# GraphQL Injection / Unsafe Query Construction

- ID: python-graphql-injection
- Severity: HIGH
- CWE: SQL Injection (CWE-89)
- Languages: Python
- Frameworks: graphene, ariadne, strawberry

## Description

Detects unsafe GraphQL query construction with user input, missing query depth limiting, or introspection left enabled in production. These can lead to injection attacks, denial of service via deeply nested queries, or information disclosure.

## Remediation

Use parameterized queries with variables instead of string formatting; disable introspection in production.

```python
import graphene


class Query(graphene.ObjectType):
    # `User` is the application's user type/model; it is defined elsewhere
    # and is not shown on this page.
    user = graphene.Field(User, id=graphene.String(required=True))

    def resolve_user(self, info, id):
        # `id` arrives as a typed GraphQL argument bound through variables.
        # Use the parameter directly; never splice user input into query
        # text with an f-string.
        return User.objects.get(pk=id)


# Client sends: query GetUser($id: String!) { user(id: $id) { name } }
# With variables: {"id": "123"}
```

Learn more: https://shoulder.dev/learn/python/cwe-89/graphql-injection

## Related Rules

- **SQL Injection via Database Queries** [CRITICAL]
- **Prisma Raw Query SQL Injection** [CRITICAL]
- **TypeORM SQL Injection in Raw Query** [CRITICAL]
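As an added example (not part of this rule's own code), the two client-side construction patterns side by side, plus a stdlib-only depth check for the depth-limiting point above. The crafted input value, `MAX_DEPTH`, and the brace scanner are constructed for this example; a production depth limit should walk the parsed AST from graphql-core rather than scan text.

```python
# Constructed for this example: a depth limit a server might enforce.
MAX_DEPTH = 5


def build_query_unsafe(user_id: str) -> dict:
    """Vulnerable pattern: user input interpolated into the query text.

    A value containing a quote and braces changes the document's structure.
    """
    query = f'query {{ user(id: "{user_id}") {{ name }} }}'
    return {"query": query}


def build_query_safe(user_id: str) -> dict:
    """Hardened pattern: the document is a fixed string; input travels as a
    variable, so the query text is identical whatever the value contains."""
    query = "query GetUser($id: String!) { user(id: $id) { name } }"
    return {"query": query, "variables": {"id": user_id}}


def selection_depth(query: str) -> int:
    """Maximum nesting depth of selection sets in a GraphQL document.

    Counts `{`/`}` while skipping string literals (with backslash escapes)
    so braces inside a quoted argument value do not inflate the depth.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in query:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    return max_depth


def enforce_depth_limit(payload: dict, limit: int = MAX_DEPTH) -> bool:
    """Reject payloads whose selection depth exceeds the limit (DoS guard)."""
    return selection_depth(payload["query"]) <= limit
```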