressions
OWASP Validation Regex Repository
RegExr, an online tool for building and testing regular expressions

The following are examples of regular expressions for some common elements:

Element	Examples of regular expressions	Examples with escape
Alphanumeric string	String with spaces: `^[a-zA-Z0-9 ]$` String without space `^[a-zA-Z0-9]$`	—
Base64‑encoding (for an image)	`^data:image\/(?:gif\|png\|jpeg\|bmp\|webp)(?:;charset=utf-8)?;base64,(?:[A-Za-z0-9]\|[+/])+={0,2}$`	`^data:image\\/(?:gif\|png\|jpeg\|bmp\|webp)(?:;charset=utf-8)?;base64,(?:[A-Za-z0-9]\|[+/])+={0,2}$`
Date and time	Date as YYYY-MM-DD, only `-` as separator: `^([12]\d{3}-(0[1-9]\|1[0-2])-(0[1-9]\|[12]\d\|3[01]))$` Date as DD-MM-YYYY, with `/`, `-`, or `.` as separator: `^(?:(?:31(\/\|-\|\.)(?:0?[13578]\|1[02]\|(?:Jan\|Mar\|May\|Jul\|Aug\|Oct\|Dec)))\1\|(?:(?:29\|30)(\/\|-\|\.)(?:0?[1,3-9]\|1[0-2]\|(?:Jan\|Mar\|Apr\|May\|Jun\|Jul\|Aug\|Sep\|Oct\|Nov\|Dec))\2))(?:(?:1[6-9]\|[2-9]\d)?\d{2})$\|^(?:29(\/\|-\|\.)(?:0?2\|(?:Feb))\3(?:(?:(?:1[6-9]\|[2-9]\d)?(?:0[48]\|[2468][048]\|[13579][26])\|(?:(?:16\|[2468][048]\|[3579][26])00))))$\|^(?:0?[1-9]\|1\d\|2[0-8])(\/\|-\|\.)(?:(?:0?[1-9]\|(?:Jan\|Feb\|Mar\|Apr\|May\|Jun\|Jul\|Aug\|Sep))\|(?:1[0-2]\|(?:Oct\|Nov\|Dec)))\4(?:(?:1[6-9]\|[2-9]\d)?\d{2})$` Date as DD-MM-YYYY, with `/`, `-`, or `.` as separator, checks for leap years: `^(?:(?:31(\/\|-\|\.)(?:0?[13578]\|1[02]))\1\|(?:(?:29\|30)(\/\|-\|\.)(?:0?[1,3-9]\|1[0-2])\2))(?:(?:1[6-9]\|[2-9]\d)?\d{2})$\|^(?:29(\/\|-\|\.)0?2\3(?:(?:(?:1[6-9]\|[2-9]\d)?(?:0[48]\|[2468][048]\|[13579][26])\|(?:(?:16\|[2468][048]\|[3579][26])00))))$\|^(?:0?[1-9]\|1\d\|2[0-8])(\/\|-\|\.)(?:(?:0?[1-9])\|(?:1[0-2]))\4(?:(?:1[6-9]\|[2-9]\d)?\d{2})$` Time as HH:MM, 24-hour clock, leading 0: `^(0[0-9]\|1[0-9]\|2[0-3]):[0-5][0-9]$` Time as HH:MM, 12-hour clock, leading 0 optional, AM/PM: `^((1[0-2]\|0?[1-9]):([0-5][0-9]) ?([AaPp][Mm]))$` Time as HH:MM:SS, 24-hour clock: `^(?:[01]\d\|2[0123]):(?:[012345]\d):(?:[012345]\d)$`	Date as YYYY-MM-DD, only `-` as separator: `^([12]\\d{3}-(0[1-9]\|1[0-2])-(0[1-9]\|[12]\\d\|3[01]))$` Date as DD-MM-YYYY, with `/`, `-`, or `.` as separator: `^(?:(?:31(\\/\|-\|\\.)(?:0?[13578]\|1[02]\|(?:Jan\|Mar\|May\|Jul\|Aug\|Oct\|Dec)))\\1\|(?:(?:29\|30)(\\/\|-\|\\.)(?:0?[1,3-9]\|1[0-2]\|(?:Jan\|Mar\|Apr\|May\|Jun\|Jul\|Aug\|Sep\|Oct\|Nov\|Dec))\\2))(?:(?:1[6-9]\|[2-9]\\d)?\d{2})$\|^(?:29(\\/\|-\|\\.)(?:0?2\|(?:Feb))\\3(?:(?:(?:1[6-9]\|[2-9]\\d)?(?:0[48]\|[2468][048]\|[13579][26])\|(?:(?:16\|[2468][048]\|[3579][26])00))))$\|^(?:0?[1-9]\|1\\d\|2[0-8])(\\/\|-\|\\.)(?:(?:0?[1-9]\|(?:Jan\|Feb\|Mar\|Apr\|May\|Jun\|Jul\|Aug\|Sep))\|(?:1[0-2]\|(?:Oct\|Nov\|Dec)))\\4(?:(?:1[6-9]\|[2-9]\\d)?\\d{2})$` Date as DD-MM-YYYY, with `/`, `-`, or `.` as separator, checks for leap years: `^(?:(?:31(\\/\|-\|\\.)(?:0?[13578]\|1[02]))\\1\|(?:(?:29\|30)(\\/\|-\|\\.)(?:0?[1,3-9]\|1[0-2])\\2))(?:(?:1[6-9]\|[2-9]\\d)?\d{2})$\|^(?:29(\\/\|-\|\\.)0?2\\3(?:(?:(?:1[6-9]\|[2-9]\\d)?(?:0[48]\|[2468][048]\|[13579][26])\|(?:(?:16\|[2468][048]\|[3579][26])00))))$\|^(?:0?[1-9]\|1\\d\|2[0-8])(\\/\|-\|\\.)(?:(?:0?[1-9])\|(?:1[0-2]))\\4(?:(?:1[6-9]\|[2-9]\\d)?\\d{2})$` Time as HH:MM, 24-hour clock, leading 0: `^(0[0-9]\|1[0-9]\|2[0-3]):[0-5][0-9]$` Time as HH:MM, 12-hour clock, leading 0 optional, AM/PM: `^((1[0-2]\|0?[1-9]):([0-5][0-9]) ?([AaPp][Mm]))$` Time as HH:MM:SS, 24-hour clock: `^(?:[01]\\d\|2[0123]):(?:[012345]\\d):(?:[012345]\\d)$`
