Does file uploads in graphql-yoga has any security threats to the application?

[Sooryajagadeesan]

In the graphql-yoga documentation, in file uploads page, there is no mentioning about the security threats with file uploads in graphql-yoga, But with apollo/server, they are not suggesting file uploads with apollo/server package. And another point to note is that, graphql-yoga uses a scalar called File and apollo/server uses a scalar called Upload for the file field in the schema.

Does graphql-yoga really has no security issues with file uploads or is it not mentioned in the docs ?

[ardatan]

Apollo Server doesn't handle multipart requests by itself. Node specific graphql-upload parses the multipart request and passes it to Apollo Server, and it is too late for Apollo Server to do the checks for CSRF prevention.
In GraphQL Yoga, we parse multipart requests on our own and CSRF prevention plugin runs before request parsing. So this vulnerability is not a case for Yoga.
Scalar name doesn't matter. It can be Arda, Dotan or Saihaj, it is up to you. We prefer File because Web standard File interface is used in GraphQL Yoga instead of custom objects called Upload.
https://developer.mozilla.org/en-US/docs/Web/API/File

[Sooryajagadeesan]

Got it, Thanks for the reply @ardatan