# GraphQL (Node.js) Security

Security vulnerabilities and detection rules for the graphql framework. 4 rules across 4 CWE categories.

- Total rules: 4
- CWE categories: 4
- Critical rules: 3

## CWEs

- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- **CWE-79**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

## Rules

- **Command Injection via child_process** [CRITICAL]: Detects user input flowing to shell command execution functions.
- **Path Traversal in File Operations** [CRITICAL]: Detects untrusted user input used in file system operations without proper validation. This can allow attackers to read or write arbitrary files on the server.
- **SQL Injection via Database Queries** [CRITICAL]: Detects user input flowing into SQL queries without parameterization.
- **Cross-Site Scripting (XSS) via Response** [HIGH]: Detects user input flowing into HTTP responses without proper encoding or sanitization.