Duration	`^\d+:\d{2}:\d{2}$`	`^\\d+:\\d{2}:\\d{2}$`
Email address (common format)	`^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,5})$`	`^([a-z0-9_\\.-]+)@([\\da-z\\.-]+)\\.([a-z\\.]{2,5})$`
File	File path: `^((\/\|\\\|\/\/\|https?:\\\\\|https?:\/\/)[a-z0-9 _@\-^!#$%&+={}.\/\\\[\]]+)+\.[a-z]+$/` File name, with 3-letter extension: `^[\w,\s-]+\.[A-Za-z]{3}$`	File path: `^((\\/\|\\\\\|\\/\\/\|https?:\\\\\\\\\|https?:\\/\\/)[a-z0-9 _@\\-^!#$%&+={}.\\/\\\\\\[\\]]+)+\\.[a-z]+$/` File name, with 3-letter extension: `^[\\w,\\s-]+\\.[A-Za-z]{3}$`
IP address	IPv4: `^(([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.){3}([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])$` IPv6: ^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,7}:\|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}\|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}\|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}\|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}\|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})\|:((:[0-9a-fA-F]{1,4}){1,7}\|:)\|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9]))$	IPv4: `^(([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\\.){3}([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])$` IPv6: ^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,7}:\|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}\|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}\|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}\|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}\|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})\|:((:[0-9a-fA-F]{1,4}){1,7}\|:)\|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9]))$
Numbers	Positive whole numbers: `^\d+$/` Negative and positive whole and decimal numbers: `^-?\d*(\.\d+)?$`	Positive whole numbers: `^\\d+$/` Negative and positive whole and decimal numbers: `^-?\\d*(\\.\\d+)?$`
Password constraints	Password that has: At least 10 but no more than 64 characters At least one digit At least one lowercase letter At least one uppercase letter At least one special character `^(?=.[0-9])(?=.[a-z])(?=.[A-Z])(?=.[*.!@$%^&(){}[]:;<>,.?/~_+-=\|\]).{10,64}$`	`^(?=.[0-9])(?=.[a-z])(?=.[A-Z])(?=.[*.!@$%^&(){}[]:;<>,.?/~_+-=\|\\]).{10,64}$`
Phone number	International phone number, country code optional: `^(?:(?:$?(?:00\|\+)([1-4]\d\d\|[1-9]\d?)$?)?[\-\.\ \\\/]?)?((?:$?\d{1,}$?[\-\.\ \\\/]?){0,})(?:[\-\.\ \\\/]?(?:#\|ext\.?\|extension\|x)[\-\.\ \\\/]?(\d+))?$` Use libraries instead or regular expressions to validate phone numbers whenever possible.	`^(?:(?:\$?(?:00\|\\+)([1-4]\\d\\d\|[1-9]\\d?)\$?)?[\\-\\.\\ \\\\\\/]?)?((?:\$?\\d{1,}\$?[\\-\\.\\ \\\\\\/]?){0,})(?:[\\-\\.\\ \\\\\\/]?(?:#\|ext\\.?\|extension\|x)[\\-\\.\\ \\\\\\/]?(\\d+))?$`
URL/URI (with protocol optional)	`^(https?:\/\/)?(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)$`	`^(https?:\\/\\/)?(www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{2,256}\\.[a-z]{2,6}\\b([-a-zA-Z0-9@:%_\\+.~#?&//=]*)$`
UUID	`^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89AB][0-9a-f]{3}-[0-9a-f]{12}$`	—