Update database.yml by jordan-dr · Pull Request #82

Update database.yml by jordan-dr · Pull Request #82 · DryRunSecurity/rails-projects

🔴 Risk threshold exceeded.

This pull request introduces critical security vulnerabilities, including a complete authorization bypass in the GraphQL mutations that allows any user to perform actions without permission checks, and the inclusion of hardcoded database credentials that could enable unauthorized database access.

⚠️ Potential IDOR Vulnerability in app/graphql/mutations/base_mutation.rb

Vulnerability	Potential IDOR Vulnerability
Description	The `authorized?` method always returns `true`, effectively bypassing any authorization checks. The commented-out code suggests a proper authorization mechanism was intended but is currently disabled, leaving the method vulnerable to IDOR.

rails-projects/app/graphql/mutations/base_mutation.rb

Lines 7 to 16 in d854445


	def self.authorize(action, resource_class)
	define_method(:authorized?) do
	true
	# resource = resource_class.find(arguments[:id])
	# context[:current_ability].authorize!(action, resource)
	end
	end
	end
	end

✨ Code Policies (2)

Policy	hardcoded-creds
Result	Yes, the change includes a hard-coded password value "lsjdfa8u4uqf" directly embedded in the database configuration file. Guidance: refer issues to the security team

Policy	graphql-auth-check
Result	The code change completely bypasses authentication by modifying the `authorize` method to always return `true`, removing all resource-level authorization checks. This means any user can perform any mutation without proper permission verification.

💭 Unconfirmed Findings (2)

Vulnerability	Authorization Bypass in BaseMutation
Description	A critical security vulnerability in the base mutation class where an unconditional `true` return in the `authorize` method completely disables all authorization checks, allowing any user to perform any mutation without proper permission verification. Located in app/graphql/mutations/base_mutation.rb.

Vulnerability	Hardcoded Database Credentials
Description	A significant security risk where the database password 'lsjdfa8u4uqf' is directly embedded in the config/database.yml configuration file. This exposes sensitive credentials and could potentially allow unauthorized database access.

All finding details can be found in the DryRun Security Dashboard.