
🔴 Risk threshold exceeded.
This pull request introduces two critical security vulnerabilities: hardcoded database credentials that could enable unauthorized access, and a GraphQL authorization bypass that allows unrestricted access to all mutations by unconditionally returning true in the base authentication method.
✨ Code Policies (2)
| Policy | Result |
| --- | --- |
| hardcoded-creds | The configuration change includes a hard-coded password value "lsjdfa8u4uqf" directly in the database configuration file, which is a security risk. Guidance: refer issues to the security team. |
| graphql-auth-check | The change explicitly modifies the authorized? method in BaseMutation to always return true. Since this is the base class that all GraphQL mutations inherit from (as confirmed by checking delete_user.rb, which inherits from BaseMutation), ALL GraphQL mutations will bypass authentication checks. The authorized? method is a standard GraphQL authorization hook that should perform actual authentication checks, but this change makes it return true unconditionally. |
💭 Unconfirmed Findings (2)
| Vulnerability | Description |
| --- | --- |
| Authorization Bypass in GraphQL Mutations | Critical vulnerability in app/graphql/mutations/base_mutation.rb where the authorize method unconditionally returns true, effectively disabling all authorization checks and allowing unrestricted access to all resources for mutations inheriting from BaseMutation. |
| Hardcoded Database Credentials | Security risk in config/database.yml where the sensitive database password is directly embedded in the configuration file, potentially exposing credentials and enabling unauthorized database access if the file is compromised. |
All finding details can be found in the DryRun Security Dashboard.